Bugtraq mailing list archives

Re: [BLACKLIST] [Full-disclosure] Solaris telnet vulnerability - how many on your network?


From: Gadi Evron <ge () linuxbox org>
Date: Wed, 14 Feb 2007 19:02:29 -0600 (CST)

On Thu, 15 Feb 2007, Joep Vesseur wrote:
> Gadi,
>
> [...]
> > One note: although it could just as well be a bug, who says it was not a
> > backdoor in the early 90's?
> >
> > Also, I understand this does not work on older Solaris/SunOS systems
> > (anyone can verify?)
>
> I can. It is not present in anything before Solaris 10.
>
> > which adds to my personal interest in the
> > possibility. I refuse to believe someone is that funny/sad.
>
> Not sure what you mean here... You don't believe this is a (very
> unfortunate) accident?
>
> From where I stand (pretty close to the fire) this is pretty much
> what it looks like (an extended multi-file, multi-entrance-point
> change with unforeseen and unnoticed interdependencies).

This needs to be further discussed, as your response here has been
awe-striking.

The remote possibility was raised, and for several reasons:
1. It just didn't seem to be possible such a vulnerability would exist,
yet it does.
2. It was a remote one (not raised by me, btw) which I wanted answers for
rather than let it die under the usual flames.
3. It was raised, we needed to discuss it.

Sun has been completely visible and did full-disclosure on the
vulnerability, how it got there, etc. I have to tip my hat to you and
thank you for your help with this.

I believe the entire industry should thank you, and follow your lead.

This is the first case where I have seen a vendor respond in such
fashion. It is to be commended yet again. You have proven what being open
with the community can achieve.

This is a serious F up on the side of Sun. Everyone makes mistakes
and incidents will happen no matter what. What matters here is how you
responded to the incident when it did happen.

        Gadi.


> Joep
