Full Disclosure mailing list archives
Re: Solaris telnet vulnberability - how many on your network?
From: "Adrian Sanabria" <adrian.sanabria () gmail com>
Date: Tue, 13 Feb 2007 19:18:50 -0500
If someone was going to plant a backdoor in Solaris, don't you think they would have chosen a service that most people would leave turned on? The only way I can see someone choosing telnet for a backdoor is if it happened a looooong time ago. So, two things I'm curious about, but too busy (lazy) at the moment to look up: 1. Didn't Sun open up the source to Solaris? I wonder if it looks more like a bug or a backdoor in the source. 2. Did this get reintroduced to Solaris, or has it been there ever since the legacy code was pulled over from SysV? --Adrian P.S. - Apologies if this was answered somewhere, and I missed it. On 2/13/07, Gadi Evron <ge () linuxbox org> wrote:
On Mon, 12 Feb 2007, Oliver Friedrichs wrote: > > Am I missing something? This vulnerability is close to 10 years old. > It was in one of the first versions of Solaris after Sun moved off of > the SunOS BSD platform and over to SysV. It has specifically to do with > how arguments are processed via getopt() if I recall correctly. Hey Oliver! :) Well than, I guess it just became new again. And to be honest, I have to agree with a previous poster and suspect (only suspect) it could somehow be a backdoor rather than a bug. The reason why this vulnerability is so critical is the number of networks and organizations which rely on Solaris for critical production servers, as well as use telnet for internal communication on their LAN (now how smart is that? I'd rather use telnet on the Internet than on a local LAN). Further, there are quite a few third party appliances (some infrastructure back-end) that can not easily be patched running on Solaris (forget fuzzing or VA, people never even NMAP appliances they buy). I am unsure of how long we will see this in to-do items of corporate security teams around the world, but I am sure Sun's /8 is getting a lot of action recently. > > Oliver Gadi. > > -----Original Message----- > From: Gadi Evron [mailto:ge () linuxbox org] > Sent: Sunday, February 11, 2007 10:01 PM > To: bugtraq () securityfocus com > Cc: full-disclosure () lists grok org uk > Subject: Solaris telnet vulnberability - how many on your network? > > Johannes Ullrich from the SANS ISC sent this to me and then I saw it on > the DSHIELD list: > > ---- > If you run Solaris, please check if you got telnet enabled NOW. If > you > can, block port 23 at your perimeter. There is a fairly trivial > Solaris telnet 0-day. > > telnet -l "-froot" [hostname] > > will give you root on many Solaris systems with default installs > We are still testing. Please use our contact form at > https://isc.sans.org/contact.html > if you have any details about the use of this exploit. > ---- > > You mean they still use telnet?! > > Update from HD Moore: > "but this bug isnt -froot, its -fanythingbutroot =P" > > On the exploits@ mailing list and on DSHIELD this vulnerability was > verified as real. > > If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it a > strong suggestion. > > Anyone else running Solaris? > > Gadi. > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Solaris telnet vulnberability - how many on your network?, (continued)
- Re: Solaris telnet vulnberability - how many on your network? Michal Zalewski (Feb 13)
- Re: Solaris telnet vulnberability - how many on your network? Gadi Evron (Feb 13)
- Re: Solaris telnet vulnberability - how many onyour network? Peter Ferrie (Feb 13)
- Re: Solaris telnet vulnberability - how many onyour network? Gadi Evron (Feb 14)
- Re: Solaris telnet vulnberability - how many on your network? Casper . Dik (Feb 13)
- Re: Solaris telnet vulnberability - how many on your network? Gadi Evron (Feb 13)
- Re: Solaris telnet vulnberability - how many on your network? Damien Miller (Feb 15)
- Re: Solaris telnet vulnberability - how many on your network? Gadi Evron (Feb 15)
- Re: Solaris telnet vulnberability - how many on your network? Oliver Friedrichs (Feb 13)
- Re: Solaris telnet vulnberability - how many on your network? Gadi Evron (Feb 13)
- Re: Solaris telnet vulnberability - how many on your network? Adrian Sanabria (Feb 14)
- Re: Solaris telnet vulnberability - how many on your network? Gadi Evron (Feb 13)
- Re: Solaris telnet vulnberability - how many on your network? Casper . Dik (Feb 13)
- Re: Solaris telnet vulnberability - how many on your network? Gadi Evron (Feb 13)
- Re: Solaris telnet vulnberability - how many on your network? Gadi Evron (Feb 13)
- Re: Solaris telnet vulnberability - how many on your network? Casper . Dik (Feb 13)
- Re: Solaris telnet vulnberability - how many on your network? Ham Beast (Feb 13)
- Re: Solaris telnet vulnberability - how many on your network? Joe Shamblin (Feb 14)
- Re: Solaris telnet vulnberability - how many on your network? Casper . Dik (Feb 14)
- Re: Solaris telnet vulnberability - how many onyour network? David Taylor (Feb 14)