Slashdot Mirror
Solaris Telnet 0-day vulnerability
philos writes "According to SANS ISC, there's a vulnerability in Solaris 10 and 11 telnet that allows anyone to remotely connect as any account, including root, without authentication. Remote access can be gained with nothing more than a telnet client. More information and a Snort signature can be found at riosec.com. Worse, this is almost identical to a bug in AIX and Linux rlogin from way back in 1994."
Cue the "It's still more secure than Windows!" comments.
Who the hell even THINKS about enabling telnet on any box these days?
$0.02 (CDN)
See? Your "Linux" thing has more vulnerabilites than Vista! Ha! Yes! I win!
-Bill Gates
Does ANYONE run telnet anymore? There has been no need to run telnet for at least 10 years. If you ARE nuts enough to run it, you would would be even more nuts to have it open to the internet. Can anyone confirm if telnet is enabled by default on Solaris for new installs? I would doubt it - I haven't seen telnet being enabled by default on any unix flavor in at least a decade.
Why would anyone keep the telnet port open anyway? SSH is so much more secure (if set up properly) and is just as easy to use. In fact, I find it easier for some tasks.
Hasn't telnet been the source of many dozens of *nix vulnerabilities in the past? From the synopsis, it sounds like this bug is only there because nobody is working on the telnet codebase anymore - it is likened to the Linux exploit from '94. For my own part, the first thing I do when setting up a *nix system is disable the daemon, and the second is to make sure the firewall blocks the port in all directions.
This is not to say this shouldn't be reported, but I think it is more an example why telnet can realistically be considered obsolete technology, and should always, ALWAYS be disabled by default. It's not Windows, after all.
They give the correct configuration to mitigate the problem. This is kind of a non-story. What's next, a SANS article detailing a "bug" which allows you to set root's password to null, and then anyone can ssh into the machine as root?
I want to delete my account but Slashdot doesn't allow it.
[Dr. Evil] No. Not really. The use of Telnet has been deprecated for the better part of a decade now. Telnet was never really designed with end-to-end security in mind. It's just an easy way to gain shell access with a token login.
Chas - The one, the only.
THANK GOD!!!
"Nobody should be using it anyways" is not an excuse. If it is included, it should be held to the same standard as every other application. In some legacy cases I'm sure telnet is of some use. But regardless the fact that it has a practical use or not is irrelevant.
In a world of acronyms, the words are the real victims.
Then they start a tirade against sending passwords in the clear.
After that they say the fix is not to use telnet.
Putting aside the holier (more secure) than thou attitudes here about telnet security. I've got to say that not using something because it's broken is never a fix (unless you're a manager). The fix is to mend the problem. In the meantime, maybe, avoid the service. but bear in mind, someone still has to fix it.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
This seems to be a good example of both the benefits and drawbacks of an open development model.
The good news is that a third party has informed Sun of the info, who will now fix it.
The bad news is that we have no idea how long people have known about this problem...
Maybe I'm just confused, but doesn't '0-day' mean the exploit was found the day the code in question was released?
I generally don't follow Solaris, and 11 might have just come out, but I seriously doubt 10 and 11 both came out at the same time.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
towel.blinkenlights.nl, that's who.
Actually, recent revs of Solaris install with daemons for remote services (including TELNET) not running unless the individual performing the install explicitly requests the legacy behavior. (Previous versions, as with most *NIX operating systems, enabled most remote services by default.) Typically, therefore, there is nothing to "fix."
This wont work if you have a line on /etc/default/login saying
CONSOLE=/dev/console
This only prevents root from not being allowed to login
You can still login as any other user.
If I was a solaris sysadmin right now I would be doing one of the following.
- Running round like a bastard disabling telnetd/updating my firewall rules.
- Checking my logs very carefully.
- Feeling smug about disabling telnetd immediately after setting up the box.
I like to think it would be the last one, but I have always been a crap sysadmin, so I would probably be going for option 4:
- Failing to notice all my machines getting pwn3d.
http://erratasec.blogspot.com/
Its not a buffer overflow, its just unvalidated input.
Due to the holes in telnet, many Web professionals prefer the more secure SSH, which stands for "Secure Shell." Telnet could now be called "Unsecure Shell," where the "shell" refers to shell access. This level of access is similar to reaching the C: command prompt in DOS, where you have access to the full operating system. Hackers want to gain shell access, so they can wreak havoc with your site as well as damage other sites on the server if multiple sites are hosted.
Yes, we should rewrite all the basic unix utilities in java. This way when multiple people are trying to use a system, nothing would work and the hackers cannot access the machine. Security through Denial of Service.
Sent from my desktop computer
Since noone seems to have bothered posting it yet, "telnet -l -frandomuser randomsolarishost".
So stupid.
AIX does not really support OpenSSH, for that matter. The Linux Toolbox/Bonus Pack doesn't really count, since the software is provided "as is" for all intents and purposes.
I would encourage anyone that they need to harass their marketing rep, and get IBM to "officially" support OpenSSH, and at least supply it on the base AIX install media.
Repeat with me again: its not C/C++, its the developer.
Guns don't kill people, people with guns kill people.
C/C++ doesn't overflow buffers, programmers who don't do proper bounds checking or use methods or classes without bounds checking write code which overflows buffers.
Sure, we can stop using C.
We'll just suddenly and completely rewrite nearly every operating system we use. Yeah, that shouldn't be too hard!
Yeah, sure why not. I always thought it was a bad move from assembly....... now that's coding !!!
My karma is not a Chameleon.
I didn't know anyone still used Telnet. Personally, I gave up that bad habit a long time ago when there was a need to do big things like not have your authentication credentials pass in plain text. Seriously, why is this an issue? Any competent unix sysadmin will be using SSH. The first thing I do when setting up a new unix server is to visually verify that the telnet daemon has been turned off or comment it out in the inetd.conf. Sounds like some attempt at FUD against a very stable, mature, and good operating system. This article is just, well, a moot point.
Yeah, it would be very good to reimplement the OS in Java. But before you start with the OS, why not try something simpler, the java runtime engine?
Patents Drive Free Software as Hurricanes Drive Construction Industry
Coming from a dot-com background, it was a given that telnet was disable and replaced with OpenSSH or something similar. I'm amazed though at how many large companies are still running telnet. Sure, they have most of their servers behind firewalls, but since the largest number of breakins are still attributed to internal hacks telnet needs to be considered obsolete.
--
Luck is just skill you didn't know you had.
If thou see a fair woman pay court to her, for thus thou wilt obtain love
It takes this to make windows look secure :)
Please. If you want to avoid buffer overflows, burn your own EEPROMs with a couple of leads and a 9v.
I mod down pyramid schemes in sigs.
From: Steve Ballmer
Subject: Pwned
Body:
Microsoft:1 - Unix: NIL LOLOLOLOLOLOL!!!!!!!111
Love Steviepoo
Solaris 5.10 is run at our University and telnet is STILL running. I might as well login to telnet as root and shut down telnet, though that I'm sure would be seen as naughty.
to be using telnet, and there hasnt been for about the last 5 years easily. I will say again, there is no VALID reason to use telnet. If you want to try and defend your use of telnet, I think you should spend the time looking for a new career in some riskier field because you apparently enjoy unnecessary risks. and that is all telnet is, an unnecessary risk, it has no place on a server, on a network, on a computer at all.
The phrase "more better" is acceptable English. suck it grammar Nazis
Maybe Sun would rather use Java instead.
"Beware of he who would deny you access to information, for in his heart he dreams himself your master."
While I'm upgrading openssl or ssh. It's a pain getting lock out of a server and having to resort to the console. And, I never forget to disable it when I'm done.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Data General's proactive approach to security (Actually having people read through and test all their code) turned up a lot of problems that would otherwise have gone unnoticed and would probably have been exploited at a later date. Perhaps the other commercial UNIX vendors should consider that approach rather than relying on code that no one's looked at in 20 years to be secure.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Because it will only work if you have commented out the CONSOLE line in /etc/default/login which is uncommented by default.
Greetings.
This bug is for Solaris telnet only, correct? So MUDs and others which are using the protocal without telnetd are ok?
Um...
The linked description does not seem to have any references to other descriptions of this vulnerability, nor do they seem to be showing up in Google or in the normal security channels. Anyone have a link to some real information on this. If this is truly a zero-day situation who was exploited and what are the details of the exploit? Was this a manual exploit or a worm?
I have no reason to doubt the linked description, but it is pretty vague. Where's the beef?
In defense of having telnet initially enabled: It's the most basic way in if you're booting headless. Maybe you have to install the system quick and there's a problem with its video. So you boot it, telnet in from a local connection (not on a larger network), configure whatnot including your sshd, then shut down telnet and away you go.
If you don't have the sense to check for and shut down standard external services that you don't need, especially those that have weak security by nature, before putting a Solaris box on a larger network, you really shouldn't be running it anyway.
Having the default means in be ssh rather than telnet wouldn't be much safer, since there have been ssh exploits in the past too (and without further protection it's vulnerable to dictionary attacks). SSH is only reasonably safe if always kept updated (and with something in front of it to block those dictionary attacks). Would the sysadmin too negligent to turn off telnet be thorough at keeping SSH updated?
A default way into headless machines is too valuable to be without, but there's risk in all current methods.
"with their freedom lost all virtue lose" - Milton
I'm trying to think of some good reason someone might still have telnet, ftp, or some other unencrypted service running on Solaris. The only reasons I can think of are not good--legacy apps are NOT a good reason. If you can't do it over an SSH tunnel, then you shouldn't be doing it.
Maybe the Solaris patch team figured the same thing.
I might know what I'm talkin' about, but then again, this is Slashdot...
Could we stop making dumb mistakes with code? pretty please? Java is not really going to protect software from inept programmers.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
I just looked at the example exploit command shown in the linked article and I was unable to successfully execute this allegedly simple vulnerability. Either I'm missing a detail, which is likely since it's about an hour earlier than I ever wake up, or this doesn't affect all systems?
$ telnet -l"-froot" 10.0.0.121
Trying 10.0.0.121...
Connected to 10.0.0.121 (10.0.0.121).
Escape character is '^]'.
Not on system console
Connection closed by foreign host.
... I had a say in SUN: Sack the responsible for security.
No, not for cheap repay !
Not for the vulnerability as such. Not for the forgotten validity checks. Not for eventually shipping telnetd.
(Only Theo & friends can permit to not ship it.)
But:
- For enabling it by default; at install; in 2007
- Worse: for still not running it unprivileged; though that is possible
Not only does AIX not support SSH fully, but Microsoft doesn't either. Unless Redmond has seen the light now, you have to obtain a third party SSH client for your Windows clients, with the extra support overhead, licensing and lack of OS vendor support this entails. There's Hummingbird, F-Secure and Red Hat (cygwin commercial) that I know of -- otherwise you're forced to run unsupported software, which few large companies want to do.
Well, it doesn't work with root account on default Solaris 10 installation, but it works with bin, daemon, sys which exists by default as well. From there we got list of all the other users and pretty much access to most data there.
A similar fix would probably work now if anybody cared, but I imagine Sun will fix the hole properly quickly, probably more quickly than IBM fixed theirs back when, and not many people have telnet enabled on Internet-facing machines anymore anyways, but even so, it's amazing to see basically the same hole over ten years later. Linux has had similar problems too -- I believe the root source was Julianne/John F. Haugh's shadow suite back then, and I wonder if it's still the original source here.
Need I say more?
When you install Solaris 10, you are prompted for how you want remote access to the box initially configured. This is done in phase 1 of the install, running off the install media.
You can either turn on everything (telnetd, ftpd, etc, etc), or only have sshd running when the box comes up for the first time.
So saying that telnetd is on "by default" isn't exactly correct, unless your definition of "by default" is "explicitly enabled".
- Roach
is there's so many to choose from
http://dag.wieers.com/howto/ssh-http-tunneling/
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Change: Down 0.03 (0.46%)
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
I honestly can't believe that Sun has let this slip through. They used to have a top-notch engineering crew during the 90's. Around 2000, they started getting rid of the U.S. employees and contractors, and offshoring a bunch of work.
I can only assume that this is a by-product of that. Probably a screwup by some H1-B. The bigger screwup is by management for not providing an infrastructure which allows proper oversight to prevent this sort of thing from happening.
Sun used to have the best code-review process in place. It was a real pain-in-the-butt. And it worked extremely well. So is that now gone?
I've heard that they ditched their previous Source Code Control Mechanism, which also used to be the best.
One can only conclude that Sun engineering is but a shadow of its former self. Oh yes, there are still top engineering (witness Bonwick). But it seems like the rest of the good ones have gone.
except ssh and whatever service your boxen is used for. Anything that requires a password and sends in cleartext should be disabled period.
I may not be a smart man, but I know what an inode is.
When I have first seen this article I thought, LD_PRELOAD bug is back -- old telnet allowed the remote user to pass environment variables including LD_*, so it will run login (as root, of course) with whatever library user had previously uploaded on the host, thus bypassing authentication.
This is... -froot indeed...
Contrary to the popular belief, there indeed is no God.
The ping of death made a brief comeback in Solaris 10. I find both vulnerabilities funny. Don't ask why.
There is no reason to ship telnetd it can't be trusted. You can provide a simple package or other installer for people who need it.
The Network is Everyone's Computer.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
I can't believe a large Unix software vendor with years of experience can get it wrong with some trivial, well understood protocol application designed over 35 years ago. Doesn't give me much confidence in Sun OSs I noticed the snippet about Solaris 10 being vulnerable to "ping of death" attacks before a "patch" came out. Mind you they have never been very good at network stacks. Ever. .. You can probably tell I use Linux ...
>/dev/null 2>&1
telnet is NOT enabled by default for Solaris 10 11/06 for a fresh install. You can choose to enable telnet and a whole lot of other services explicitly, but that is NOT the default. The default is to have telnet and other services disabled. For legacy Solaris systems upgraded to Solaris 10 11/06 you can disable telnet and several other services by typing at the command line: /usr/sbin/netservices limited
You can tell if you're running Solaris 10 11/06 by looking in file /etc/release
Telnet is inherently insecure. You're sending your password, unencrypted, across the network for anyone to steal. They're absolutely right that you shouldn't be using telnet, even if this version does have a dumb bug.
The only difference between this attack and the ordinary insecurity of telnet is that you don't have to sniff the password to launch this attack. Sniffing a telnet password is trivial if you can connect to the right network segment. There's no way to fix that aspect of telnet; the fact that it can be easily sniffed is an inherent weakness. It is for this reason that SSH exists.
These people know more than you're giving them credit for. Please, don't embarrass yourself by talking about things outside your expertise.
1) this attack does not work:
Oh, but it does. Try adm, bin, sys or any other user likely to be in the local /etc/passwrd file.
Going from sys or bin is nice and soft inside.
I hope you block ports 80 and 443, too, because otherwise it's still trivial to create an SSH session to the outside. All the enterprising student must do, is configure their (parents') home firewall, to forward outside port 80 to LAN port 22 on their PC. It's no more difficult really than just opening up port 22 bidirectionally. Then it's just "ssh -p 80 -D 8080 joestudent@mypc.dyndns.org"
If you want to filter, get a packet shaper and stop using ports; all you do by blocking ports is encourage people to abuse port 80 and other well known service ports, and make diagnostics more difficult. Unless the goal is just to give the semblance of censorship while making it as easily avoidable as possible, which is arguably laudable, but in that case why bother to block port 22 in the first place.
And before anyone makes the argument about blocking ports making it more difficult for 'casual' users, even a casual user is capable of reading Google, or asking a smarter user what to do. A few years ago, I witnessed what happened on a campus LAN when the admins inadvertently mis-configured the firewalls and blocked port 5190, which is used by AIM. Within twenty minutes, there were emails circulating which included screenshots and step-by-step instructions on how to change the AIM client to use port 80 instead. Hundreds, if not thousands of students, who didn't even know what port was, were able to follow one person's instructions and get around the problem. (It turns out it wasn't an intentional block, but just a mistake; however, the result was that half of the student machines ended up running AIM over port 80 forevermore.) It only takes one user with enough brains to read a manpage, and a desire to score some points with other students by showing them how to get around the block, to torpedo port-based blocking.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Who uses telnet (or unencrypted FTP, or rsh, or rlogin, or ....)?
Far more organizations than you'd care to think about.
Me, personally, my own (Debian thankyewvareemush) systems, or networks I've built up from scratch, or your typical LUG infrastructure? SSH all the way. It's free, simple, fast, secure, and a complete no-brainer.
At work unfortunately it's a different story. Long-time Solaris shop, now heterogenous (several Unices, Red Hat, SuSE, etc.), 5k+ CPU grid, we make extensive use of rsh, rlogin, and telnet. Checking on feasibility of cutting over to ssh for all remote access, I found that several platforms didn't even have the ssh server installed, though it's freely available from vendors. Our internal customer base gives massive push-back at the prospect of cutting over to ssh (though for the most part it should be transparent, we're even in a good situation for key management). There are similar concerns with external customers. My ballpark project estimate for doing a full cutover (thousands of systems, standardized images, over a decade of legacy code, thousands of users) would be 2 years, minimum, if we could get buy-in for the project.
Some backward ag business in Indiana? Nope. High-end, industry-leading software design shop in some silly valley somehwere. Lots of folks who know what we ought to be doing, but still can't sell the concept. And I've been in other shops (healthcare data, credit cards, insurance data, brokerage, others) where the story was similarly bad, though some may have improved since then.
Scary as it sounds, what I'm looking at is pretty much state of the art, as practiced.
...and people wonder why I have concerns with online electronic transactions (or anything which creates a personal indentifiable online record). AC indeed.....
Tiring seeing all of these people who assume 'telnet client' means 'telnet daemon'.
...from back in the day was:
$ telnet someschmuck.edu
Trying x.x.x.x
Welcome to someschmuck.edu CS department. Unauthorized logins are forbidden!
login: root
#
There are simple ways to secure this:
/etc/default/login.
I have CONSOLE=/dev/console set in
telnet -l"-froot" 10.24.47.9
Trying 10.24.47.9...
Connected to 10.24.47.9.
Escape character is '^]'.
Not on system console
Connection closed by foreign host.
And turn off telnet. Do: svcadm disable svc:/network/telnet:default as root.
And yes! It is STILL BETTER THAN P.O.S. Windoze!!!
--
Zombie Proc
Guns don't kill people, people with guns kill people.
Knives don't kill people. People with knives kill people.
Clubs don't kill people. People with clubs kill people.
Fists don't kill people. People with fists kill people.
Poisons don't kill people. People with poisons kill people.
Cars don't kill people. People with cars kill people.
Cans of gasoline don't kill people. People with cans of gasoline kill people.
If you try to disarm people, where do you stop?
Why do I object? Because guns (or "people with guns") also protect people (including the person with the gun). They do this in several ways, including by opposing unprovoked attacks. Apparently, in that case alone, they prevent more death and injury than they cause, by a factor of several.
The quoted formulation leads to the false belief that killing can be reduced by banning guns (when in fact such attempts apparently greatly increase it "in the wild").
Dropping it into a discussion of another subject, if the poster is not called on it, propagates the dangerous meme.
The extension I posted above is intended to
Yes, my posting is off-topic. So is the parent. If I had mod points at this time I'd have just modded the parent down as off-topic. So instead I'm putting my own karma on the line to oppose the propagation of a meme that has killed countless people and continues to do so to this day.
I request any moderator that choses to mod THIS post down to do the same to the parent. I also request that any moderator who finds the parent posting has less off-topic down-mods than this one to add another down-mod to just the parent. To do otherwise is to take sides in the political debate injected into a different topic's discussion by the parent poster.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
To nitpick your nitpick, Kerberized telnet supports session encryption.
First off, I assume the problem is with telnetd, not telnet.
Second, anyone that would still use telnetd on a unix system is not competent to be a unix admin in this day and age. (And no, Im not talking about using the telnet *client* to access hardware devices such as routers locally or to connect to SMTP for testing, etc; Im talking only about allowing inbound login from the public Internet via telnet to a unix system where security is evem remotely important)
I must Say Wow. Such a big security hole. I had a couple of spare Solaris 10 servers that I tried this out on and to my surprise wow. Its a good thing that I don't enable telnet on any machines. Thanks for the post though. Cheers, Thusjanthan Kubendranathan
For all your coding questions? http://letstalkcoding.com
For all your development needs! http://simtik.com
I started reading the posts and then realized that most of it degenerated into an anti-telnet flame war.
It is possible to use SSH in an insecure manner. It is possible that SSH has exploits as well.
I'm not advocating that telnet be reintroduced for standard and widespread deployment. Still, though, I would have thought that such a devoted group of computer enthusiasts would have a more level and sane point of view. Some people like to ride their bicycle or motorcycle without a helmet. Some people like to use telnet. So what?
Poor Solaris. I hope nobody was seriously injured by this exploit.
the NPG electrode was replaced with carbon blac
I work for a company that uses a Sun box for a critical application and clients connect using telnet. This vulnerbility could be the answer I was looking for to get the outsourced company that looks after it to switch to SSH which is easily fast enough for the requirements of our users.
For a upgrade from earlier releases or updates, telnet may be left enabled. You can disable it with svcadm disable telnet
Better yet, disable most network services (excludes SSH at least) in Solaris 10 11/06 with netservices limited
Temporary patches to fix telnet are available in zip files at: http://sunsolve.sun.com/pub-cgi/tpatch.pl (one for SPARC, one for X86 Solaris).
You need a (free) login to access these (my login was free)--security patches are free.
I've done the work getting interim security fixes available and starting the sun-alert. These thing should be available shortly.
For a commentary on getting this fixed, have a look at http://blogs.sun.com/tpenta/entry/the_in_telnetd_v ulnerability_exploit.
I'll update the blog entry with the links when it's up on sunsolve.
Tp.
SunAlert 102802 is available describing the issue and workaround.
Temporary patches for SPARC and X86 to fix telnet are available You need a (free) login to access this.
There are C-like languages that are safe: ADA, Cyclone, etc.
My comment was not flamebait. IT would be so much better if better languages were used.
And perhaps the notion of 'developers do the mistakes, not the languages' is true when the problem at hand is not complex, but as complexity rises, less and less developers can avoid mistakes.
Pity for those who do not understand this.
We do block port 80 and 443 - the only machine allowed out of the network is the proxy server.