Worm Exploiting Solaris Telnetd Vulnerability
MichaelSmith writes "Several news sites are reporting that a worm is starting to exploit the Solaris Telnet 0-day vulnerability. By adding simple text to the Telnet command, the system will skip asking for a username and password. If the systems are installed out of the box, they automatically come Telnet-enabled. 'The SANS Internet Storm Center, which monitors Internet threats, has noticed some increase in activity on the network port used by Solaris' telnet feature, according to an ISC blog posted on Tuesday. "One hopes that there aren't that many publicly reachable Solaris systems running telnet," ISC staffer Joel Esler wrote.'"
Use SSH.
...oh, and don't forget to wear your raincoat.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
I hate when I have worms where the Sun don't shine.
These 4 users running telnet on solaris are gonna be pissed...
What about replacing telnetd with openbsd's?
-uso.
What you hear in the ear, preach from the rooftop Matthew 10.27b
But it's only reachable via ports 80 and 443. And I installed patch #120069-02 a couple of weeks ago. In fact, I already installed the -03 version of that patch. If you keep up with your security patches, it's really not a problem. Of course, this is easy for me to say, I have one workstation; I'm sure that for sites with dozens (or hundreds) of servers, it's more problematic. I also STR that patch 120069 used to require a reboot after installation, which makes it a bit more of a hassle to install (I usually save those for Fridays, when I can install them and then walk away while the box reboots).
Just junk food for thought...
.... but wasn't this just fixed?
http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
So, just to be clear, this story, posted on March 2nd, is reporting on a worm which has started exploiting a zero day vulnerability that was covered by slashdot on February 12th?
Isn't twenty days long enough to disable a remotely exploitable and totally unnecessary, unsafe service that no admin in his right mind should have enabled on a box connected to the net anyway?
As a complete Unix fan boy I have to say this is one instance where we have to step down and put our hands up to say "Okay, we're sorry, we screwed up". Even XP managed to turn off its telnet service in Service Pack 1!
I never get used to these constant resurrections
What about this argument that OSs other than Microsoft ones don't get malware developed for them because they don't have significant marketshare, again?
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
Tell who?
What year is it?
sic transit gloria mundi
Amazing but true - there are printers on some networks which are accessible over the public Internet and which have their telnet ports exposed. I'm obviously not spelling out the implications here, but some people need the proverbial rocket up the backside.
Pining for the fjords
A while ago I found a strange comment here about why telnet was still used, even by security-knowledgeable IT department. The comment was saying this:
Large financial institutions in Europe use telnet, as use of encryption is restricted on their trusted networks, for reasons of transparency to the stock regulating authorities. (Googling for this phrase should get you the /. comment)
If this is true (and not the post of a random troll), can anyone shed some light on this? For it seems very strange... There are many other way to provide transparency to the financial authorities without having to compromise your network no!?
First posted here http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html on February 11, 2007
This is not present in the Update 3 of Solaris, released 11/06 - that prompts the user to enable "network services" if they like, but warns that will expose the system to problems. One of those problems is the famously insecure telnetd service. If you say "No" telnetd is not installed/activated - and "No" is the default.
;^)
Existing boxes need to fix this, but a patch has been out for a while - are we dealing with the "short bus" hackers that it took this long to actually exploit? Why, oh why, doesn't Solaris warrant better hackers?
Ken
...once again proves to be an oxymoron.
It's such a joke that every one claims to be more secure than the next guy. But really they mean if you turn everything off and patch your system every day. That's what a 0 day exploit means. You have to patch every day or you could be at risk. Assuming there is a patch.
Having a patch isn't even that great of a deal. The patch usually provides the problem and then it's off to the races. How long to patch X number of systems versus how long to write an exploit. Even if you are 1% of the market, it's a losing race for the patchers.
Then there are all of the poor orphaned systems out there that don't have any one to maintain them. Who will patch these poor unfortunates? No one. The maintainers got laid off or found a better job and those systems will always be vulnerable.
The only time a computer is secure these days is when the network cable is unplugged and/or the on/off switch is off.
And don't even get me started on the Web of Lies...
...on writing the worlds most unsuccessful worm.
isn't even coming close to their trend on activity-by-ports page
The basic sleazeware produced in a drunken fury by a bunch of UCBerkeley grad students was still the core of BIND. --PV
Easy solution...Switch to a Vista/2003 Server platform. Duck!
I'm pretty sure I never heard my mother say, "Son, if you ever expose a Telnet port to the Internet, I'll fire a rocket up your ass!"
Don't thank God, thank a doctor!
And is it going to take another 20 years to close all the holes in telnet?
it seems some symantec employee is wasting his time,
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-022810-3637-99&tabid=2
is like asking a retard to tie his shoelaces and then pushing him when he bends over.
At the university where I work, there were a number of people running Solaris boxes who weren't even aware that telnet was running. It's not that they weren't aware of the secure advantage of using SSH. But they just weren't paying close attention to what ports they had open.
So if you or someone you know runs Solaris, but uses SSH, make sure that telnet is 100% disabled for sure!
/* No Comment */
Correction: that's one of the first things any good distro never turns on.
Linux and BSD had it for a long time before Solaris had it in the standard install. And you can't even enable telnetd on OS X since about 10.2 or so, unless you know how to edit the right config files in /etc.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
I don't even run inetd!
Edith Keeler Must Die
Someone should modify this worm to login as root, patch telnetd to fix the vulnerability, spread itself for a while, and then die. I've always wanted to see this done, and this seems like a good opportunity (limited number of configurations/binaries, limited number of machines, etc.). To respond to some anticipated points:
1) No, it's almost certainly not legal.
2) Yes, the ethics of it are debatable.
3) I don't know if there's actually a patch available yet.
4) Yes, this still results in a compromised machine that any diligent sysadmin (running telnet?!) will have to spend a lot of time/effort cleaning.
It's more of an interesting idea that I'd just enjoy seeing. Anyone know of any cases of this happening? "Oh no! You've got the anti-virus virus."
-TUAC
Am I the only one having checked the date after reading this title? For a second, I believed I was back in the 90's...
Exactly. All these comments to the effect of "telnetd should be off by default" are missing the point. Yes, telnetd should be off by default, but that's just so that dumb users don't get used to typing in their passwords over a cleartext connection.
It makes me wonder about how much original thought there is on Slashdot, versus how many comments are just clueless people using technical terms in a syntactically-correct fashion without really understanding what they're saying.
If I went back into the Slashdot archives for around 1999, I wouldn't be surprised if I could find a ton of comments to the effect of "only stupid people write down their passwords".
http://outcampaign.org/
Given the age of the vulnerability, it's probably just the Morris worm still kicking about.
People who disagree with you are not automatically evil, greedy, or stupid.
The last time I used telnet was probably somewhere in the late 90's. Since then I've been using ssh, like most people. Besides being secure, ssh puts a lot of power and flexibility at my fingertips: port-forwarding for tunnelling, passwordless connectivity, secure file transfers just to name a few. So it could be that it's been so long that I don't see the point of using telnet anymore, let alone willingly leave it enabled on my systems.
So besides the old argument of "I have legacy systems / applications which rely on telnet and other outdated modes of communication", why would people use telnet? Laziness? Ignorance? What else am I missing here?
Have EVDO, will travel.
It's the first thing a good admin never turns ON ;-)
Fuck me gently. First the Vista ativation bullshit, now this lame crap. Still, judging by the number of posts, it's time I tried Myspace...
'The SANS Internet Storm Center, which monitors Internet threats, has noticed some increase in activity on the network port used by Solaris' telnet feature, according to an ISC blog posted on Tuesday.
Pardon my ignorance, but doesn't Solaris use TCP port 23 like every other version of telnet in the universe, unless it's specifically redirected to a different port?
#1 - By default, you can never log in with root remotely via any means (only via an su). You'll note that /etc/default/login by default restricts root logins to the local console.
#2 - Any admin worth his/her salt will disable anything not required before making a system publicly accessible. This is not a consumer OS so people should be expected to have a clue.
#3 - Less salty admins will find that new installs of Solaris 10 will have a checkbox that restricts remote access to ssh only unless they specifically open the whole system up.
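The three points above (telnetd off, nothing unnecessary listening, root confined to the console) are easy to check from a host's own files rather than by probing port 23. The script below is an added example, not code from the thread or from Sun; it reads the text of `svcs -a` and of /etc/default/login (both assumed to have been collected from the Solaris 10 host, the samples here are constructed) and reports what needs fixing. The CONSOLE= setting only limits the blast radius: the telnetd bypass can be pointed at any local account, so an online telnet instance is a finding on its own.

```python
"""Audit a Solaris 10 host for the two things the posts above tell you to
check: whether the telnet service is online, and whether /etc/default/login
still confines root to the console.  Added example; inputs are constructed."""
import re

TELNET_FMRI = "svc:/network/telnet:default"


def telnet_state(svcs_output):
    """State column of `svcs -a` for the telnet instance, or None if the
    instance is not listed at all (pre-SMF releases use inetd.conf instead)."""
    for line in svcs_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[-1] == TELNET_FMRI:
            return parts[0]
    return None


def root_console_only(login_defaults):
    """True iff /etc/default/login has an uncommented, non-empty CONSOLE=
    setting; a commented-out or empty CONSOLE= lets root log in remotely."""
    for line in login_defaults.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r"CONSOLE=(\S*)", stripped)
        if m:
            return m.group(1) != ""
    return False


def audit(svcs_output, login_defaults):
    """Return a list of findings, empty when nothing needs attention."""
    findings = []
    state = telnet_state(svcs_output)
    if state == "online":
        findings.append(
            "telnetd is online; run 'svcadm disable %s' (the bypass works "
            "against any local account, so this is a finding by itself)"
            % TELNET_FMRI)
        if not root_console_only(login_defaults):
            findings.append(
                "CONSOLE= is unset in /etc/default/login, so the bypass "
                "can also be pointed at root")
    elif state is None:
        findings.append("telnet instance not found in svcs output; "
                        "confirm with 'svcs -a' on the host")
    return findings


# Constructed samples, not output from a real host.
SVCS_EXPOSED = """\
STATE          STIME    FMRI
online         Mar_01   svc:/network/ssh:default
online         Mar_01   svc:/network/telnet:default
"""
SVCS_HARDENED = """\
STATE          STIME    FMRI
online         Mar_01   svc:/network/ssh:default
disabled       Mar_02   svc:/network/telnet:default
"""
LOGIN_EXPOSED = "# CONSOLE=/dev/console\nPASSREQ=YES\n"
LOGIN_HARDENED = "CONSOLE=/dev/console\nPASSREQ=YES\n"

if __name__ == "__main__":
    for label, svcs, login in (("exposed", SVCS_EXPOSED, LOGIN_EXPOSED),
                               ("hardened", SVCS_HARDENED, LOGIN_HARDENED)):
        print(label + ":")
        for finding in audit(svcs, login) or ["no findings"]:
            print("  " + finding)
```

Feed it the real `svcs -a` output and the real /etc/default/login from a host and the exposed sample produces two findings, the hardened one none.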
I'd imagine virtually all Solaris deployments are done via a custom JumpStart configuration anyways, and the primary admin of that would have all the patches and lockdowns scripted in to the finish scripts. I do this for a lab environment and it works well.
man tunefs | grep fish
Need I say more?
What kind of mod is that?... ...Mom, is that you?
Don't thank God, thank a doctor!
WHY???
I doubt it; after all - the individuals who use these systems are not grandmas who barely know how to move the mouse. These systems are designed for use by experienced folk; I think it's just a blunder.
The saddest poem
We have had a parade of consultants in to mess with our ancient bloated Remedy shiteware, which for God knows what reason is still running on Solaris, and maybe half of them have never heard of SSH or SCP. It is to laugh or to cry.
Huh? I thought that telnet was obsolete.
- The Solaris telnet authenticates against their login PAM modules, which only uses the first 8 chars of the password for authentication. SSH bypasses /bin/login and passwords can be as long as you want. This is more longtime Solaris silliness that has not been fixed in Solaris 10.
At least they do come with a bunch of stuff disabled by default, and with a fairly recent version of SSH.
I *DO* have numerous Solaris hosts happily floating in the effluent of an unfirewalled Internet connection, and they are probed continually for guessable passwords. Since my passwords are something like "2q3cb07rqwpexnbyslgfsdjhg" and I use only ssh for access I can sleep at night.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
Slashdot is littered with articles about "0-day" vulnerabilities or releases. Something is only "0-day" within a 24 hour period after the release/announcement has been made. The next 24 hour period is called "1-day". 24 hours after, it's "2-day", get it?
This phrase originated back in the BBS days when pirate boards advertised how new their pirated software was. 0-day was ultra-cool, 0-1 day was still good, and most carried 0-30 day software.
At this point, "Solaris Telnet 0-day vulnerability" should have been written:
a. Solaris Telnet vulnerability
b. Solaris Telnet 18-day vulnerability
c. Solaris Telnet once-upon-a-time-was-obviously-a-0-day vulnerability
just because someone labeled something as "0-day" doesn't mean that it keeps getting called "0-day" afterwards. The original label is simply there to signify that the release is new.
Jeremy Kister
http://jeremy.kister.net./
It's probably got stuck inside a wall when the place was remodeled. Have they tried checking in there?
man crypt_bsdmd5
in /etc/security/crypt.conf:
CRYPT_DEFAULT=__unix__ => CRYPT_DEFAULT=1
This makes Solaris PAM compatible with Linux/BSD-style MD5 shadow hashes distributed via file, NIS, LDAP, or whatever. It will process an arbitrarily long password.
And in that case, you should edit your /etc/ssh/sshd_config and set PAMAuthenticationViaKBDInt to yes. That way you can manage your auth/session modules via pam.conf and manage your security policy in one place.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
I was wondering how to spin this so that it would possibly be anti-Microsoft. Thank you, Slashdot.
Help poke pirates in the eyepatch, arr.
According to this blog entry (see http://zetarace.blogspot.com/2007/03/dont-use-telnet.html), his honeypot network caught one of the worm attempts.
[**] [1:10136:3] TELNET Solaris login environment variable authentication bypass attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
03/01-13:44:29.556771 192.18.17.206:1134 -> 192.168.0.34:23
TCP TTL:46 TOS:0x0 ID:52835 IpLen:20 DgmLen:86 DF
***AP*** Seq: 0xED89493C Ack: 0x9D57147C Win: 0xC4E0 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/22512%5D
However, looking at the source ip attacking his honeypot machine.. seems it's coming directly from Sun network range:
whois 192.18.17.206
OrgName: Sun Microsystems, Inc
OrgID: SUN
Address: 4150 Network Circle
City: Santa Clara
StateProv: CA
PostalCode: 95054
Country: US
NetRange: 192.18.0.0 - 192.18.194.255
CIDR: 192.18.0.0/17, 192.18.128.0/18, 192.18.192.0/23, 192.18.194.0/24
NetName: SUN1
NetHandle: NET-192-18-0-0-1
Parent: NET-192-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.SUN.COM
NameServer: NS2.SUN.COM
NameServer: NS7.SUN.COM
NameServer: NS8.SUN.COM
Comment:
RegDate: 1985-09-09
Updated: 2003-10-10
RTechHandle: IS189-ARIN
RTechName: Sun Microsystems, Inc.
RTechPhone: +1-303-272-7000
RTechEmail: Netmaster@sun.com
OrgTechHandle: IS189-ARIN
OrgTechName: Sun Microsystems, Inc.
OrgTechPhone: +1-303-272-7000
OrgTechEmail: Netmaster@sun.com
It seems to me that Sun is spreading the Worm.^H^Hd.
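The Snort rule quoted above fires on the client's NEW-ENVIRON negotiation: `telnet -l USER` sends USER in an IAC SB NEW-ENVIRON IS block, Solaris in.telnetd handed that value straight to /bin/login, and a value beginning with `-f` (classically `-froot`) was parsed as login's "already authenticated" option. The script below is an added example, not code from the thread, the honeypot owner or Snort; it implements the same check over a telnet byte stream, with the sub-negotiation and RFC 1572 escaping handled properly, so a `-fbin` variant is caught as well as `-froot`. The packets it runs on are constructed here, and the `client_new_environ` builder is an assumption about what a stock telnet client emits.

```python
"""Spot the Solaris telnetd/login bypass pattern in a telnet client's
NEW-ENVIRON negotiation (the condition the Snort rule above fires on).
Added example; the sample packets are constructed."""

IAC, SE, SB = 255, 240, 250          # telnet command bytes
NEW_ENVIRON = 39                     # RFC 1572 option number
IS = 0                               # sub-command a client uses to send its environment
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def iter_suboptions(stream):
    """Yield (option, payload) for every IAC SB ... IAC SE block in a telnet
    byte stream, undoing IAC IAC escaping inside the block."""
    i, n = 0, len(stream)
    while i < n - 1:
        if stream[i] != IAC or stream[i + 1] != SB:
            i += 1
            continue
        j, body = i + 2, bytearray()
        while j < n:
            if stream[j] == IAC and j + 1 < n:
                if stream[j + 1] == IAC:        # escaped 0xff data byte
                    body.append(IAC)
                    j += 2
                    continue
                if stream[j + 1] == SE:         # end of sub-negotiation
                    break
            body.append(stream[j])
            j += 1
        else:
            return                              # truncated block, nothing to yield
        if body:
            yield body[0], bytes(body[1:])
        i = j + 2


def parse_new_environ(payload):
    """Parse the IS list: (VAR|USERVAR) name [VALUE value] ..., where ESC
    quotes the byte that follows it.  Returns {name: value}."""
    env = {}
    if not payload or payload[0] != IS:
        return env
    tokens = []                                  # [kind, bytearray]
    i = 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR, VALUE):
            tokens.append([b, bytearray()])
        elif b == ESC and i + 1 < len(payload):
            i += 1
            if tokens:
                tokens[-1][1].append(payload[i])
        elif tokens:
            tokens[-1][1].append(b)
        i += 1
    name = None
    for kind, data in tokens:
        text = data.decode("latin-1")
        if kind in (VAR, USERVAR):
            name = text
            env[name] = ""                       # variable sent with no value
        elif name is not None:                   # kind == VALUE
            env[name] = text
    return env


def find_login_option_injection(stream):
    """Return every USER value in the stream that login(1) would parse as an
    option rather than a user name: telnetd passed USER through to
    /bin/login, so "-froot" became login's -f (skip authentication) flag."""
    hits = []
    for option, payload in iter_suboptions(stream):
        if option != NEW_ENVIRON:
            continue
        user = parse_new_environ(payload).get("USER")
        if user is not None and user.startswith("-"):
            hits.append(user)
    return hits


def client_new_environ(user):
    """Assumed client reply to a NEW-ENVIRON SEND:
    IAC SB NEW-ENVIRON IS VAR "USER" VALUE <user> IAC SE."""
    body = (bytes([NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE])
            + user.encode("latin-1"))
    return bytes([IAC, SB]) + body.replace(b"\xff", b"\xff\xff") + bytes([IAC, SE])


# Constructed samples: an ordinary login, the classic bypass string, and the
# same trick aimed at an unprivileged account.  Each is preceded by the
# client's IAC WILL NEW-ENVIRON so the scanner has to skip a plain command.
NORMAL_SESSION = bytes([IAC, 251, NEW_ENVIRON]) + client_new_environ("alice")
BYPASS_SESSION = bytes([IAC, 251, NEW_ENVIRON]) + client_new_environ("-froot")
BYPASS_BIN = client_new_environ("-fbin")

if __name__ == "__main__":
    for label, pkt in (("normal", NORMAL_SESSION), ("bypass", BYPASS_SESSION),
                       ("bypass-bin", BYPASS_BIN)):
        print(label, find_login_option_injection(pkt))
```

Run over a pcap's TCP payloads toward port 23 it gives the same verdict as the rule, but it also survives a USER value that the rule's fixed byte match would miss, such as one padded with ESC-quoted bytes. Note that a patched host is not exempt from the check; the point is to see who is still trying.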
There are reasons to run telnet on boxes ... if you don't know them you've never operated a system worth a shit.
SSH yabber yabber... um encryption is going to stop someone from sniffing your password and session, but it's going to stop fuck all if there is some exploit in the SSH daemon. Telnet, SSH, anything that is interfacing with a network is just as "insecure" and open to remote attack as is the operating system's network stack.
The number of people that tell people they must use XYZ firewall, turn on this, turn off that and then have an insecure version of Apache running their BOFH blog.
I would have thought that by now nobody would be shipping systems with telnetd enabled by default.
Telnet is *not* enabled out-of-the-box.
And, as has been noted, the patch has been available for about 3 weeks now.
This is a terrible bug, which should never have got in to Solaris in the first place, but it did, and it was fixed.
OTOH, if you've
a) Chosen to run telnetd in the first place, and
b) Explicitly enabled remote root login for maximum damage
Then you can't really whine that "if a cracker can access the network, he can get root", because presumably even if this bug did not exist, the same hacker could run snoop/tcpdump/ethereal/etc and simply *find the root password as YOU type it in*.
So: Yes, it's bad. No, it shouldn't have happened. Is it news? Oh, redundant question, this is slashdot. It's not news, and it doesn't matter (to anyone with the slightest care about security).
Author, Shell Scripting : Expert Re
I've run three *nix boxes and any number of M$ boxes. All three *nix boxes were hacked, and yes, I'm sure it was because I "wasn't a good admin" and "didn't do the first thing I should have." Two were Red Hat and one was Solaris. For the Solaris box, I hired a professional *nix herder with years of experience on Solaris, a guy who worked for a major stock broker, and the box STILL got hacked... maybe because of this issue.
At the same time, I was running Personal Web Server on my '98 box at the office without a firewall of any kind. No problems, no hacking, no worries. It just worked. Yes, yes... I'm sure I was just lucky. My servers today are all M$, all behind professional firewalls, and all run like clockwork.
Despite how it sounds, I'm not trying to slam *nix here or send additional $$$ to M$. I'm just trying to point out that until *nix gets work done out of the box with defaults that assume the operator is a bonehead, M$ will still have a place in the world. I'm sure if you all tried, you would be able to do a better job than they do of making a secure out of the box FOSS OS.
Keep trying guys.
Sun employee acknowledges somehow that info ..
http://blogs.sun.com/chrisg/date/20070303
''
That there was a worm that successfully exploited the telnet vulnerability in Solaris 10 running around the Internet and more specifically within Sun last week is not news.
''