Worm Exploiting Solaris Telnetd Vulnerability
MichaelSmith writes "Several news sites are reporting that a worm is starting to exploit the Solaris Telnet 0-day vulnerability. By adding simple text to the Telnet command, the system will skip asking for a username and password. If the systems are installed out of the box, they automatically come Telnet-enabled. 'The SANS Internet Storm Center, which monitors Internet threats, has noticed some increase in activity on the network port used by Solaris' telnet feature, according to an ISC blog posted on Tuesday. "One hopes that there aren't that many publicly reachable Solaris systems running telnet," ISC staffer Joel Esler wrote.'"
Use SSH.
...oh, and don't forget to wear your raincoat.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
These 4 users running telnet on solaris are gonna be pissed...
What about replacing telnetd with openbsd's?
-uso.
What you hear in the ear, preach from the rooftop Matthew 10.27b
But it's only reachable via ports 80 and 443. And I installed patch #120069-02 a couple of weeks ago. In fact, I already installed the -03 version of that patch. If you keep up with your security patches, it's really not a problem. Of course, this is easy for me to say, I have one workstation; I'm sure that for sites with dozens (or hundreds) of servers, it's more problematic. I also STR that patch 120069 used to require a reboot after installation, which makes it a bit more of a hassle to install (I usually save those for Fridays, when I can install them and then walk away while the box reboots).
Just junk food for thought...
.... but wasn't this just fixed?
http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
So, just to be clear, this story, posted on March 2nd, is reporting on a worm which has started exploiting a zero day vulnerability that was covered by slashdot on February 12th?
Isn't twenty days long enough to disable a remotely exploitable and totally unnecessary, unsafe service that no admin in his right mind should have enabled on a box connected to the net anyway?
As a complete Unix fan boy I have to say this is one instance where we have to step down and put our hands up to say "Okay, we're sorry, we screwed up". Even XP managed to turn off its telnet service in Service Pack 1!
I never get used to these constant resurrections
What about this argument that OSs other than Microsoft ones don't get malware developed for them because they don't have significant marketshare, again?
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
Tell who?
What year is it?
sic transit gloria mundi
Amazing but true - there are printers on some networks which are accessible over the public Internet and which have their telnet ports exposed. I'm obviously not spelling out the implications here, but some people need the proverbial rocket up the backside.
Pining for the fjords
A while ago I found a strange comment here about why telnet was still used, even by security-knowledgeable IT departments. The comment was saying this:
Large financial institutions in Europe use telnet, as use of encryption is restricted on their trusted networks, for reasons of transparency to the stock regulating authorities. (Googling for this phrase should get you the /. comment)
If this is true (and not the post of a random troll), can anyone shed some light on this? For it seems very strange... There are many other ways to provide transparency to the financial authorities without having to compromise your network, no!?
First posted here http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html
on February 11, 2007
This is not present in the Update 3 of Solaris, released 11/06 - that prompts the user to enable "network services" if they like, but warns that will expose the system to problems. One of those problems is the famously insecure telnetd service. If you say "No" telnetd is not installed/activated - and "No" is the default.
;^)
Existing boxes need to fix this, but a patch has been out for a while - are we dealing with the "short bus" hackers that it took this long to actually exploit? Why, oh why, doesn't Solaris warrant better hackers?
Ken
...once again proves to be an oxymoron.
It's such a joke that everyone claims to be more secure than the next guy. But really they mean if you turn everything off and patch your system every day. That's what a 0 day exploit means. You have to patch every day or you could be at risk. Assuming there is a patch.
Having a patch isn't even that great of a deal. The patch usually provides the problem and then it's off to the races. How long to patch X number of systems versus how long to write an exploit. Even if you are 1% of the market, it's a losing race for the patchers.
Then there are all of the poor orphaned systems out there that don't have any one to maintain them. Who will patch these poor unfortunates? No one. The maintainers got laid off or found a better job and those systems will always be vulnerable.
The only time a computer is secure these days is when the network cable is unplugged and/or the on/off switch is off.
And don't even get me started on the Web of Lies...
...on writing the world's most unsuccessful worm.
isn't even coming close to their trend on activity-by-ports page
The basic sleazeware produced in a drunken fury by a bunch of UCBerkeley grad students was still the core of BIND. --PV
I'm pretty sure I never heard my mother say, "Son, if you ever expose a Telnet port to the Internet, I'll fire a rocket up your ass!"
Don't thank God, thank a doctor!
And is it going to take another 20 years to close all the holes in telnet?
At the university where I work, there were a number of people running Solaris boxes who weren't even aware that telnet was running. It's not that they weren't aware of the secure advantage of using SSH. But they just weren't paying close attention to what ports they had open.
So if you or someone you know runs Solaris, but uses SSH, make sure that telnet is 100% disabled for sure!
/* No Comment */
Correction: that's one of the first things any good distro never turns on.
Linux and BSD had it for a long time before Solaris had it in the standard install. And you can't even enable telnetd on OS X since about 10.2 or so, unless you know how to edit the right config files in /etc.
I don't even run inetd!
Edith Keeler Must Die
Am I the only one having checked the date after reading this title? For a second, I believed I was back in the 90's...
Exactly. All these comments to the effect of "telnetd should be off by default" are missing the point. Yes, telnetd should be off by default, but that's just so that dumb users don't get used to typing in their passwords over a cleartext connection.
It makes me wonder about how much original thought there is on Slashdot, versus how many comments are just clueless people using technical terms in a syntactically-correct fashion without really understanding what they're saying.
If I went back into the Slashdot archives for around 1999, I wouldn't be surprised if I could find a ton of comments to the effect of "only stupid people write down their passwords".
http://outcampaign.org/
Given the age of the vulnerability, it's probably just the Morris worm still kicking about.
People who disagree with you are not automatically evil, greedy, or stupid.
The last time I used telnet was probably somewhere in the late 90's. Since then I've been using ssh, like most people. Besides being secure, ssh puts a lot of power and flexibility at my fingertips: port-forwarding for tunnelling, passwordless connectivity, secure file transfers just to name a few. So it could be that it's been so long that I don't see the point of using telnet anymore, let alone willingly leave it enabled on my systems.
So besides the old argument of "I have legacy systems / applications which rely on telnet and other outdated modes of communication", why would people use telnet? Laziness? Ignorance? What else am I missing here?
Have EVDO, will travel.
It's the first thing a good admin never turns ON ;-)
'The SANS Internet Storm Center, which monitors Internet threats, has noticed some increase in activity on the network port used by Solaris' telnet feature, according to an ISC blog posted on Tuesday.
Pardon my ignorance, but doesn't Solaris use TCP port 23 like every other version of telnet in the universe, unless it's specifically redirected to a different port?
#1 - By default, you can never log in with root remotely via any means (only via an su). You'll note that /etc/default/login by default restricts root logins to the local console.
#2 - Any admin worth his/her salt will disable anything not required before making a system publicly accessible. This is not a consumer OS so people should be expected to have a clue.
#3 - Less salty admins will find that new installs of Solaris 10 will have a checkbox that restricts remote access to ssh only unless they specifically open the whole system up.
I'd imagine virtually all Solaris deployments are done via a custom JumpStart configuration anyways, and the primary admin of that would have all the patches and lockdowns scripted in to the finish scripts. I do this for a lab environment and it works well.
man tunefs | grep fish
Need I say more?
What kind of mod is that?... ...Mom, is that you?
Don't thank God, thank a doctor!
I doubt it; after all - the individuals who use these systems are not grandmas who barely know how to move the mouse. These systems are designed for use by experienced folk; I think it's just a blunder.
The saddest poem
Huh? I thought that telnet was obsolete.
- The Solaris telnet authenticates against their login PAM modules, which only uses the first 8 chars of the password for authentication. SSH bypasses /bin/login and passwords can be as long as you want. This is more longtime Solaris silliness that has not been fixed in Solaris 10.
At least they do come with a bunch of stuff disabled by default, and with a fairly recent version of SSH.
I *DO* have numerous Solaris hosts happily floating in the effluent of an unfirewalled Internet connection, and they are probed continually for guessable passwords. Since my passwords are something like "2q3cb07rqwpexnbyslgfsdjhg" and I use only ssh for access I can sleep at night.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
Slashdot is littered with articles about "0-day" vulnerabilities or releases. Something is only "0-day" within a 24-hour period after the release/announcement has been made. The next 24-hour period is called "1-day". 24 hours after, it's "2-day", get it?
This phrase originated back in the BBS days when pirate boards advertised how new their pirated software was. 0-day was ultra-cool, 0-1 day was still good, and most carried 0-30 day software.
At this point, "Solaris Telnet 0-day vulnerability" should have been written:
a. Solaris Telnet vulnerability
b. Solaris Telnet 18-day vulnerability
c. Solaris Telnet once-upon-a-time-was-obviously-a-0-day vulnerability
Just because someone labeled something as "0-day" doesn't mean that it keeps getting called "0-day" afterwards. The original label is simply there to signify that the release is new.
Jeremy Kister
http://jeremy.kister.net./
man crypt_bsdmd5
in /etc/security/crypt.conf:
CRYPT_DEFAULT=__unix__ => CRYPT_DEFAULT=1
This makes Solaris PAM compatible with Linux/BSD-style MD5 shadow hashes distributed via file, NIS, LDAP, or whatever. It will process an arbitrarily long password.
And in that case, you should edit your /etc/ssh/sshd_config and set PAMAuthenticationViaKBDInt to yes. That way you can manage your auth/session modules via pam.conf and manage your security policy in one place.
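An added example (my code, not any commenter's) that audits the settings discussed in this comment and in the earlier "#1" comment about /etc/default/login: the CONSOLE line that confines root logins to the console, and the sshd_config PermitRootLogin / PAMAuthenticationViaKBDInt values. The file contents below are constructed, and treating a missing PermitRootLogin as "yes" is a conservative assumption of mine, not a documented default.

```python
# Constructed sample configs (not copied from any real host).
DEFAULT_LOGIN_OK = "# /etc/default/login\nCONSOLE=/dev/console\nPASSREQ=YES\n"
DEFAULT_LOGIN_BAD = "# /etc/default/login\n#CONSOLE=/dev/console\nPASSREQ=YES\n"
SSHD_CONFIG_OK = "Protocol 2\nPermitRootLogin no\nPAMAuthenticationViaKBDInt yes\n"
SSHD_CONFIG_BAD = "Protocol 2\nPermitRootLogin yes\n"


def parse_kv(text, sep="="):
    """Parse KEY=VALUE lines (sep='=') or 'Key value' lines (sep=' '),
    skipping blank lines and '#' comments, so a commented-out key is absent."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(sep)
        out[key.strip()] = value.strip()
    return out


def audit_root_access(default_login, sshd_config):
    """Return a list of findings; an empty list means the checked settings are sane."""
    findings = []
    login = parse_kv(default_login, "=")
    # An active CONSOLE=/dev/console restricts root logins via login(1) to the
    # console, so a telnet session cannot log in as root even with the bug.
    if login.get("CONSOLE") != "/dev/console":
        findings.append("CONSOLE not /dev/console: remote root login via login(1) allowed")
    # sshd_config keywords are case-insensitive; normalise before comparing.
    sshd = {k.lower(): v.lower() for k, v in parse_kv(sshd_config, " ").items()}
    # Assumption: a missing PermitRootLogin is read as 'yes' (worst case).
    if sshd.get("permitrootlogin", "yes") == "yes":
        findings.append("PermitRootLogin yes: root can log in over ssh")
    if sshd.get("pamauthenticationviakbdint") != "yes":
        findings.append("PAMAuthenticationViaKBDInt not yes: sshd not using pam.conf stack")
    return findings


if __name__ == "__main__":
    for name, (lg, sc) in {"ok": (DEFAULT_LOGIN_OK, SSHD_CONFIG_OK),
                           "bad": (DEFAULT_LOGIN_BAD, SSHD_CONFIG_BAD)}.items():
        print(name, audit_root_access(lg, sc))
```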
I was wondering how to spin this so that it would possibly be anti-Microsoft. Thank you, Slashdot.
Help poke pirates in the eyepatch, arr.
According to this blog entry (see http://zetarace.blogspot.com/2007/03/dont-use-telnet.html), his honeypot network caught one of the worm's attempts.
[**] [1:10136:3] TELNET Solaris login environment variable authentication bypass attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
03/01-13:44:29.556771 192.18.17.206:1134 -> 192.168.0.34:23
TCP TTL:46 TOS:0x0 ID:52835 IpLen:20 DgmLen:86 DF
***AP*** Seq: 0xED89493C Ack: 0x9D57147C Win: 0xC4E0 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/22512]
However, looking at the source IP attacking his honeypot machine, it seems it's coming directly from Sun's network range:
whois 192.18.17.206
It seems to me that Sun is spreading the Worm.^H^Hd.
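As an added example (my code, not the blog author's or the commenter's), a small parser for Snort alerts in the format quoted above that also flags whether the source address falls inside the Sun-registered netblocks returned by the whois lookup. The first sample alert is the one quoted in the comment; the second, with the documentation address 203.0.113.9 as source, is constructed to give a negative case.

```python
import ipaddress
import re

# Constructed sample input: the alert quoted above plus one made-up alert.
SAMPLE_ALERTS = """\
[**] [1:10136:3] TELNET Solaris login environment variable authentication bypass attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
03/01-13:44:29.556771 192.18.17.206:1134 -> 192.168.0.34:23
TCP TTL:46 TOS:0x0 ID:52835 IpLen:20 DgmLen:86 DF
[**] [1:10136:3] TELNET Solaris login environment variable authentication bypass attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
03/01-14:02:11.000001 203.0.113.9:4021 -> 192.168.0.34:23
TCP TTL:51 TOS:0x0 ID:1 IpLen:20 DgmLen:86 DF
"""

# CIDR blocks from the whois answer in the comment.
SUN_NETBLOCKS = [ipaddress.ip_network(c) for c in
                 ("192.18.0.0/17", "192.18.128.0/18", "192.18.192.0/23", "192.18.194.0/24")]

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_alerts(text):
    """Return one dict per Snort 'fast'-style alert: gid/sid/rev, message,
    classification, priority, timestamp and the src/dst endpoints."""
    alerts, cur = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):          # a new alert starts here
            cur = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]), "msg": m[4]}
            alerts.append(cur)
        elif cur is None:
            continue
        elif m := CLASS_RE.search(line):
            cur["classification"], cur["priority"] = m[1], int(m[2])
        elif m := FLOW_RE.match(line):
            cur["timestamp"], cur["src"], cur["sport"] = m[1], m[2], int(m[3])
            cur["dst"], cur["dport"] = m[4], int(m[5])
    return alerts


def in_netblocks(ip, blocks=SUN_NETBLOCKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in blocks)


def triage(text):
    """(src, sid, source_is_in_sun_range) for every alert aimed at telnet (dport 23)."""
    return [(a["src"], a["sid"], in_netblocks(a["src"]))
            for a in parse_alerts(text) if a.get("dport") == 23]
```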
I would have thought that by now nobody would be shipping systems with telnetd enabled by default.
Telnet is *not* enabled out-of-the-box.
And, as has been noted, the patch has been available for about 3 weeks now.
This is a terrible bug, which should never have got in to Solaris in the first place, but it did, and it was fixed.
OTOH, if you've
a) Chosen to run telnetd in the first place, and
b) Explicitly enabled remote root login for maximum damage
Then you can't really whine that "if a cracker can access the network, he can get root", because presumably even if this bug did not exist, the same hacker could run snoop/tcpdump/ethereal/etc and simply *find the root password as YOU type it in*.
So: Yes, it's bad. No, it shouldn't have happened. Is it news? Oh, redundant question, this is slashdot. It's not news, and it doesn't matter (to anyone with the slightest care about security).
Author, Shell Scripting : Expert Re