Slashdot Mirror


Worm Exploiting Solaris Telnetd Vulnerability

MichaelSmith writes "Several news sites are reporting that a worm is starting to exploit the Solaris Telnet 0-day vulnerability. By adding simple text to the Telnet command, the system will skip asking for a username and password. If the systems are installed out of the box, they automatically come Telnet-enabled. 'The SANS Internet Storm Center, which monitors Internet threats, has noticed some increase in activity on the network port used by Solaris' telnet feature, according to an ISC blog posted on Tuesday. "One hopes that there aren't that many publicly reachable Solaris systems running telnet," ISC staffer Joel Esler wrote.'"

28 of 164 comments

  1. Yep. by AltGrendel · · Score: 4, Insightful
    That's one of the first things any good admin turns off.

    Use SSH.

    ...oh, and don't forget to wear your raincoat.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

    1. Re:Yep. by fm6 · · Score: 4, Insightful

      Yeah, that was my response when I first heard of this bug/exploit. But the real question is, should systems be shipped with telnet enabled? Obviously the answer is "no", but vendors seem to be slow to get this message.

      And note that this worm is enabled by a bug in Solaris's implementation of telnet, not by telnet itself. A similar bug in ssh would have had the same effect.

    2. Re:Yep. by Venik · · Score: 3, Funny

      I think the real question is: should Solaris telnetd have such an immense security hole?

    3. Re:Yep. by ray-auch · · Score: 2, Interesting

      But the real question is, should systems be shipped with telnet enabled? Obviously the answer is "no", but vendors seem to be slow to get this message.

      This is Sun. Remember "+" in hosts.equiv ? They deliberately shipped with a known insecure default config in order to reduce support costs / complaints ("ease-of-use" was allegedly considered more important than security).

    4. Re:Yep. by iamacat · · Score: 3, Insightful

      ssh is actually more complex than telnet and more likely to have exploitable bugs - there were a couple featured on slashdot in fact. ssh is for protection of the user, not the host system. It can make intrusion recovery more difficult, as you will not be able to see what the attacker is doing using network monitoring tools. Sun just got sloppy/unlucky with this one by unnecessarily mucking with login. Don't they teach in school to not add command line options/environment variables to a setuid program?

    5. Re:Yep. by fm6 · · Score: 2, Insightful

      Putting ease of use ahead of security is hardly unique to Sun. Actually, this kind of thing isn't even an ease of use issue. Somebody gets a customer complaint, they see a fix, and they implement it without thinking through the security implications. Happens every day — usually several times.

    6. Re:Yep. by DieNadel · · Score: 2, Funny

      No, they do not!

      Stop repeating that!

      They don't use telnet, and that plaintext you see when sniffing their network is your natural ability to crack encryption.

      How many times do I have to tell you that you're special?!

      Now, back to the task I've given you. The NSA won't be lending me your brain again if you spend all my allotted time on /.

      --
      Utinam logica falsa tuam philosophiam totam suffodiant!
    7. Re:Yep. by Venik · · Score: 2, Insightful

      There is nothing inherently wrong with telnet. It has functional limitations, just as any other method of communication. Telnet can be safely used when its limitations are accounted for in the overall environment. Look at it this way. A company that makes locks accidentally produced a model that can be opened by any key. Oops. You are saying: Hey, everybody knows that locks can be picked, so why are you still using them? Do you see a difference between a design limitation and a production defect?

    8. Re:Yep. by pclminion · · Score: 2, Insightful

      Yeah, that was my response when I first heard of this bug/exploit. But the real question is, should systems be shipped with telnet enabled? Obviously the answer is "no", but vendors seem to be slow to get this message.

      Why the hell not? Installation of Solaris is not exactly an "end user" type of operation. More likely it would be performed by an IT professional. Having telnet enabled initially makes it easy to set up the system from another location without worrying about making ssh or anything else work.

      The real stupidity is the admins who don't care enough to actually do their job and disable telnet. These are the people who should know better. Chances are, Sun has received more calls about why telnet is NOT enabled by default than they have for the opposite. The real lesson is, don't plug a box into an untrusted network with telnet running.

  2. Oh no by wumpus188 · · Score: 4, Funny

    These 4 users running telnet on solaris are gonna be pissed...

  3. Mine is! by Doctor+Memory · · Score: 2, Insightful

    But it's only reachable via ports 80 and 443. And I installed patch #120069-02 a couple of weeks ago. In fact, I already installed the -03 version of that patch. If you keep up with your security patches, it's really not a problem. Of course, this is easy for me to say, I have one workstation; I'm sure that for sites with dozens (or hundreds) of servers, it's more problematic. I also STR that patch 120069 used to require a reboot after installation, which makes it a bit more of a hassle to install (I usually save those for Fridays, when I can install them and then walk away while the box reboots).

    --
    Just junk food for thought...
  4. I might have missed something.... by 8127972 · · Score: 3, Informative
    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
  5. It's been a long day... by Odiumjunkie · · Score: 5, Insightful

    So, just to be clear, this story, posted on March 2nd, is reporting on a worm which has started exploiting a zero day vulnerability that was covered by slashdot on February 12th?

    Isn't twenty days long enough to disable a remotely exploitable and totally unnecessary, unsafe service that no admin in his right mind should have enabled on a box connected to the net anyway?

    1. Re:It's been a long day... by Cheapy · · Score: 3, Funny

      Sysadmins have been searching this entire time to find a Solaris box to fix.

      They are still searching.

      --
      Would you kindly mod me +1 insightful?
    2. Re:It's been a long day... by dknj · · Score: 2, Interesting

      Judging by your UID, I will assume you are new here and new to IT in general. In The Real World(tm), patches are not applied as soon as they are released. You must test them; most managers are clueless about OS level patches and require the same testing process that, say, application testing goes through. I have seen patches take a week to be approved and put into production and I have worked with companies that have a 30 day delayed patch release schedule.

      With that said, no one should be running any insecure applications in production..... but people/organizations do. X servers running as root with all hosts allowed to connect. Passwords with abc123. This is entirely the fault of the admin, but sometimes cannot be altered without bureaucratic hoopla (all you can do in this case is CYA and make it visible to upper management).

      Lastly, to quell all these "ZOMG SOLARIS IS TEH SUX0R" comments.. Solaris 10 only enables telnet when the admin specifically requests it during installation. Let me say it again: the admin has a choice to install telnet and enable it during installation. Plus who installs Solaris by hand when you have Flash Archives/Jumpstart to do the work for you?

  6. Should have happened... by alexhs · · Score: 4, Insightful

    What about this argument that OSs other than Microsoft ones don't get malware developed for them because they don't have significant marketshare, again?

    --
    I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
  7. telwhat? by glwtta · · Score: 2, Funny

    Tell who?

    What year is it?

    --
    sic transit gloria mundi
  8. Other Telnet vulnerabilities by Flying+pig · · Score: 2, Insightful

    Amazing but true - there are printers on some networks which are accessible over the public Internet and which have their telnet ports exposed. I'm obviously not spelling out the implications here, but some people need the proverbial rocket up the backside.

    --
    Pining for the fjords
    1. Re:Other Telnet vulnerabilities by geoffspear · · Score: 3, Funny

      I've yet to come across a printer that was running Solaris, but I'll certainly keep that in mind if I ever do.

      --
      Don't blame me; I'm never given mod points.
  9. Telnet for transparency? by Anonymous Coward · · Score: 4, Interesting

    A while ago I found a strange comment here about why telnet was still used, even by security-knowledgeable IT department. The comment was saying this:

    Large financial institutions in Europe use telnet, as use of encryption is restricted on their trusted networks, for reasons of transparency to the stock regulating authorities. (Googling for this phrase should get you the /. comment)

    If this is true (and not the post of a random troll), can anyone shed some light on this? For it seems very strange... There are many other ways to provide transparency to the financial authorities without having to compromise your network, no!?

  10. A new box won't have this problem... by kenh · · Score: 2, Insightful

    This is not present in the Update 3 of Solaris, released 11/06 - that prompts the user to enable "network services" if they like, but warns that will expose the system to problems. One of those problems is the famously insecure telnetd service. If you say "No" telnetd is not installed/activated - and "No" is the default.

    Existing boxes need to fix this, but a patch has been out for a while - are we dealing with the "short bus" hackers that it took this long to actually exploit? Why, oh why, doesn't Solaris warrant better hackers? ;^)

    --
    Ken
  11. What proverb is that? by SanityInAnarchy · · Score: 2, Informative

    proverbial rocket up the backside.

    I'm pretty sure I never heard my mother say, "Son, if you ever expose a Telnet port to the Internet, I'll fire a rocket up your ass!"

    --
    Don't thank God, thank a doctor!
  12. Re:Free software to the rescue? by ebvwfbw · · Score: 2, Informative

    What about replacing telnetd with openbsd's?

    It won't help because the vulnerability is in login (which telnetd calls) and not in telnetd. Since this is almost a month old and everyone should know by now, here it is -

    telnet -l "-froot" [hostname]

  13. Correction by Megane · · Score: 2, Interesting

    Correction: that's one of the first things any good distro never turns on.

    Linux and BSD had it for a long time before Solaris had it in the standard install. And you can't even enable telnetd on OS X since about 10.2 or so, unless you know how to edit the right config files in /etc.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  14. Re:Computer Security by SanityInAnarchy · · Score: 2, Interesting

    It's such a joke that everyone claims to be more secure than the next guy. But really they mean if you turn everything off and patch your system every day.

    Which is the default, these days.

    That's what a 0 day exploit means. You have to patch every day or you could be at risk.

    No, a 0 day exploit means even if you patch every day, you're still at risk. But you know what? You're at risk every day simply by being alive. You could be hit by a meteor the next second! Oh noes!

    Grow up and stop fearmongering. There's plenty of real security threats without saying "Everyone's insecure!"

    Having a patch isn't even that great of a deal. The patch usually provides the problem and then it's off to the races.

    I'm sorry, what? The patch provides the problem... I think I know what you mean, but this just makes you sound like an idiot. The patch fixes the problem. It may provide new problems, but it fixes the ones it's meant to fix.

    How long to patch X number of systems versus how long to write an exploit. Even if you are 1% of the market, it's a losing race for the patchers.

    How do you figure? Got any numbers to show me, or is this just blind speculation?

    Here's a hint: If you've got an open source system, someone who finds an exploit is much more likely to send in a patch than to release said exploit into the wild. I know that's the case with me -- given the choice between patching Linux and exploiting Linux, I'll patch it. Given the choice between waiting six months for MS to patch something and exploiting it myself, I'll exploit it. And if you've got everyone's system updating every day, then it truly does become a losing race for someone to find the patch, develop an exploit, and begin using it before my system automatically patches itself.

    Then there are all of the poor orphaned systems out there that don't have anyone to maintain them. Who will patch these poor unfortunates?

    Who relies on these poor unfortunates? Not anyone who cares about security. I mean, yeah, if you're running Win98, you're better off leaving the thing unplugged, but...

    The only time a computer is secure these days is when the network cable is unplugged and/or the on/off switch is off.

    I hate hearing this. Not only is it simply wrong (I can still pick the computer up and carry it off), but it's often used as some sort of excuse for computer security being as bad as it is.

    I think Linux and the BSDs are pretty secure. I'm still annoyed at how frequently exploits are found.

    But notice how you took two examples: A zero-day exploit, and old, unmaintained systems. Everything else you mentioned is basically saying the sky is falling because no one is secure, and therefore we can't say anyone is more secure than anyone else? How twisted is that?

    Obviously, if I post my root password and IP address here, I AM less secure than everyone else. So, obviously, there are degrees of security.

    And maybe everyone does become vulnerable at some point. It doesn't mean we're all doomed -- security is entirely based on economics. You're not 0wned unless it's worth it for you to be, and it's just not worth it if I'm running a custom-compiled Linux kernel and Gentoo system, all kinds of stuff tweaked by hand, and no particular reason they'd want me except CPU cycles and bandwidth. As long as there's dozens of Windows boxes they can 0wn automatically, they aren't going to get me.

    Still, if you're so convinced the exploiters will always beat the patchers, go ahead and try. Crack my box, and leave me an email from myself explaining the situation. Until then, I'll remain convinced you know nothing about security except that old "Nobody's secure" bullshit.

    --
    Don't thank God, thank a doctor!
  15. Re:Why use telnet, anyway? by 99BottlesOfBeerInMyF · · Score: 2, Informative

    So besides the old argument of "I have legacy systems / applications which rely on telnet and other outdated modes of communication", why would people use telnet? Laziness? Ignorance? What else am I missing here?

    People who use telnet on a large scale that I know of include:

    • European financial companies who are not allowed to use encryption while trading stock for regulatory reasons (on a private network).
    • South and Central American ISPs who provide shell accounts as part of internet access and who have to support the lowest common denominator.
    • Major network operators in Asia and China who run telnet on their control networks.
    • New hardware appliances that are configured once from telnet or console and for whom SSH provides only added complexity since they would be transferring the keys at the same time as their only connection.

    Telnet is not dead and in some cases is appropriate. Those cases are just fairly limited and are less likely to be a problem than someone who just sticks a box on the net with telnet enabled because they are lazy/ignorant (which also happens).

  16. Re:*Cough* Microsoft *Cough* by fm6 · · Score: 2, Funny

    Since when was Microsoft known for usability?

  17. SSHD DOES give you magical powers - real passwords by wsanders · · Score: 2, Insightful

    - The Solaris telnet authenticates against their login PAM modules, which only uses the first 8 chars of the password for authentication. SSH bypasses /bin/login and passwords can be as long as you want. This is more longtime Solaris silliness that has not been fixed in Solaris 10.

    At least they do come with a bunch of stuff disabled by default, and with a fairly recent version of SSH.

    I *DO* have numerous Solaris hosts happily floating in the effluent of an unfirewalled Internet connection, and they are probed continually for guessable passwords. Since my passwords are something like "2q3cb07rqwpexnbyslgfsdjhg" and I use only ssh for access I can sleep at night.

    --
    Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"