There is a brand new Solaris 10/11 Telnet vulnerability that allows remote users to log into the remote server as any user without providing a password. This is similar to the old AIX/Linux RLogin vulnerability in 1994.
It’s simple enough. If you pass “-fusername” as the argument to the telnet client's -l option while connecting to a vulnerable Solaris server, you will be logged in automatically as the supplied “username”. Therefore, you could log in as any known user. It has been reported that you cannot log in remotely as root. However, this is incorrect. Depending on the configuration of the remote server, it is possible for the remote user to log in as root: if the server allows root logins from somewhere other than the console (that is, if CONSOLE is not set in /etc/default/login), then the remote user can log in as root. An example is below.
Trying X.X.X.X...
Connected to X.X.X.X.
Escape character is '^]'.
Last login: Mon Feb 12 10:38:17 from AHost
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
You have new mail.
# id
uid=0(root) gid=0(root)
#
It should not be that big of a deal, as the Telnet service should not be used in most cases. I hope most people have moved to a more secure form of communication such as SSH. If you have not, disable the telnet service, as there is no publicly available patch.
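An added example, not part of the original post: a shell audit for the two conditions described above, whether the telnet service is online and whether CONSOLE is set in /etc/default/login. It assumes Solaris's SMF tools (svcs, svcadm) and the telnet service name svc:/network/telnet:default; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Solaris SMF tooling.
TELNET_FMRI="svc:/network/telnet:default"   # assumed SMF name of in.telnetd

# Exit 0 if FILE ($1) has an active CONSOLE=<device> line, meaning direct root
# logins are limited to that device. Commented-out, missing or empty settings
# count as "not set" so the audit errs toward reporting exposure.
console_restricts_root() {
    grep '^CONSOLE=.' "$1" >/dev/null 2>&1
}

# Print the SMF state of the telnet service (online, disabled, ...), or
# "unknown" when svcs is missing or the service is not installed.
telnet_state() {
    state=`svcs -H -o state "$TELNET_FMRI" 2>/dev/null` || state=""
    echo "${state:-unknown}"
}

# Report on a login defaults file ($1) and a telnet state ($2).
# Returns 0 = telnet not online, 1 = online but root is console-only,
#         2 = online and remote root login allowed, 3 = state unknown.
audit_host() {
    login_file=$1
    state=$2
    case "$state" in
        online) ;;
        unknown) echo "UNKNOWN: could not query $TELNET_FMRI"; return 3 ;;
        *) echo "OK: $TELNET_FMRI is $state"; return 0 ;;
    esac
    echo "FINDING: $TELNET_FMRI is online; turn it off with:"
    echo "    svcadm disable $TELNET_FMRI"
    if console_restricts_root "$login_file"; then
        echo "NOTE: CONSOLE is set in $login_file; non-root accounts remain exposed"
        return 1
    fi
    echo "FINDING: CONSOLE is not set in $login_file; remote root login is allowed"
    return 2
}

# Audit the local host only when asked to: sh telnet_audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_host /etc/default/login "`telnet_state`"
fi
```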
Comments (2)
hi there,
I have a SunOS 5.10 box at my work. I'm a real newbie in SunOS so I really need your help … can you please tell me how to close telnet or if there is a patch for this vuln?
thx
Posted by johnm | February 14, 2007 3:39 AM
People are stupid, dude - of course there's folks out there still running telnet. Heck man, there's people out there still running Windows 95...
Posted by Byron Sonn | February 15, 2007 1:42 PM