Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?
From: Adrian Sanabria (adrian.sanabriagmail.com)
Date: Tue Feb 13 2007 - 18:18:50 CST
If someone was going to plant a backdoor in Solaris, don't you think they
would have chosen a service that most people would leave turned on? The only
way I can see someone choosing telnet for a backdoor is if it happened a
looooong time ago. So, two things I'm curious about, but too busy (lazy) at
the moment to look up:
1. Didn't Sun open up the source to Solaris? I wonder if it looks more like
a bug or a backdoor in the source.
2. Did this get reintroduced to Solaris, or has it been there ever since the
legacy code was pulled over from SysV?
P.S. - Apologies if this was answered somewhere, and I missed it.
On 2/13/07, Gadi Evron <gelinuxbox.org> wrote:
> On Mon, 12 Feb 2007, Oliver Friedrichs wrote:
> > Am I missing something? This vulnerability is close to 10 years old.
> > It was in one of the first versions of Solaris after Sun moved off of
> > the SunOS BSD platform and over to SysV. It has specifically to do with
> > how arguments are processed via getopt() if I recall correctly.
> Hey Oliver! :)
> Well than, I guess it just became new again. And to be honest, I have to
> agree with a previous poster and suspect (only suspect) it could somehow
> be a backdoor rather than a bug.
> The reason why this vulnerability is so critical is the number of networks
> and organizations which rely on Solaris for critical production servers,
> as well as use telnet for internal communication on their LAN (now how
> smart is that? I'd rather use telnet on the Internet than on a local LAN).
> Further, there are quite a few third party appliances (some
> infrastructure back-end) that can not easily be patched running on
> Solaris (forget fuzzing or VA, people never even NMAP appliances they
> I am unsure of how long we will see this in to-do items of corporate
> security teams around the world, but I am sure Sun's /8 is getting a lot
> of action recently.
> > Oliver
> > -----Original Message-----
> > From: Gadi Evron [mailto:gelinuxbox.org]
> > Sent: Sunday, February 11, 2007 10:01 PM
> > To: bugtraqsecurityfocus.com
> > Cc: full-disclosurelists.grok.org.uk
> > Subject: Solaris telnet vulnberability - how many on your network?
> > Johannes Ullrich from the SANS ISC sent this to me and then I saw it on
> > the DSHIELD list:
> > ----
> > If you run Solaris, please check if you got telnet enabled NOW. If
> > you
> > can, block port 23 at your perimeter. There is a fairly trivial
> > Solaris telnet 0-day.
> > telnet -l "-froot" [hostname]
> > will give you root on many Solaris systems with default installs
> > We are still testing. Please use our contact form at
> > https://isc.sans.org/contact.html
> > if you have any details about the use of this exploit.
> > ----
> > You mean they still use telnet?!
> > Update from HD Moore:
> > "but this bug isnt -froot, its -fanythingbutroot =P"
> > On the exploits mailing list and on DSHIELD this vulnerability was
> > verified as real.
> > If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it a
> > strong suggestion.
> > Anyone else running Solaris?
> > Gadi.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/