Sun Solaris Telnet Remote Authentication Bypass Vulnerability
BID:22512
Info
Sun Solaris Telnet Remote Authentication Bypass Vulnerability
| Bugtraq ID: | 22512 |
| Class: | Design Error |
| CVE: |
CVE-2007-0882 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 12 2007 12:00AM |
| Updated: | Nov 05 2007 11:55PM |
| Credit: | kcope <[email protected]> discovered this vulnerability. |
| Vulnerable: |
Sun Solaris 10.0_x86 Sun Solaris 10.0 Nortel Networks Self-Service - Peri Application Rel 3.0 Nortel Networks Self-Service - CCSS7 0 Nortel Networks Media Processing Svr 500 Rel 3.0 Nortel Networks Media Processing Svr 1000 Rel 3.0 Avaya Interactive Response 2.0 |
| Not Vulnerable: | |
Discussion
Sun Solaris Telnet Remote Authentication Bypass Vulnerability
Sun Solaris 10 is prone to a vulnerability that allows remote attackers to bypass authentication.
Successfully exploiting this issue allows remote attackers to gain remote access to vulnerable computers. If the targeted computer is configured to allow non-console logins for superusers, then remote superuser access is possible.
Update: By exploiting the same underlying flaw, attackers may pass other arguments to the 'login' program, potentially allowing them to bypass other security restrictions. Attackers may potentially bypass the console-only requirement for superuser logins.
Sun Solaris 10 is prone to a vulnerability that allows remote attackers to bypass authentication.
Successfully exploiting this issue allows remote attackers to gain remote access to vulnerable computers. If the targeted computer is configured to allow non-console logins for superusers, then remote superuser access is possible.
Update: By exploiting the same underlying flaw, attackers may pass other arguments to the 'login' program, potentially allowing them to bypass other security restrictions. Attackers may potentially bypass the console-only requirement for superuser logins.
Exploit / POC
Sun Solaris Telnet Remote Authentication Bypass Vulnerability
Attackers may exploit this issue with a telnet client.
The following command demonstrates this issue:
telnet -l-f<user> <hostname>
Or, attackers may execute the following command to bypass the console-only superuser authentication:
telnet -l-d/dev/console <hostname>
Note that in this case, just the requirement for console-only superuser logins will be bypassed, not the remote authentication.
Reports indicate that this issue is being exploited in the wild by a malicious worm.
Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
Attackers may exploit this issue with a telnet client.
The following command demonstrates this issue:
telnet -l-f<user> <hostname>
Or, attackers may execute the following command to bypass the console-only superuser authentication:
telnet -l-d/dev/console <hostname>
Note that in this case, just the requirement for console-only superuser logins will be bypassed, not the remote authentication.
Reports indicate that this issue is being exploited in the wild by a malicious worm.
Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
Solution / Fix
Sun Solaris Telnet Remote Authentication Bypass Vulnerability
Solution:
Sun has released an alert along with patches to address this issue. Please see the references for more information.
Solution:
Sun has released an alert along with patches to address this issue. Please see the references for more information.
References
Sun Solaris Telnet Remote Authentication Bypass Vulnerability
References:
References:
- Another good reason to stop using telnet (SANS)
- Solaris Homepage (Sun Microsystems)
- solaris-telnet-0-day (Riosec)
- Solaris telnet vuln solutions digest and network risks (Gadi Evron
- ASA-2007-062 - Security Vulnerability in the in.telnetd(1M) Daemon May Allow Una (Avaya)
- Nortel response to Solaris Security Vulnerability in the in.telnetd(1M) Daemon (Nortel)
- Sun Alert ID: 102802 - Security Vulnerability in the in.telnetd(1M) Daemon May A (Sun)
- Vulnerability Note VU#881872 - Sun Solaris telnet authentication bypass vulnerab (US-CERT)