Code posted for Solaris remote root exploit

An anonymous hacker has posted instructions on how to launch attacks against a remote root exploit in the Solaris 10/11 telnet daemon.

The exploit, published at Full Disclosure and Milw0rm, exposes a zero-day hole affecting the free and open-source operating system. There are no patches available.

The SANS ISC (Internet Storm Center) is describing the issue as a "major zero day bug" that should be immediately mitigated by disabling telnet in Solaris 10/11.

SANS ISC handler Donald Smith explains:

The telnet daemon passes switches directly to the login process which looks for a switch that allows root to login to any account without a password. If your telnet daemon is running as root it allows unauthenticated remote logins.

David Maynor, chief technical officer at Errata Security, warns that the issue is trivial to exploit. "It doesn’t require any skill, any exploit knowledge, and can be scripted for mass attacks."

"This combined with a reliable local privilege escalation exploit would be devastating. Expect mass scanning and possibly the widespread exploitation of this vulnerability," Maynor added.
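The flaw Smith describes is an option-injection bug: a value supplied by the remote side lands in the login command line where a switch can be read. The following C example is added here for illustration and is not code from Solaris, SANS ISC or this article; `LOGIN_PATH`, the function names, the argv layout and the `-x` test value are assumptions. It contrasts an argv built from the raw name with one that validates the name and ends option parsing with `--` first.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical path and argv layout for illustration; not Solaris source. */
#define LOGIN_PATH "/bin/login"

/* Before: the remote-supplied name is appended as-is, so a name that
 * begins with '-' reaches login as a switch instead of an account name. */
int build_argv_naive(const char *user, const char *host, const char *argv[5])
{
    argv[0] = LOGIN_PATH; argv[1] = "-h"; argv[2] = host;
    argv[3] = user; argv[4] = NULL;
    return 4;
}

/* Accept only plain account names: non-empty, bounded, no leading '-'. */
int valid_username(const char *u)
{
    size_t n = strlen(u);
    if (n == 0 || n > 32 || u[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)u[i]) && !strchr("._-", u[i]))
            return 0;
    return 1;
}

/* After: validate, then place "--" so option parsing has ended before
 * the untrusted value is read. Returns argc, or -1 if the name is rejected. */
int build_argv_hardened(const char *user, const char *host, const char *argv[6])
{
    if (!valid_username(user))
        return -1;
    argv[0] = LOGIN_PATH; argv[1] = "-h"; argv[2] = host;
    argv[3] = "--"; argv[4] = user; argv[5] = NULL;
    return 5;
}

/* Simplified model of an option scan: "-h" takes one argument, "--" ends it. */
int switches_seen(const char *const argv[])
{
    int n = 0;
    for (int i = 1; argv[i] && argv[i][0] == '-' && argv[i][1]; i++) {
        if (strcmp(argv[i], "--") == 0) break;
        n++;
        if (!strcmp(argv[i], "-h") && argv[i + 1]) i++;
    }
    return n;
}
```

With the naive builder, a name such as `-x` is counted as a second switch; the hardened builder rejects it outright, and `--` keeps any accepted name out of option position.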

  • People run telnet with access from the web?

    Inside the core network, telnet is sometimes required (telecom, many legacy apps still use telnet), however, anyone, anywhere, who provides for telnet access to any machine from the internet should probably be sent back to school to learn security.

    For any external box that still needs to connect via telnet, firewall rules, even inside the network behind corporate firewalls are still put in place so that a single machine or machines can access telnet. More often than not, the machine has to physically be on the same subnet as well.

    In any case, I seriously doubt that "This combined with a reliable local privilege escalation exploit would be devastating." simply because 12 machines that are misconfigured as having telnet running and access from the web doesn't constitute a big threat. Simply put, anyone running Solaris would invariably know not to enable or completely secure telnet.

    • You must be a Mac person as well

      Talk about living in denial.
      • Nope

        Been using a Solaris workstation since 1997 (HP-UX for 7 years before that), telecommute with Linux and our products all run on Solaris, migrating to Linux, but thanks for coming out. We require our customers to ask for an official security exception if they want us to install, let alone activate, telnet. Anyone who still uses telnet for communication on the internet needs to go back to school.

        • You are...

          It sounds like you have a great security policy and good execution on it. I have to tell you though; you are the exception, not the rule. As a person who runs a security consulting company now, has worked for security vendors in the past, and even managed a large university's security, let me say that telnet still shows up all over the place. It's there for legacy reasons, people who just don't want to learn to do things a new way (ssh), or even people not knowing it's there.

          As far as it being devastating, Solaris is not used for workstations much anymore. Where it is used that I know of are large database servers that often store sensitive information or things where rock-solid stability is needed badly, like SCADA systems. A person being able to get root-level access on these systems is very bad from a data loss or business continuity point of view. If a botnet master were to find vulnerable machines it means there could be another command and control server for a botnet army. In either scenario there really isn't a good outcome to an unauthorized individual getting access to these systems.
    • I agree - telnet itself is considered a security risk!

      Because it receives all passwords over the network in clear-text! You don't need to use an exploit to crack anyone who is still using telnet for remote access.
      • Unix admin 101

        Nobody with any sense runs telnet on anything, let alone internet facing.

        Doesn't everyone use SSH these days?
  • Slow news day then.....

    Wow, a vulnerability in a highly insecure protocol that only a moron would use for remote access. What next, an exploit for gopher!

    Guess what, if you leave your keys in the door every day you might get robbed.
    Mad Dan
  • enabled by default

    Makes one wonder why it's enabled by default.
    Ryan Naraine
    • Everything in Solaris is enabled by default

      Just run any kind of vulnerability scanner on an internal LAN and you'll see almost all the Solaris servers are full of holes. They haven't been "immunized" by all the fear of Worms on Windows so they're not hardened at all.
      • Last I checked, AIX is the same way

        This is IBM of all people.. They love business, but don't have a clue about security.
      • I think you meant

        They haven't been immunized by the number of worms attacking windows, not the fear, the actual attacks that causes systems to get protected. Fear will follow attacks, not vice versa.....
      • Ignorance is ... well just ignorance

        So you assume that because it's on by default out of the box that that is how it's deployed. Don't judge Solaris admins by the standards you have encountered in the Windows world. Fortunately Unix people learned about security long before operating systems like Windows ever got networking. I tell you what, come back here in a couple of days and tell me of a single system compromised by this. Also let's see how quickly it is fixed and compare that with the response times of another OS vendor that I could name.
        Mad Dan