On Tue, 13 Feb 2007, Oliver Friedrichs wrote: > > Gadi, > > It looks like I was confused, this actually affected AIX and Linux in > 1994: > > http://www.securityfocus.com/bid/458/info > http://www.cert.org/advisories/CA-1994-09.html Same same but with rlogin, as someone mentioned on DSHIELD. Gadi. > > Oliver > > -----Original Message----- > From: Gadi Evron [mailto:ge@xxxxxxxxxxxx] > Sent: Tuesday, February 13, 2007 1:46 AM > To: Oliver Friedrichs > Cc: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx > Subject: RE: Solaris telnet vulnberability - how many on your network? > > On Mon, 12 Feb 2007, Oliver Friedrichs wrote: > > > > Am I missing something? This vulnerability is close to 10 years old. > > It was in one of the first versions of Solaris after Sun moved off of > > the SunOS BSD platform and over to SysV. It has specifically to do > > with how arguments are processed via getopt() if I recall correctly. > > Hey Oliver! :) > > Well than, I guess it just became new again. And to be honest, I have to > agree with a previous poster and suspect (only suspect) it could somehow > be a backdoor rather than a bug. > > The reason why this vulnerability is so critical is the number of > networks and organizations which rely on Solaris for critical production > servers, as well as use telnet for internal communication on their LAN > (now how smart is that? I'd rather use telnet on the Internet than on a > local LAN). > > Further, there are quite a few third party appliances (some > infrastructure back-end) that can not easily be patched running on > Solaris (forget fuzzing or VA, people never even NMAP appliances they > buy). > > I am unsure of how long we will see this in to-do items of corporate > security teams around the world, but I am sure Sun's /8 is getting a lot > of action recently. > > > > > Oliver > > Gadi. > > > > > -----Original Message----- > > From: Gadi Evron [mailto:ge@xxxxxxxxxxxx] > > Sent: Sunday, February 11, 2007 10:01 PM > > To: bugtraq@xxxxxxxxxxxxxxxxx > > Cc: full-disclosure@xxxxxxxxxxxxxxxxx > > Subject: Solaris telnet vulnberability - how many on your network? > > > > Johannes Ullrich from the SANS ISC sent this to me and then I saw it > > on the DSHIELD list: > > > > ---- > > If you run Solaris, please check if you got telnet enabled NOW. If > > > you > > can, block port 23 at your perimeter. There is a fairly trivial > > Solaris telnet 0-day. > > > > telnet -l "-froot" [hostname] > > > > will give you root on many Solaris systems with default installs > > We are still testing. Please use our contact form at > > https://isc.sans.org/contact.html > > if you have any details about the use of this exploit. > > ---- > > > > You mean they still use telnet?! > > > > Update from HD Moore: > > "but this bug isnt -froot, its -fanythingbutroot =P" > > > > On the exploits@ mailing list and on DSHIELD this vulnerability was > > verified as real. > > > > If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it > > > a strong suggestion. > > > > Anyone else running Solaris? > > > > Gadi. > > > > > >
