[geeks] Solaris 10 Remote-Root Exploit
Doug McLaren
dougmc at frenzied.us
Mon Feb 12 15:07:35 CST 2007
On Mon, Feb 12, 2007 at 12:08:46PM -0600, Lionel Peterson wrote:
| 1) Were you logged in as "root" or "non-superuser user"?
In my cases, both. Worked every time.
| 2) What is OS of Telnet client you are using (Linux, Solaris, etc.)?
Linux and Solaris. Worked in both cases.
I doubt the client version matters much at all, though it wouldn't
surprise me if Windows telnet were broken enough to not be able to send
the login name properly. (But I have not tried it.)
| 3) Is there any logical connection between the two machines (as I
| understand it "-f" sends credentials to telnetd, I want to make sure
| there is no connection between the two.)
No.
| I am curious if you have two machines with identical root passwords
| when this is successful...
Not in my case.
Actually, telnet doesn't send any credentials at all beyond a login
name (at least the normal ones -- no idea about kerberos or anything
like that.) The problem is that a login name of `-froot' is passed,
which is fed directly to /bin/login and /bin/login blindly trusts it
because the euid is 0 (because it's being called by in.telnetd.)
(At least that's the case if things work exactly like they did with
in.rlogind 12 years ago, which seems very likely.)
--
Doug McLaren, dougmc at frenzied.us Body by Nautilus; Brain by Sega.
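The mechanism Doug describes (a login name of `-froot` handed straight to /bin/login by a daemon running as euid 0, so login reads it as its `-f` option) is, from a defender's view, an argument-injection bug: the daemon must never let a client-supplied string reach the login program in a position where it can be parsed as an option. The following C is an added illustration of that mitigation, not Sun's patch and not code from this thread; the `login_name_is_safe` and `build_login_argv` functions, the 32-character limit and the argv layout (`/bin/login -h host name`) are assumptions made for the example. It restricts names to the POSIX portable user-name characters, refuses a leading `-`, and only then builds the argv a daemon would pass to login(1).

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed upper bound for a login name in this example. */
#define MAX_LOGIN_NAME 32

/* Hypothetical validator: accept only non-empty names built from the
 * POSIX portable user-name characters [A-Za-z0-9._-] that do not begin
 * with '-'.  A leading '-' is what lets a name such as "-froot" be read
 * by /bin/login as its -f (pre-authenticated) option. */
int login_name_is_safe(const char *name) {
    size_t i, n;
    if (name == NULL) return 0;
    n = strlen(name);
    if (n == 0 || n > MAX_LOGIN_NAME) return 0;
    if (name[0] == '-') return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Build the argv a daemon would hand to login(1) for a validated name.
 * argv must have room for 5 entries.  Returns the number of entries
 * written (excluding the terminating NULL), or -1 if the name is rejected.
 * The host comes from the daemon's own peer lookup, not from the client. */
int build_login_argv(const char *host, const char *name, const char *argv[5]) {
    if (!login_name_is_safe(name)) return -1;
    argv[0] = "/bin/login";
    argv[1] = "-h";     /* assumed: pass the remote host, as rlogind/telnetd did */
    argv[2] = host;
    argv[3] = name;     /* validated: cannot be parsed as an option */
    argv[4] = NULL;
    return 4;
}

int main(void) {
    /* Constructed sample names, including the injected one from the thread. */
    const char *samples[] = { "dougmc", "-froot", "", "bob smith", "r2.d2_x" };
    const char *argv[5];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = build_login_argv("10.0.0.5", samples[i], argv);
        if (n < 0)
            printf("reject  \"%s\"\n", samples[i]);
        else
            printf("accept  \"%s\" -> %s %s %s %s\n", samples[i],
                   argv[0], argv[1], argv[2], argv[3]);
    }
    return 0;
}
```

The check belongs in the daemon, before the exec, because /bin/login has no way to tell a trusted euid-0 caller's `-f` from one smuggled in through the client's login name; rejecting at the boundary also gives a clean point to log the attempt.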