Easy Solaris 10 Telnet Exploit Found

If you’ve got Solaris with telnet running, you could be in for a big surprise. There is a fairly trivial Solaris telnet 0-day exploit in the wild [.pdf]. “This was posted to Full-Disclosure. Remote root exploit in the Solaris 10/11 telnet daemon. It doesn’t require any skill, any exploit knowledge, and can be scripted for mass attacks. Basically if you pass a ‘-fusername’ as an argument to the –l option you get full access to the OS as the user specified. In my example I do it as bin but it worked for regular users, just not for root. This combined with a reliable local privilege escalation exploit would be devastating. Expect mass scanning and possibly the widespread exploitation of this vulnerability.”

43 Comments

  1. 2007-02-12 6:44 pm
  2. 2007-02-12 6:47 pm
    • 2007-02-12 7:09 pm
      • 2007-02-12 7:51 pm
        • 2007-02-12 8:41 pm
          • 2007-02-13 1:07 pm
      • 2007-02-13 9:31 am
        • 2007-02-13 1:05 pm
    • 2007-02-12 7:28 pm
  3. 2007-02-12 7:06 pm
  4. 2007-02-12 7:14 pm
    • 2007-02-12 7:29 pm
      • 2007-02-12 7:34 pm
  5. 2007-02-12 7:17 pm
    • 2007-02-12 7:46 pm
      • 2007-02-13 3:06 am
    • 2007-02-13 2:35 am
      • 2007-02-13 3:05 am
        • 2007-02-13 5:29 am
          • 2007-02-13 12:58 pm
  6. 2007-02-12 7:25 pm
  7. 2007-02-12 7:27 pm
  8. 2007-02-12 7:38 pm
  9. 2007-02-12 7:44 pm
  10. 2007-02-12 8:06 pm
    • 2007-02-12 8:14 pm
  11. 2007-02-12 8:13 pm
  12. 2007-02-12 8:19 pm
    • 2007-02-12 11:47 pm
    • 2007-02-12 11:53 pm
  13. 2007-02-12 9:35 pm
  14. 2007-02-12 9:54 pm
    • 2007-02-12 10:08 pm
      • 2007-02-12 11:45 pm
  15. 2007-02-12 10:42 pm
    • 2007-02-12 10:59 pm
      • 2007-02-12 11:17 pm
      • 2007-02-12 11:28 pm
        • 2007-02-12 11:59 pm
          • 2007-02-13 1:27 am
  16. 2007-02-13 12:14 am
  17. 2007-02-13 12:40 am
  18. 2007-02-13 4:09 pm