Re: Solaris telnet vulnberability - how many on your network?

2007-02-21 Thread Edsel Adap



Nate Eldredge wrote:
I have now set up a virtual Solaris 8 box to test this with root access, 
and it appears you are correct.  When run as root, login -f root 
presents a login prompt, just like login without arguments.  So it is 
not supported in the sense of having the Solaris 10 documented behavior.


I tested this as well on a Solaris 8 box.  I did not get the behavior 
you described.


# uname -a
SunOS skyhawk 5.8 Generic_108528-29 sun4u sparc SUNW,Sun-Blade-100
# /bin/login -froot
Not on system console

As you can see, it did not prompt me for a password.  Obviously the -f 
option is recognized and its semantics are implemented.


However telnet could not be used to exploit it in the same way Solaris 
10 was exploited.


Using strings to look at the getopt option list reveals that an 
undocumented -a option also exists.  I don't know what it does, 
either. More material for the backdoor conspiracy theorists, I suppose. 
Fortunately there doesn't appear to be a -nsakey option.


As far as the -a option, it does not do anything.  The OpenSolaris 
source says:


case 'a':
   break;

I'm guessing that this behavior is left over from the older versions of 
Solaris.



--
Edsel Adap
[EMAIL PROTECTED]
http://www.adap.org/~edsel/  LINUX - the choice of the GNU 
generation


Re: Solaris telnet vulnberability - how many on your network?

2007-02-20 Thread Marco Ivaldi

Scott,

On Sat, 17 Feb 2007, Cromar Scott wrote:


I have to wonder if the old bug complaints are coming in reference to
one of the following:

http://www.securityfocus.com/bid/3064/info
http://www.securityfocus.com/bid/5531/info

I know that my initial reaction was haven't I seen this before? but
the above two are what I found in my notes when I looked back.

(Note that the second of the two is reported to actually reference a
problem with login and not in.telnetd.)


The second vulnerability you mention was indeed affecting System V derived 
login. Furthermore, it was exploitable through a common telnet client (via 
the TTYPROMPT trick [1], which somehow reminds me of the recent Solaris 10 
exploit), locally, or through other attack vectors, such as rlogin [2] and 
even X.25 pad daemon, without the need to specify TTYPROMPT at all.


[1] http://archive.cert.uni-stuttgart.de/bugtraq/2002/10/msg00020.html
[2] http://www.0xdeadbeef.info/exploits/raptor_rlogin.c

Cheers,

--
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707


RE: Solaris telnet vulnberability - how many on your network?

2007-02-20 Thread Michael Wojcik
 From: Nate Eldredge [mailto:[EMAIL PROTECTED] 
 Sent: Friday, 16 February, 2007 21:42
 
 On Sat, 17 Feb 2007, Darren Reed wrote:
 
 
  Solaris's /bin/login has never supported the -f command line
option
  until Solaris 10 (RTFM) so this exploit was just plain not possible.
 
 That is not correct.  On a Solaris 8 box the -f option is accepted
without 
 error.

Which does not show that it's supported.  /bin/true accepts the -f
option, too.

 I don't have root so I can't verify that it does the right thing,

You're using a Solaris 8 system with no entry in /etc/passwd for UID 0?
Extraordinary.
 
 but at least as a normal user login -f asdfasdf does nothing

I haven't looked at the Solaris 10 login sources, but IIRC on AIX, this
bug required that the username be appended to the -f (-froot, not -f
root).

 while login without arguments presents a prompt.

And what does login -q asdfasdf do?  What about login -z asdfasdf?

(I know what they do on a couple of older Solaris boxes I happen to
have, but I'll leave this as an exercise for the reader.)

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus


Re: Re: Re: Solaris telnet vulnberability - how many on your network?

2007-02-17 Thread thefinn12345
I believe in the early 90's there was a serious problem discovered in intel 
chips that allowed certain standard code to be run to overflow programs 
arbitrarily and gain access to operating systems in an administrative capacity.

Also I remember the redhat (back in the day) repository being hacked and 
backdoored versions of programs being put into it. I believe this also happened 
to an early version of debian or fedora at some point also.

But I think you miss the point.

When they aren't preparing for security problems, the job of most security 
professionals is to observe and react to these kinds of security problems.

The observer will exploit anything you are lax on. Discarding a security 
concern because it doesn't seem important or of value to you is kinda stupid, 
you should probably go find some other kind of work. Everything is important, 
everything should be examined when and if possible. Thus the thread certainly 
has merit.

It really makes me giddy when I see posts by trolls saying that security 
through obscurity isn't really important, or that examining a possible act of 
malice WITHIN one of the companies that is giving you software is not really an 
important factor.

Even if it isn't an act of malice BY THEM, perhaps they have been hacked at the 
very top levels of their software storage or their source code itself. Perhaps 
something has gone wrong (what? no, couldn't be?).

Dismissing it is as stupid as dismissing the possibility that running some 
unnamed, unknown executable on your windows box isn't a problem.

Scary stuff. The job is to be paranoid. Not to be dismissive of those who ARE.

TheFinn.


Re: Re: Solaris telnet vulnberability - how many on your network?

2007-02-17 Thread Hugo van der Kooij

On Fri, 16 Feb 2007, jf wrote:


There have also been too many times in the past when they have been proven 
correct to ignore the possibility any longer.


Hi, in what instances has the conjecture that a bug was a deliberate
backdoor been proven correct?


If Peter is crying WOLF all the time, the one time he sees one, no one 
will notice it. That is how humans work.


If we start crying 'backdoor' all the time, who will notice it anymore if 
there truly is one? But until reasonable arguments based on code audits 
or other reliable sources are presented, we must assume that the other human 
quality prevailed: humans make errors. Even very silly ones at times.


Hugo.

--
[EMAIL PROTECTED]   http://hvdkooij.xs4all.nl/
This message is using 100% recycled electrons.


Re: Solaris telnet vulnberability - how many on your network?

2007-02-17 Thread Darren Reed
In some mail from [EMAIL PROTECTED], sie said:
 
 1) This seems like a case of old code somehow creeping back in to the 
 current versions, and that's a phenomenon I've seen happen at a couple of 
 different places that I've worked at over the years. It's kind of a 
 special case of version control gone bad, and I'm interested in how that 
 can happen and how to watch out for it.
 
 1a) People have said that this bug was in old versions of SunOS/Solaris 
 (and AIX I think) but nobody ever nailed down exactly when this was fixed, 
 versionwise. In fact, did anybody reproduce this in anything other than 
 Solaris 10? It'd be nice to know the last old version that has the bug,  
 the 1st that doesn't.

Solaris's /bin/login has never supported the -f command line option
until Solaris 10 (RTFM) so this exploit was just plain not possible.

The other avenue for passing command line args to telnet is through
the TERM telnet option, but Solaris stopped passing that through on
the command line a long time ago (maybe 2.3 or earlier?)

 2) Does this have anything to do with the OpenSolaris effort?

No.

 Like are people pulling in code from other sources?

More people should go back and read Casper's email where he explained
that it came about with a Kerberos project.

Darren


Re: Solaris telnet vulnberability - how many on your network?

2007-02-17 Thread Nate Eldredge

On Sat, 17 Feb 2007, Darren Reed wrote:


In some mail from [EMAIL PROTECTED], sie said:


1) This seems like a case of old code somehow creeping back in to the
current versions, and that's a phenomenon I've seen happen at a couple of
different places that I've worked at over the years. It's kind of a
special case of version control gone bad, and I'm interested in how that
can happen and how to watch out for it.

1a) People have said that this bug was in old versions of SunOS/Solaris
(and AIX I think) but nobody ever nailed down exactly when this was fixed,
versionwise. In fact, did anybody reproduce this in anything other than
Solaris 10? It'd be nice to know the last old version that has the bug, 
the 1st that doesn't.


Solaris's /bin/login has never supported the -f command line option
until Solaris 10 (RTFM) so this exploit was just plain not possible.


That is not correct.  On a Solaris 8 box the -f option is accepted without 
error.   I don't have root so I can't verify that it does the right thing, 
but at least as a normal user login -f asdfasdf does nothing while 
login without arguments presents a prompt.  So it exists and has some 
effect, notwithstanding the fact that it is not listed in the man 
page.  (RTFM isn't very helpful when it comes to undocumented features! 
:-)


$ uname -a
SunOS mybox 5.8 Generic_117350-44 sun4u sparc SUNW,Ultra-2
$ login
login: ^C
$ login -f asdfasdf
$ man login

NAME
 login - sign on to the system

SYNOPSIS
 login [ -p ]  [ -d device ]  [ -h hostname | [ terminal ]  |
 -r hostname ]  [   name  [ environ ]  ...  ]


The other avenue for passing command line args to telnet is through
the TERM telnet option, but Solaris stopped passing that through on
the command line a long time ago (maybe 2.3 or earlier?)


2) Does this have anything to do with the OpenSolaris effort?


No.


In fact, you can look in the OpenSolaris repository and see that the 
initial import of usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c already 
contained this bug.



Like are people pulling in code from other sources?


More people should go back and read Casper's email where he explained
that it came about with a Kerberos project.


I presume that refers only to the telnetd bug, and not to login -f.

--
Nate Eldredge
[EMAIL PROTECTED]


Re: Re: Re: Solaris telnet vulnberability - how many on your network?

2007-02-17 Thread Gadi Evron
On 16 Feb 2007 [EMAIL PROTECTED] wrote:
 I believe in the early 90's there was a serious problem discovered in intel 
 chips that allowed certain standard code to be run to overflow programs 
 arbitrarily and gain access to operating systems in an administrative 
 capacity.
 
 Also I remember the redhat (back in the day) repository being hacked and 
 backdoored versions of programs being put into it. I believe this also 
 happened to an early version of debian or fedora at some point also.
 
 But I think you miss the point.
 
 When they aren't preparing for security problems, the job of most security 
 professionals is to observe and react to these kinds of security problems.
 
 The observer will exploit anything you are lax on. Discarding a security 
 concern because it doesn't seem important or of value to you is kinda stupid, 
 you should probably go find some other kind of work. Everything is important, 
 everything should be examined when and if possible. Thus the thread certainly 
 has merit.

As mentioned in Reflections on Trusting Trust, you need to check
everything. Your code, the code of the OS loader, the OS, the compiler,
the motherboard... etc.

Only, this is about trust, and at some point you need to say: resources
and threat wise, my risk stops here. It is a risk and therefore I am
taking a chance.

You can't secure everything, but you definitely need to be aware of what
you do not secure.

As an example I like using, unrelated directly to coding, when building
secure networks with perimeters, people usually have two main choices on
one issue:

1. Secure the perimeter, everything inside it is secure.
2. Secure the perimeter, then secure what's inside.

There is no right or wrong, there is only what's right for you. The choice
is not always easy.

I'd normally strive for #2, but can't always choose it for obvious
reasons.

 It really makes me giddy when I see posts by trolls saying that security 
 through obscurity isn't really important, or that examining a possible act of 
 malice WITHIN one of the companies that is giving you software is not really 
 an important factor.

Security by obscurity works (although a lot more often when employed when
attacking, for the attacking side protecting itself).

Security by obscurity is an amazing tool, but when used alone it is
useless, as when it is blown to bits, nothing remains to protect you. It
must be a part of your arsenal, not the sole defender.

 Even if it isn't an act of malice BY THEM, perhaps they have been hacked at 
 the very top levels of their software storage or their source code itself. 
 Perhaps something has gone wrong (what? no, couldn't be?).
 
 Dismissing it is as stupid as dismissing the possibility that running some 
 unnamed, unknown executable on your windows box isn't a problem.
 
 Scary stuff. The job is to be paranoid. Not to be dismissive of those who 
 ARE.
 
 TheFinn.
 



Re: Solaris telnet vulnberability - how many on your network?

2007-02-17 Thread Brandon Butterworth
 I have to wonder if the old bug complaints are coming in reference to
 one of the following:
 
 http://www.securityfocus.com/bid/3064/info
 http://www.securityfocus.com/bid/5531/info

My dejavu was of
http://www.cert.org/advisories/CA-1994-09.html

It wasn't hard to find in old email, google is
good too.

brandon


Re: RE: Re: Solaris telnet vulnberability - how many on your network?

2007-02-16 Thread thefinn12345
http://www.acm.org/classics/sep95/
Thanks to Cromar Scott for the link.

Great anecdotes there.

I especially liked his comments about companies: "You cannot trust code that you 
didn't totally create yourself. (Especially code from companies that employ 
people like me)."

Exactly the thought that gives me that particular part of the reason - basis 
for postulation. It's called history.

Intent of malice by a company employee for any of the major software and 
hardware distributors is a possibility at all times just as any other security 
issue is. I won't ignore it or not talk about it because of a possibility of 
libel, stupidity, ignorance or trolls.

Neither should anyone else.

What is the big deal with this particular sticking point?

The justification for the question is glaring.

Any fundamental security doctrine requires us to take into account the 
possibility.

TF.


Re: RE: Re: Re: Solaris telnet vulnberability - how many on your network?

2007-02-16 Thread thefinn12345
I wonder if that's the attitude the NSA and CIA had before the world trade 
centre came down ?

The idea isn't world domination via telnet, but infamy via one malicious act.

You cannot ever really trust code that you don't write yourself.

You can run around with fantasies of world domination via telnet if you wish. 
Take the thread wherever you like. I don't ever remember mentioning it or even 
hinting at it.

The fundamental issue in computer security is that you are looking for the 
exception, not the standard.

You keep replying that the standard is so high the exception will never take 
place.

This is fundamentally flawed as an argument not to keep looking at this 
potential problem over the years.

You're a fool. I won't waste any more time on you.

TF.


Re: Re: Re: Solaris telnet vulnberability - how many on your network?

2007-02-16 Thread jf

 I believe in the early 90's there was a serious problem discovered in intel 
 chips that allowed certain standard code to be run
 to overflow programs arbitrarily and gain access to operating systems in
 an administrative capacity.

 Also I remember the redhat (back in the day) repository being hacked and 
 backdoored versions of programs being put into it.
 I believe this also happened to an early version of debian or fedora at
 some point also.

And how does this relate to Sun purposely putting a backdoor into their
telnet service, as that was the suggestion, not a rogue attacker invading
a CVS/FTP server and patching the source.


 But I think you miss the point.

No, I think you're changing it to suit your purposes.

 Scary stuff. The job is to be paranoid. Not to be dismissive of those who 
 ARE.

I'm being dismissive of those of you who would prefer to believe that this
is something that was put into the source on purpose by Sun as opposed to
a developer's mistake, Occam's razor and all that. There is a difference between
paranoia and utter absurdity, and the (serious) suggestion that this was a
bug placed on purpose by Sun crosses that line. It was a silly bug
accidentally placed by (most likely) an engineer at Sun who will never live
it down, not some stupid attempt at world domination via telnet.


Re: Solaris telnet vulnberability - how many on your network?

2007-02-16 Thread greimer


Let's taper off this thread.  It's getting downright boring.

Thanks,
Anthony Nemmer

	We are kind of going around and around, but there's a couple of 
aspects to this that haven't even been talked about:


1) This seems like a case of old code somehow creeping back in to the 
current versions, and that's a phenomenon I've seen happen at a couple of 
different places that I've worked at over the years. It's kind of a 
special case of version control gone bad, and I'm interested in how that 
can happen and how to watch out for it.


1a) People have said that this bug was in old versions of SunOS/Solaris 
(and AIX I think) but nobody ever nailed down exactly when this was fixed, 
versionwise. In fact, did anybody reproduce this in anything other than 
Solaris 10? It'd be nice to know the last old version that has the bug,  
the 1st that doesn't.


2) Does this have anything to do with the OpenSolaris effort? Like are 
people pulling in code from other sources?


Yours,

(George) Kurt Reimer
Fox Chase Cancer Center



Re: Solaris telnet vulnberability - how many on your network?

2007-02-16 Thread Anthony R. Nemmer

Let's taper off this thread.  It's getting downright boring.

Thanks,
Anthony Nemmer

jf wrote:

I believe in the early 90's there was a serious problem discovered in intel 
chips that allowed certain standard code to be run
to overflow programs arbitrarily and gain access to operating systems in
an administrative capacity.

Also I remember the redhat (back in the day) repository being hacked and 
backdoored versions of programs being put into it.
I believe this also happened to an early version of debian or fedora at
some point also.


And how does this relate to Sun purposely putting a backdoor into their
telnet service, as that was the suggestion, not a rogue attacker invading
a CVS/FTP server and patching the source.



But I think you miss the point.


No, I think you're changing it to suit your purposes.


Scary stuff. The job is to be paranoid. Not to be dismissive of those who ARE.


I'm being dismissive of those of you who would prefer to believe that this
is something that was put into the source on purpose by Sun as opposed to
a developer's mistake, Occam's razor and all that. There is a difference between
paranoia and utter absurdity, and the (serious) suggestion that this was a
bug placed on purpose by Sun crosses that line. It was a silly bug
accidentally placed by (most likely) an engineer at Sun who will never live
it down, not some stupid attempt at world domination via telnet.





--

I always have coffee when I watch radar!


RE: Re: Re: Solaris telnet vulnberability - how many on your network?

2007-02-16 Thread jf
sure, of course when you contort reality to where college pranks are the
same as vast corporate conspiracies then I'm sure you will find plenty of
examples, I however meant *real* ones, not what a college student did to
another for fun.


-- 

Success is not final, failure is not fatal:
it is the courage to continue that counts.

-- Sir Winston Churchill

On Fri, 16 Feb 2007, Cromar Scott wrote:

 Date: Fri, 16 Feb 2007 00:34:30 -0500
 From: Cromar Scott [EMAIL PROTECTED]
 To: jf [EMAIL PROTECTED], [EMAIL PROTECTED]
 Cc: bugtraq@securityfocus.com
 Subject: RE: ***PossibleSPAM*** Re: Re: Solaris telnet vulnberability - how
 many on your network?

 Ken Thompson pulled a famous prank back in the old days.  He refers to
 it in the following:

  http://www.acm.org/classics/sep95/

 I've heard a few different versions of this story, some of which would
 fit your requirements.

 --Scott

 -Original Message-
 From: jf [mailto:[EMAIL PROTECTED]
 Sent: Friday, February 16, 2007 12:28 AM
 To: [EMAIL PROTECTED]
 Cc: bugtraq@securityfocus.com
 Subject: ***PossibleSPAM*** Re: Re: Solaris telnet vulnberability - how
 many on your network?

  There have also been too many times in the past when they have been
 proven correct to ignore the possibility any longer.

 Hi, in what instances has the conjecture that a bug was a deliberate
 backdoor been proven correct?








Re: Solaris telnet vulnberability - how many on your network?

2007-02-15 Thread Damien Miller
On Tue, 13 Feb 2007, Gadi Evron wrote:

 We all agree it is not a very likely possibility, but I wouldn't rule it
 out completely just yet until more information from Sun becomes
 available.

What more information do you need? You have an advisory, access to the
source code, access to the change that resolved the problem and 
patient conversations with a very patient Casper Dik.

The onus is on you to demonstrate how this could be a backdoor.
Otherwise you are asking Sun to prove a negative.

IMO fixing security bugs at short notice is painful enough without
people like yourself and Steve Gibson casting assertions of malice.

-d


Re: Solaris telnet vulnberability - how many on your network?

2007-02-15 Thread thefinn12345
wow reminds me of back in the day ... haven't seen one of these in years.

Thefinn


Re: Re: Solaris telnet vulnberability - how many on your network?

2007-02-15 Thread thefinn12345
On Tue, 13 Feb 2007, Gadi Evron wrote:

 We all agree it is not a very likely possibility, but I wouldn't rule it
 out completely just yet until more information from Sun becomes
 available.

What more information do you need? You have an advisory, access to the
source code, access to the change that resolved the problem and
patient conversations with a very patient Casper Dik.

The onus is on you to demonstrate how this could be a backdoor.
Otherwise you are asking Sun to prove a negative.

IMO fixing security bugs at short notice is painful enough without
people like yourself and Steve Gibson casting assertions of malice.

The price of freedom is eternal vigilance.

Assertions of malice are a good thing. Keeps people on their toes and thinking 
about it.

There have also been too many times in the past when they have been proven 
correct to ignore the possibility any longer.

TheFinn.


Re: Solaris telnet vulnberability - how many on your network?

2007-02-15 Thread Darren Reed
In some mail from Joe Shamblin, sie said:
 How about just uncommenting the following from /etc/default/login
 
 # If CONSOLE is set, root can only login on that device.
 # Comment this line out to allow remote login by root.
 #
 CONSOLE=/dev/console
 
 Not a fix to be sure, but at least prevents a remote login.

This only controls access to the account known as root.

I'll wager that there are other accounts you could use this
to get access to (that you shouldn't be able to) which could
lead to various sorts of security issues.

Darren


RE: Re: Solaris telnet vulnberability - how many on your network?

2007-02-15 Thread Roger A. Grimes
A public, false assertion of malice is called libel. 

The great and needed social role that the glaring light of the public
gets to wield to hold others accountable requires that public allegations
have at least some reasonable basis, backed by evidence, for their
postulation.

The American

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 15, 2007 10:07 AM
To: bugtraq@securityfocus.com
Subject: Re: Re: Solaris telnet vulnberability - how many on your
network?

On Tue, 13 Feb 2007, Gadi Evron wrote:

IMO fixing security bugs at short notice is painful enough without 
people like yourself and Steve Gibson casting assertions of malice.

The price of freedom is eternal vigilance.

Assertions of malice are a good thing. Keeps people on their toes and
thinking about it.

There have also been too many times in the past when they have been
proven correct to ignore the possibility any longer.

TheFinn.


Re: Re: Solaris telnet vulnberability - how many on your network?

2007-02-15 Thread jf
 There have also been too many times in the past when they have been proven 
 correct to ignore the possibility any longer.

Hi, in what instances has the conjecture that a bug was a deliberate
backdoor been proven correct?


Re: Solaris telnet vulnberability - how many on your network?

2007-02-14 Thread Casper . Dik

 The simplest possible fix on such short notice:
 
 http://cvs.opensolaris.org/source/diff/onnv/onnv-gate/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c?r2=3629&r1=2923
 
 Casper


How about just uncommenting the following from /etc/default/login

# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
#
CONSOLE=/dev/console

Not a fix to be sure, but at least prevents a remote login.

That is the default; and preventing root logins does not prevent
other logins.

svcadm disable telnet is the best fix (and there's really no
reason to enable it)

Casper


Re: Solaris telnet vulnberability - how many on your network?

2007-02-14 Thread Joe Shamblin

[EMAIL PROTECTED] wrote:

On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:

On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:

Am I missing something?  This vulnerability is close to 10 years old.
It was in one of the first versions of Solaris after Sun moved off of
the SunOS BSD platform and over to SysV.  It has specifically to do with
how arguments are processed via getopt() if I recall correctly.

You're confused with AIX/Linux

Solaris did not have the -f option in login until much later.

Hi Casper. While we have you here, any idea on when Sun will be patching
this issue?

Now, follow the links from http://sunsolve.sun.com/tpatches

Casper


Many thanks Casper! Can you give some more information on exactly what is
patched. Any Sun released advisory?



The simplest possible fix on such short notice:

http://cvs.opensolaris.org/source/diff/onnv/onnv-gate/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c?r2=3629&r1=2923

Casper



How about just uncommenting the following from /etc/default/login

# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
#
CONSOLE=/dev/console

Not a fix to be sure, but at least prevents a remote login.

Joe
--
Joe Shamblin[EMAIL PROTECTED]
Senior Systems Administrator Department of Computer Science
(919) 660-6582  Duke University


Re: Solaris telnet vulnberability - how many on your network?

2007-02-14 Thread Leandro Gelasi
On Monday 12 February 2007 07:00, Gadi Evron wrote:
 Update from HD Moore:
 but this bug isn't -froot, it's -fanythingbutroot =P
Confirmed.

If the server permits logins from outside (maybe via SSH only - protection 
provided by a local or network) and has telnetd enabled, any user can log in 
as another user with no password. I mean:

$ ssh [EMAIL PROTECTED]
password: 
[EMAIL PROTECTED]$ telnet -l -fuser2 localhost
no pass required
[EMAIL PROTECTED]

On my Solaris 10 server I wasn't able to obtain root privileges this way, 
trying:

$telnet -l -froot localhost (or IP from the local net)

I got:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Not on system console
Connection to localhost closed by foreign host.


It seems that root cannot log in on non-system consoles. This server hosts 
SunRay Server Software 3.1; maybe the different configuration is coming from 
there.

See you

LG

--  
**
Leandro Gelasi
email : [EMAIL PROTECTED]
Gilles Villeneuve will live forever
**
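Leandro Gelasi's `telnet -l -fuser2 localhost` above and the ISC's `telnet -l -froot` reach the server the same way: the telnet client carries the -l name as the USER variable of the NEW-ENVIRON option (RFC 1572), and the server hands that value on to login. The following is an added example, not code from the thread or from Sun: a parser for telnet suboption negotiation that decodes NEW-ENVIRON and flags USER values beginning with '-', the check an IDS signature or a hardened telnetd would make on the wire side before the argv is ever built. The sample byte stream is constructed, not captured, and that the client conveys -l through NEW-ENVIRON rather than the older ENVIRON option (36) is an assumption of this example.

```python
"""Added example, not from the thread: decode telnet NEW-ENVIRON (RFC 1572)
and flag USER values that would be re-parsed as options by login(1).
Sample traffic below is constructed; option numbers are from the RFCs."""

IAC, SB, SE = 255, 250, 240          # telnet command bytes (RFC 854)
NEW_ENVIRON = 39                      # option number (RFC 1572)
IS, SEND, INFO = 0, 1, 2              # NEW-ENVIRON subcommands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3 # NEW-ENVIRON field markers


def iter_suboptions(stream: bytes):
    """Yield (option, payload) for each IAC SB <opt> ... IAC SE in a stream.
    A doubled IAC inside the payload is a literal 0xff and is unescaped."""
    i, n = 0, len(stream)
    while i < n - 1:
        if stream[i] == IAC and stream[i + 1] == SB:
            opt, payload, j = stream[i + 2], bytearray(), i + 3
            while j < n:
                b = stream[j]
                if b == IAC and j + 1 < n:
                    if stream[j + 1] == IAC:
                        payload.append(IAC); j += 2; continue
                    if stream[j + 1] == SE:
                        j += 2; break
                payload.append(b); j += 1
            yield opt, bytes(payload)
            i = j
        else:
            i += 1   # other IAC commands (DO/WILL/...) are not suboptions


def parse_new_environ(payload: bytes) -> dict:
    """Decode an IS/INFO payload into {name: value}; a VAR sent without a
    VALUE maps to None. ESC quotes the byte that follows it."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    fields, kind, buf, i = [], None, bytearray(), 1
    while i < len(payload):
        b = payload[i]
        if b == ESC and i + 1 < len(payload):
            buf.append(payload[i + 1]); i += 2; continue
        if b in (VAR, USERVAR, VALUE):
            if kind is not None:
                fields.append((kind, bytes(buf)))
            kind, buf = b, bytearray()
        else:
            buf.append(b)
        i += 1
    if kind is not None:
        fields.append((kind, bytes(buf)))
    env, name = {}, None
    for kind, data in fields:
        if kind in (VAR, USERVAR):
            name = data.decode("latin-1")
            env[name] = None
        elif kind == VALUE and name is not None:
            env[name] = data.decode("latin-1")
            name = None
    return env


def suspicious_user_values(stream: bytes) -> list:
    """USER values starting with '-' : placed as a bare argv element they
    become options to login, the -froot / -fanythingbutroot pattern."""
    hits = []
    for opt, payload in iter_suboptions(stream):
        if opt == NEW_ENVIRON:
            user = parse_new_environ(payload).get("USER")
            if user is not None and user.startswith("-"):
                hits.append(user)
    return hits


def encode_new_environ_is(pairs) -> bytes:
    """Client side: IAC SB NEW-ENVIRON IS (VAR name VALUE value)* IAC SE,
    escaping IAC and the four field markers so the round trip is exact."""
    def esc(s: str) -> bytes:
        out = bytearray()
        for b in s.encode("latin-1"):
            if b == IAC:
                out += bytes([IAC, IAC])
            elif b in (VAR, VALUE, ESC, USERVAR):
                out += bytes([ESC, b])
            else:
                out.append(b)
        return bytes(out)
    body = bytes([IS])
    for name, value in pairs:
        body += bytes([VAR]) + esc(name) + bytes([VALUE]) + esc(value)
    return bytes([IAC, SB, NEW_ENVIRON]) + body + bytes([IAC, SE])


# Constructed sample: DO/WILL NEW-ENVIRON, then what `telnet -l -froot host`
# would send, followed by a benign client on the same stream.
SAMPLE_STREAM = (bytes([IAC, 253, NEW_ENVIRON, IAC, 251, NEW_ENVIRON])
                 + encode_new_environ_is([("USER", "-froot"), ("DISPLAY", "x:0")])
                 + encode_new_environ_is([("USER", "alice")]))

if __name__ == "__main__":
    print(suspicious_user_values(SAMPLE_STREAM))   # ['-froot']
```

The same decoder serves both sides: a server that refuses a USER beginning with '-' before spawning login closes the argv path, and a sensor that runs suspicious_user_values() over port 23 traffic sees the attempt whether or not the target is patched.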


RE: Solaris telnet vulnberability - how many on your network?

2007-02-13 Thread Oliver Friedrichs

Gadi,

It looks like I was confused, this actually affected AIX and Linux in
1994:

http://www.securityfocus.com/bid/458/info
http://www.cert.org/advisories/CA-1994-09.html

Oliver

-Original Message-
From: Gadi Evron [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 13, 2007 1:46 AM
To: Oliver Friedrichs
Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: RE: Solaris telnet vulnberability - how many on your network?

On Mon, 12 Feb 2007, Oliver Friedrichs wrote:
 
 Am I missing something?  This vulnerability is close to 10 years old.
 It was in one of the first versions of Solaris after Sun moved off of 
 the SunOS BSD platform and over to SysV.  It has specifically to do 
 with how arguments are processed via getopt() if I recall correctly.

Hey Oliver! :)

Well then, I guess it just became new again. And to be honest, I have to
agree with a previous poster and suspect (only suspect) it could somehow
be a backdoor rather than a bug.

The reason why this vulnerability is so critical is the number of
networks and organizations which rely on Solaris for critical production
servers, as well as use telnet for internal communication on their LAN
(now how smart is that? I'd rather use telnet on the Internet than on a
local LAN).

Further, there are quite a few third party appliances (some
infrastructure back-end) that can not easily be patched running on
Solaris (forget fuzzing or VA, people never even NMAP appliances they
buy).

I am unsure of how long we will see this in to-do items of corporate
security teams around the world, but I am sure Sun's /8 is getting a lot
of action recently.

 
 Oliver

Gadi.

 
 -Original Message-
 From: Gadi Evron [mailto:[EMAIL PROTECTED]
 Sent: Sunday, February 11, 2007 10:01 PM
 To: bugtraq@securityfocus.com
 Cc: full-disclosure@lists.grok.org.uk
 Subject: Solaris telnet vulnberability - how many on your network?
 
 Johannes Ullrich from the SANS ISC sent this to me and then I saw it 
 on the DSHIELD list:
 
 
 If you run Solaris, please check if you got telnet enabled NOW. If you
 can, block port 23 at your perimeter. There is a fairly trivial
 Solaris telnet 0-day.
 
 telnet -l -froot [hostname]
 
 will give you root on many Solaris systems with default installs
 We are still testing. Please use our contact form at
 https://isc.sans.org/contact.html
 if you have any details about the use of this exploit.
 
 
 You mean they still use telnet?!
 
 Update from HD Moore:
 but this bug isn't -froot, it's -fanythingbutroot =P
 
 On the exploits@ mailing list and on DSHIELD this vulnerability was 
 verified as real.
 
 If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it
 a strong suggestion.
 
 Anyone else running Solaris?
 
   Gadi.
 
 



RE: Solaris telnet vulnberability - how many on your network?

2007-02-13 Thread Gadi Evron
On Mon, 12 Feb 2007, Oliver Friedrichs wrote:
 
 Am I missing something?  This vulnerability is close to 10 years old.
 It was in one of the first versions of Solaris after Sun moved off of
 the SunOS BSD platform and over to SysV.  It has specifically to do with
 how arguments are processed via getopt() if I recall correctly.

Hey Oliver! :)

Well then, I guess it just became new again. And to be honest, I have to
agree with a previous poster and suspect (only suspect) it could somehow
be a backdoor rather than a bug.

The reason why this vulnerability is so critical is the number of networks
and organizations which rely on Solaris for critical production servers,
as well as use telnet for internal communication on their LAN (now how
smart is that? I'd rather use telnet on the Internet than on a local LAN).

Further, there are quite a few third party appliances (some
infrastructure back-end) that can not easily be patched running on
Solaris (forget fuzzing or VA, people never even NMAP appliances they
buy).

I am unsure of how long we will see this in to-do items of corporate
security teams around the world, but I am sure Sun's /8 is getting a lot
of action recently.

 
 Oliver 

Gadi.

 
 -Original Message-
 From: Gadi Evron [mailto:[EMAIL PROTECTED] 
 Sent: Sunday, February 11, 2007 10:01 PM
 To: bugtraq@securityfocus.com
 Cc: full-disclosure@lists.grok.org.uk
 Subject: Solaris telnet vulnerability - how many on your network?
 
 Johannes Ullrich from the SANS ISC sent this to me and then I saw it on
 the DSHIELD list:
 
 
 If you run Solaris, please check if you got telnet enabled NOW. If
 you
 can, block port 23 at your perimeter. There is a fairly trivial
 Solaris telnet 0-day.
 
 telnet -l -froot [hostname]
 
 will give you root on many Solaris systems with default installs
 We are still testing. Please use our contact form at
 https://isc.sans.org/contact.html
 if you have any details about the use of this exploit.
 
 
 You mean they still use telnet?!
 
 Update from HD Moore:
 but this bug isn't -froot, it's -fanythingbutroot =P
 
 On the exploits@ mailing list and on DSHIELD this vulnerability was
 verified as real.
 
 If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it a
 strong suggestion.
 
 Anyone else running Solaris?
 
   Gadi.
 
 



RE: Solaris telnet vulnerability - how many on your network?

2007-02-13 Thread Gadi Evron
On Tue, 13 Feb 2007, Oliver Friedrichs wrote:
 
 Gadi,
 
 It looks like I was confused, this actually affected AIX and Linux in
 1994:
 
 http://www.securityfocus.com/bid/458/info
 http://www.cert.org/advisories/CA-1994-09.html

Same same but with rlogin, as someone mentioned on DSHIELD.

Gadi.

 
 Oliver
 
 -Original Message-
 From: Gadi Evron [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, February 13, 2007 1:46 AM
 To: Oliver Friedrichs
 Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
 Subject: RE: Solaris telnet vulnerability - how many on your network?
 
 On Mon, 12 Feb 2007, Oliver Friedrichs wrote:
  
  Am I missing something?  This vulnerability is close to 10 years old.
  It was in one of the first versions of Solaris after Sun moved off of 
  the SunOS BSD platform and over to SysV.  It has specifically to do 
  with how arguments are processed via getopt() if I recall correctly.
 
 Hey Oliver! :)
 
 Well then, I guess it just became new again. And to be honest, I have to
 agree with a previous poster and suspect (only suspect) it could somehow
 be a backdoor rather than a bug.
 
 The reason why this vulnerability is so critical is the number of
 networks and organizations which rely on Solaris for critical production
 servers, as well as use telnet for internal communication on their LAN
 (now how smart is that? I'd rather use telnet on the Internet than on a
 local LAN).
 
 Further, there are quite a few third party appliances (some
 infrastructure back-end) that can not easily be patched running on
 Solaris (forget fuzzing or VA, people never even NMAP appliances they
 buy).
 
 I am unsure of how long we will see this in to-do items of corporate
 security teams around the world, but I am sure Sun's /8 is getting a lot
 of action recently.
 
  
  Oliver
 
   Gadi.
 
  
  -Original Message-
  From: Gadi Evron [mailto:[EMAIL PROTECTED]
  Sent: Sunday, February 11, 2007 10:01 PM
  To: bugtraq@securityfocus.com
  Cc: full-disclosure@lists.grok.org.uk
  Subject: Solaris telnet vulnerability - how many on your network?
  
  Johannes Ullrich from the SANS ISC sent this to me and then I saw it 
  on the DSHIELD list:
  
  
  If you run Solaris, please check if you got telnet enabled NOW. If you
  can, block port 23 at your perimeter. There is a fairly trivial
  Solaris telnet 0-day.
  
  telnet -l -froot [hostname]
  
  will give you root on many Solaris systems with default installs
  We are still testing. Please use our contact form at
  https://isc.sans.org/contact.html
  if you have any details about the use of this exploit.
  
  
  You mean they still use telnet?!
  
  Update from HD Moore:
  but this bug isn't -froot, it's -fanythingbutroot =P
  
  On the exploits@ mailing list and on DSHIELD this vulnerability was 
  verified as real.
  
  If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it
  a strong suggestion.
  
  Anyone else running Solaris?
  
  Gadi.
  
  
 
 



Re: Solaris telnet vulnerability - how many on your network?

2007-02-13 Thread Casper . Dik


Am I missing something?  This vulnerability is close to 10 years old.
It was in one of the first versions of Solaris after Sun moved off of
the SunOS BSD platform and over to SysV.  It has specifically to do with
how arguments are processed via getopt() if I recall correctly.

You're confused with AIX/Linux

Solaris did not have the -f option in login until much later.

Casper


RE: Solaris telnet vulnerability - how many on your network?

2007-02-13 Thread Michal Zalewski
On Tue, 13 Feb 2007, Gadi Evron wrote:

 I have to agree with a previous poster and suspect (only suspect) it
 could somehow be a backdoor rather than a bug.

You're attributing malice to what could be equally well (or better!)
explained by incompetence or gross negligence. The latter two haunt large
companies far more often, compared to sinister conspiracies.

Yeah, a backdoor is a remote possibility. But it's also an arbitrary and
needlessly complex one. Maybe it's a nefarious plot by our UFO-appointed
shadow government, but chances are, it's not (they have better things to
do today).

Keep that in mind: when risking so much, of all the places to put a covert
backdoor to use for years to come, pulling out a known flaw that will be
spotted by many existing vulnerability scanners, and putting it in a
service that is often disabled as obsolete and generally unreachable from
the outside world, doesn't really make that much sense.

Unless, of course, it's a sabotage attempt orchestrated by a joint team of
IBM and SCO developers... now, that begins to make sense..

/mz


Re: Solaris telnet vulnerability - how many on your network?

2007-02-13 Thread georg . oppenberg
Hi,

Solaris is now Open Source, so you can see yourself at
http://cvs.opensolaris.org/source/diff/onnv/onnv-gate/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c?r2=3629&r1=2923
what the problem and its resolution are.
There are also the blogs by Alan Hargreaves from SUN Australia at 
http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit
and by Dan McDonald from SUN at 
http://blogs.sun.com/danmcd/entry/how_opensolaris_did_its_job
describing how this vulnerability was first reported, fixed and alerts 
and patches provided.

This is a big mistake but I see no reason to think of backdoors and 
age-old problems on other OSes any longer. On the contrary I can see 
the huge progress SUN has made and is making in regards to security and 
openness.
  
Cheers 
Georg Oppenberg

 On Mon, 12 Feb 2007, Oliver Friedrichs wrote:
  
  Am I missing something?  This vulnerability is close to 10 years old.
  It was in one of the first versions of Solaris after Sun moved off of
  the SunOS BSD platform and over to SysV.  It has specifically to do with
  how arguments are processed via getopt() if I recall correctly.
 
 Hey Oliver! :)
 
 Well then, I guess it just became new again. And to be honest, I have to
 agree with a previous poster and suspect (only suspect) it could somehow
 be a backdoor rather than a bug.
 
 The reason why this vulnerability is so critical is the number of networks
 and organizations which rely on Solaris for critical production servers,
 as well as use telnet for internal communication on their LAN (now how
 smart is that? I'd rather use telnet on the Internet than on a local LAN).
 
 Further, there are quite a few third party appliances (some
 infrastructure back-end) that can not easily be patched running on
 Solaris (forget fuzzing or VA, people never even NMAP appliances they
buy).
 
 I am unsure of how long we will see this in to-do items of corporate
 security teams around the world, but I am sure Sun's /8 is getting a lot
 of action recently.
 
  
  Oliver 
 
   Gadi.
 




Re: Solaris telnet vulnerability - how many on your network?

2007-02-13 Thread Gadi Evron
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
 
 
 Am I missing something?  This vulnerability is close to 10 years old.
 It was in one of the first versions of Solaris after Sun moved off of
 the SunOS BSD platform and over to SysV.  It has specifically to do with
 how arguments are processed via getopt() if I recall correctly.
 
 You're confused with AIX/Linux
 
 Solaris did not have the -f option in login until much later.

Hi Casper. While we have you here, any idea on when Sun will be patching
this issue?

Many thanks,

Gadi.



Re: Solaris telnet vulnerability - how many on your network?

2007-02-13 Thread Gadi Evron
On Tue, 13 Feb 2007, Gadi Evron wrote:
 On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
  
  On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
   
   
   Am I missing something?  This vulnerability is close to 10 years old.
   It was in one of the first versions of Solaris after Sun moved off of
   the SunOS BSD platform and over to SysV.  It has specifically to do with
   how arguments are processed via getopt() if I recall correctly.
   
   You're confused with AIX/Linux
   
   Solaris did not have the -f option in login until much later.
  
  Hi Casper. While we have you here, any idea on when Sun will be patching
  this issue?
  
  Now, follow the links from http://sunsolve.sun.com/tpatches
  
  Casper
  
 
 Many thanks Casper! Can you give some more information on exactly what is
 patched. Any Sun released advisory?

Specifically, more than:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1&searchclause=%22category:security%22%2420%22availability,%2420security%22%2420category:security

Because of the wide implications of this particular issue?

Also, any idea on how this vulnerability was introduced?

Thanks again,

Gadi.



Re: Solaris telnet vulnerability - how many on your network?

2007-02-13 Thread Casper . Dik

On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
 
 On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
  
  
  Am I missing something?  This vulnerability is close to 10 years old.
  It was in one of the first versions of Solaris after Sun moved off of
  the SunOS BSD platform and over to SysV.  It has specifically to do with
  how arguments are processed via getopt() if I recall correctly.
  
  You're confused with AIX/Linux
  
  Solaris did not have the -f option in login until much later.
 
 Hi Casper. While we have you here, any idea on when Sun will be patching
 this issue?
 
 Now, follow the links from http://sunsolve.sun.com/tpatches
 
 Casper
 

Many thanks Casper! Can you give some more information on exactly what is
patched. Any Sun released advisory?


The simplest possible fix on such short notice:

http://cvs.opensolaris.org/source/diff/onnv/onnv-gate/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c?r2=3629&r1=2923

Casper
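The bug behind the thread's `telnet -l -froot` one-liner is an argument-injection one: the username the telnet client supplies (sent as the USER variable of the NEW-ENVIRON option, RFC 1572) reaches login as a positional argument, and login's getopt reads `-froot` as `-f root`. The following Python is an added example, not the code from the diff Casper links, showing the defender-side check a telnet server needs: parse the NEW-ENVIRON suboption and refuse a USER value that login would treat as an option. The option codes are RFC 1572's; the acceptable-username pattern and the sample bytes are assumptions constructed for this example.

```python
import re

# Telnet NEW-ENVIRON option (RFC 1572) codes used inside IAC SB 39 ... IAC SE
ENV_IS, ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 0, 1, 2, 3

# Assumed policy for acceptable account names (constructed for this example)
SAFE_USER = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def _read_token(sub: bytes, i: int):
    """Read a name or value up to the next VAR/VALUE/USERVAR; ESC quotes a byte."""
    out = bytearray()
    while i < len(sub) and sub[i] not in (ENV_VAR, ENV_VALUE, ENV_USERVAR):
        if sub[i] == ENV_ESC:
            i += 1
        if i < len(sub):
            out.append(sub[i])
        i += 1
    return bytes(out), i


def parse_new_environ(sub: bytes) -> dict:
    """Return {name: value} from the suboption payload between IAC SB NEW-ENVIRON
    and IAC SE; the client's reply to the server's SEND starts with IS."""
    if not sub or sub[0] != ENV_IS:
        raise ValueError("expected NEW-ENVIRON IS")
    env, i = {}, 1
    while i < len(sub):
        if sub[i] not in (ENV_VAR, ENV_USERVAR):
            raise ValueError("expected VAR/USERVAR at offset %d" % i)
        name, i = _read_token(sub, i + 1)
        value = b""
        if i < len(sub) and sub[i] == ENV_VALUE:
            value, i = _read_token(sub, i + 1)
        env[name.decode("latin-1")] = value.decode("latin-1")
    return env


def login_user_is_safe(user: str) -> bool:
    """login(1) parses argv with getopt, so a name starting with '-' ('-froot')
    is read as options ('-f root'); only pass plain account names through."""
    return bool(SAFE_USER.match(user))


def classify(sub: bytes) -> str:
    """'reject' when the USER value must not be handed to login, else 'ok'."""
    user = parse_new_environ(sub).get("USER", "")
    return "reject" if user and not login_user_is_safe(user) else "ok"


# Constructed sample: the USER reply that `telnet -l -froot host` would send
SAMPLE = bytes([ENV_IS, ENV_VAR]) + b"USER" + bytes([ENV_VALUE]) + b"-froot"
```

HD Moore's note that any `-f<user>` other than root works follows from the same parse: the check here rejects every leading-dash name rather than special-casing root.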


Re: Solaris telnet vulnerability - how many on your network?

2007-02-13 Thread Casper . Dik

Yeah, a backdoor is a remote possibility. But it's also an arbitrary and
needlessly complex one. Maybe it's a nefarious plot by our UFO-appointed
shadow government, but chances are, it's not (they have better things to
do today).

And one which was too easy to discover; real back doors are better
masqueraded as buffer overflows you might not chance upon.

Casper