Root access through bug in Solaris Telnet
A bug in Solaris telnetd can be exploited by an attacker to obtain access with root privileges. kcope has published a script illustrating how simple it is for an attacker to exploit the vulnerability. Solaris 5.10 and 5.11 are affected.
If the user enters an account name as the User environment variable (switch -f in the telnet command), telnetd passes the data to the login routine and relies on login to check the access data. However, if an attacker supplies an account name with root privileges, no further authentication is carried out and the user obtains access to the computer.
Solaris administrators should block Telnet access completely or restrict it to trusted computers. Telnet has been considered insecure for more than a decade: the plain-text communication between client and server makes it simple for an attacker to listen in and thus gain access to confidential access data, or even hijack complete telnet sessions.
- SunOS 5.10/5.11 in.telnetd Remote Exploit, security advisory from kcope with demo exploit (PDF file)
(trk)