In association with heise online

12 February 2007, 12:18

Root access through bug in Solaris Telnet

A bug in Solaris telnetd can be exploited by an attacker to obtain access with root privileges. kcope has published a script illustrating how simple it is for an attacker to exploit the vulnerability. Solaris 5.10 and 5.11 are affected.

If the user enters an account name as the User environment variable (switch -f in the telnet command), telnetd passes the data to the login routine and relies on login to check the access data. However, if an attacker supplies an account name with root privileges, no further authentication is carried out and the user obtains access to the computer.
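As a detection aid for the behaviour described above, this added example (not part of the original article or of the published script) scans a reassembled client-to-server Telnet byte stream for a USER value that begins with a dash and would therefore reach login looking like a switch. It assumes the account name travels in a NEW-ENVIRON subnegotiation (RFC 1572), which the article does not spell out; the function names and the sample frame builder are constructed for illustration.

```python
IAC, SB, SE, NEW_ENVIRON = 255, 250, 240, 39   # RFC 854 / RFC 1572 option codes
IS, INFO, VAR, VALUE, ESC, USERVAR = 0, 2, 0, 1, 2, 3  # RFC 1572 commands and field markers

def subnegotiations(stream: bytes):
    """Yield the body of every complete IAC SB NEW-ENVIRON ... IAC SE block."""
    start = bytes([IAC, SB, NEW_ENVIRON])
    pos = stream.find(start)
    while pos != -1:
        i, body = pos + 3, bytearray()
        while i < len(stream):
            nxt = stream[i + 1:i + 2]
            if stream[i] == IAC and nxt == bytes([SE]):
                yield bytes(body)
                break
            if stream[i] == IAC and nxt == bytes([IAC]):
                i += 1                         # IAC IAC encodes a literal 0xFF
            body.append(stream[i])
            i += 1
        pos = stream.find(start, i)

def parse_vars(body: bytes) -> dict:
    """Decode an IS/INFO body into {name: value}; ESC quotes the next byte."""
    if not body or body[0] not in (IS, INFO):
        return {}
    env, name, kind, buf, i = {}, None, None, bytearray(), 1
    while i <= len(body):
        b = body[i] if i < len(body) else VAR  # virtual marker flushes last field
        if b == ESC and i + 1 < len(body):
            i += 1
            buf.append(body[i])
        elif b in (VAR, VALUE, USERVAR):
            text = buf.decode("latin-1")
            if kind == VALUE and name is not None:
                env[name] = text
            elif kind in (VAR, USERVAR):
                name = text
            kind, buf = b, bytearray()
        else:
            buf.append(b)
        i += 1
    return env

def suspicious_users(stream: bytes) -> list:
    """USER values starting with '-' would reach login looking like a switch."""
    users = (parse_vars(b).get("USER", "") for b in subnegotiations(stream))
    return [u for u in users if u.startswith("-")]

def constructed_frame(user: bytes) -> bytes:   # constructed sample, not captured traffic
    return bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + user + bytes([IAC, SE])
```

The check only works where the Telnet stream is visible in plain text and already reassembled per connection; a truncated subnegotiation without its closing IAC SE is ignored rather than guessed at.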

Solaris administrators should block Telnet access completely or restrict it to trusted computers. Telnet has been considered insecure for more than a decade: the plain-text communication between client and server makes it simple for an attacker to listen in and thus gain access to confidential access data, or even hijack complete Telnet sessions.
