Date: Mon, 12 Feb 2007 00:00:30 -0600 (CST)
From: Gadi Evron <ge@linuxbox.org.>
To: [email protected]Subject: Solaris telnet vulnberability - how many on your network?
Message-ID: <Pine.LNX.4.21.0702112359400.26645-100000@linuxbox.org.>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.7.5 (linuxbox.org [127.0.0.1]); Mon, 12 Feb 2007 00:00:33 -0600 (CST)
X-Virus-Scanned: antivirus-gw at tyumen.ru
Johannes Ullrich from the SANS ISC sent this to me and then I saw it on
the DSHIELD list:
----
If you run Solaris, please check if you got telnet enabled NOW. If you
can, block port 23 at your perimeter. There is a fairly trivial
Solaris telnet 0-day.
telnet -l "-froot" [hostname]
will give you root on many Solaris systems with default installs
We are still testing. Please use our contact form at
https://isc.sans.org/contact.html
if you have any details about the use of this exploit.
----
You mean they still use telnet?!
Update from HD Moore:
"but this bug isnt -froot, its -fanythingbutroot =P"
On the exploits@ mailing list and on DSHIELD this vulnerability was
verified as real.
If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it a
strong suggestion.
Anyone else running Solaris?
Gadi.
