| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 13 Feb 2007 11:08:39 -0600 (CST) From: Gadi Evron <ge@...uxbox.org> To: Oliver Friedrichs <oliver_friedrichs@...antec.com> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re: Solaris telnet vulnberability - how many on your network? On Tue, 13 Feb 2007, Oliver Friedrichs wrote: > > Gadi, > > It looks like I was confused, this actually affected AIX and Linux in > 1994: > > http://www.securityfocus.com/bid/458/info > http://www.cert.org/advisories/CA-1994-09.html Same same but with rlogin, as someone mentioned on DSHIELD. Gadi. > > Oliver > > -----Original Message----- > From: Gadi Evron [mailto:ge@...uxbox.org] > Sent: Tuesday, February 13, 2007 1:46 AM > To: Oliver Friedrichs > Cc: bugtraq@...urityfocus.com; full-disclosure@...ts.grok.org.uk > Subject: RE: Solaris telnet vulnberability - how many on your network? > > On Mon, 12 Feb 2007, Oliver Friedrichs wrote: > > > > Am I missing something? This vulnerability is close to 10 years old. > > It was in one of the first versions of Solaris after Sun moved off of > > the SunOS BSD platform and over to SysV. It has specifically to do > > with how arguments are processed via getopt() if I recall correctly. > > Hey Oliver! :) > > Well than, I guess it just became new again. And to be honest, I have to > agree with a previous poster and suspect (only suspect) it could somehow > be a backdoor rather than a bug. > > The reason why this vulnerability is so critical is the number of > networks and organizations which rely on Solaris for critical production > servers, as well as use telnet for internal communication on their LAN > (now how smart is that? I'd rather use telnet on the Internet than on a > local LAN). > > Further, there are quite a few third party appliances (some > infrastructure back-end) that can not easily be patched running on > Solaris (forget fuzzing or VA, people never even NMAP appliances they > buy). > > I am unsure of how long we will see this in to-do items of corporate > security teams around the world, but I am sure Sun's /8 is getting a lot > of action recently. > > > > > Oliver > > Gadi. > > > > > -----Original Message----- > > From: Gadi Evron [mailto:ge@...uxbox.org] > > Sent: Sunday, February 11, 2007 10:01 PM > > To: bugtraq@...urityfocus.com > > Cc: full-disclosure@...ts.grok.org.uk > > Subject: Solaris telnet vulnberability - how many on your network? > > > > Johannes Ullrich from the SANS ISC sent this to me and then I saw it > > on the DSHIELD list: > > > > ---- > > If you run Solaris, please check if you got telnet enabled NOW. If > > > you > > can, block port 23 at your perimeter. There is a fairly trivial > > Solaris telnet 0-day. > > > > telnet -l "-froot" [hostname] > > > > will give you root on many Solaris systems with default installs > > We are still testing. Please use our contact form at > > https://isc.sans.org/contact.html > > if you have any details about the use of this exploit. > > ---- > > > > You mean they still use telnet?! > > > > Update from HD Moore: > > "but this bug isnt -froot, its -fanythingbutroot =P" > > > > On the exploits@ mailing list and on DSHIELD this vulnerability was > > verified as real. > > > > If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it > > > a strong suggestion. > > > > Anyone else running Solaris? > > > > Gadi. > > > > > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists