Party like it’s 1994

A 0-day in Solaris {10,11} telnetd is reported.
SANS has some details.
Anyone who remembers the AIX “rlogin -froot” vuln will appreciate this one.
(h/t to KK on this one)

9 thoughts on “Party like it’s 1994”

  1. Wait. You’re mentioning a 0 day in telnet?
    I mean, WTF? You’re telling me there’s 0day in an app that sends its auth in the clear, and then is subject to session hijacking?
    Sun should be embarrassed to be shipping telnetd in 2007. Is it on by default?

  2. I don’t run Solaris 10, but I understand from folks that have tested this that yes, in.telnetd will be spawned by inetd on a default install, but that root can only login from the console.
    So, out of the box, this would get you any non-root user over the network (assuming they have a useful shell — I do not know if Solaris 10 is smart about that out of the box).
