[rescue] Solaris 10 Remote-Root Exploit

Francois Dion francois.dion at gmail.com
Wed Feb 14 11:37:46 CST 2007

On 2/14/07, der Mouse <mouse at rodents.montreal.qc.ca> wrote:
> >> And I've just checked and my telnetd is not vulnerable.  Most of the
> >> scanning activity is attempted exploits against my sshd anyway.
> > All telnetd are vulnerable to clear-text password interception.
> Not true; telnet can be Kerberized, and I think it can be TLSed as
> well.  And even those aside, nothing says that a clear-text password is
> the authentication/authorization method in use; nobody can intercept
> something that isn't sent.  (What else could it be?  SecurID is the
> first example that comes to mind.  And in some uses, there may be no
> auth{entic,oriz}ation info involved at all, as when using telnet to
> export something to the world.)

Sun telnet is kerberized. And contrary to what I thought, it was
this kerberizing that introduced the issue in in.telnetd.c, according
to Alan Hargreaves, and it was never backported to Solaris 9. I thought that
zlogin re-enabling an old feature (-f) was what made it possible,
but I'll take the word of a Sun kernel engineer to know Solaris code
better than my casual 1-minute review of the code, particularly when
said engineer produced the T-patch to fix the problem! :)
