Everything, Everything

2017: J F M A M J J A S O N D
2016: J F M A M J J A S O N D
2015: J F M A M J J A S O N D
2014: J F M A M J J A S O N D
2013: J F M A M J J A S O N D
2012: J F M A M J J A S O N D
2011: J F M A M J J A S O N D
2010: J F M A M J J A S O N D
2009: J F M A M J J A S O N D
2008: J F M A M J J A S O N D
2007: J F M A M J J A S O N D
2006: J F M A M J J A S O N D
2005: J F M A M J J A S O N D
2004: J F M A M J J A S O N D
Solaris
Monday 12th February, 2007 10:39 Comments: 1
It's so much more secure than Windows, right?

That is unless you're silly enough to allow telnet access. And I don't mean that just because it's unencrypted, I mean that because of the big and extremely trivial vulnerability in Solaris 10 and 11:

If you pass a "-fusername" as an argument to the –l option you get full access to the OS as the user specified. The example uses bin but it work for regular users, just not for root. This combined with a reliable local privilege escalation exploit would be devastating.

An example of the command line is:

telnet -l "-fbin" target_address


If you're running telnet, please disable it. Or at least check that your firewalls are blocking external access.
Avatar Robert - Tuesday 13th February, 2007 10:57
I was reading a follow-up blog entry, and it seems that someone else agreed with my interpretation of kcope's short PDF paper on why the vulnerability in telnetd happens:

/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c
3198
3199 } else /* default, no auth. info available, login does it all */ {
3200 (void) execl(LOGIN_PROGRAM, "login",
3201 "-p", "-h", host, "-d", slavename,
3202 getenv("USER"), 0);
3203 }

/usr/src/cmd/login/login.c
1397 break;
1398
1399 case 'f':
1400 /*
1401 * Must be root to bypass authentication
1402 * otherwise we exit() as punishment for trying.
1403 */
1404 if (getuid() != 0 || geteuid() != 0) {
1405 audit_error = ADT_FAIL_VALUE_AUTH_BYPASS;
1406
1407 login_exit(1); /* sigh */
1408 /*NOTREACHED*/
1409 }
1410 /* save fflag user name for future use */
1411 SCPYL(user_name, optarg);
1412 fflag = B_TRUE;

What happens is telnetd (running as root) passes the authentication across to login, login will normally exit if authentication hasn't been supplied, but because the telnetd service is running as root it allows the bypass to occur. And therefore logs you in as whichever username was supplied to telnetd (and passed across to login).

There have also been conflicting reports about this vulnerability working with the root account. This does not work on a default install of Solaris 10. By default a variable is set in /etc/default/login called CONSOLE. If this variable is set then root is not allowed to login from anywhere but the console. Commenting this variable out allows root to login from anywhere and allows this vulnerability to take advantage of the telnet exploit.
© Robert Nicholls 2002-2017
The views and opinions expressed on this site do not represent the views of my employer.
HTML5 / CSS3