STANFORD UNIVERSITY

SECURE COMPUTING

Security Alerts

February 12, 2007

Sun Solaris Telnet Vulnerability

Summary

A vulnerability in the telnet daemon (in.telnetd) shipped with Sun Solaris 10 and 11 could allow a remote attacker to log in as an existing account without supplying a password. The daemon does not sanitize the USER environment variable, which the telnet client sends during option negotiation, before passing it to the login process. By supplying a specially crafted USER value over telnet, a remote attacker can bypass authentication and gain access to the system with the privileges of that account. This was reported on February 12, 2007 and public exploit code is available.

Note: An attacker must know the name of a valid account other than root to exploit this vulnerability; since standard account names are easy to guess, this is a weak barrier. In default Solaris configurations the vulnerability cannot be used to log in as root directly, because root logins are restricted to the console by /etc/default/login.

Sun Solaris 8 and 9 are not affected by this issue.

What to Do

Until Sun provides a security update, or more information becomes available, Stanford recommends the following actions to help mitigate the security risks:

  • Disable the telnet daemon.
  • Restrict access to port 23/tcp to trusted hosts only.

SSH provides a considerably more secure method of logging in to a system remotely than telnet does. As general advice, we recommend using SSH rather than telnet.

Technical Details

The telnet daemon passes the client-supplied USER value to the login process as the user name without checking it. login accepts a -f switch that means "the caller has already authenticated this user" and skips the password prompt, so a USER value that begins with -f is parsed by login as that switch rather than as an account name. Because in.telnetd runs as root on Solaris 10 and 11, the result is an unauthenticated remote login as whichever account follows the -f.
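The following is an added illustration of the mechanism just described; it is not code from this alert, from US-CERT or from Sun. It builds the telnet NEW-ENVIRON message (RFC 1572) in which a client sends USER, decodes it the way a server must, places the decoded value in the argv of login and then shows how a getopt-style parser turns a value such as -froot into the -f switch. The argv layout, the option string given to getopt, the hardened name check and the host and user values are assumptions chosen for the example.

```python
import getopt
import re

# Telnet command and option codes (RFC 854) and NEW-ENVIRON codes (RFC 1572).
IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39
IS, SEND = 0, 1
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def _escape(data):
    """RFC 1572: VAR/VALUE/ESC/USERVAR bytes inside names or values get an ESC prefix; IAC is doubled."""
    out = bytearray()
    for b in data:
        if b in (VAR, VALUE, ESC, USERVAR):
            out += bytes([ESC, b])
        elif b == IAC:
            out += bytes([IAC, IAC])
        else:
            out.append(b)
    return bytes(out)


def environ_is_reply(env):
    """Client -> server: IAC SB NEW-ENVIRON IS (VAR name VALUE value)* IAC SE.
    This is the message a client sends when the server asks for its environment."""
    body = bytearray([IAC, SB, NEW_ENVIRON, IS])
    for name, value in env.items():
        body += bytes([VAR]) + _escape(name.encode()) + bytes([VALUE]) + _escape(value.encode())
    return bytes(body + bytes([IAC, SE]))


def parse_environ_is(payload):
    """Server side: decode the IS suboption (bytes between the option code and IAC SE) into a dict."""
    if not payload or payload[0] != IS:
        raise ValueError("not a NEW-ENVIRON IS suboption")
    fields, kind, cur, i = [], None, bytearray(), 1
    while i < len(payload):
        b = payload[i]
        if b in (ESC, IAC) and i + 1 < len(payload):   # ESC x -> x, IAC IAC -> IAC
            cur.append(payload[i + 1])
            i += 2
            continue
        if b in (VAR, USERVAR, VALUE):                 # start of a new name or value field
            if kind is not None:
                fields.append((kind, bytes(cur)))
            kind, cur = b, bytearray()
        else:
            cur.append(b)
        i += 1
    if kind is not None:
        fields.append((kind, bytes(cur)))
    env, name = {}, None
    for kind, data in fields:
        if kind in (VAR, USERVAR):
            name = data.decode("latin-1")
            env[name] = ""                             # a name without VALUE means "defined, empty"
        elif name is not None:
            env[name] = data.decode("latin-1")
    return env


USERNAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")   # hardening rule chosen for this example


def telnetd_login_argv(user, host, hardened=False):
    """How the daemon hands USER to login(1). Unpatched, the client string lands in argv unchecked.
    The argv layout is an illustration (assumption), not Sun's source."""
    if hardened and not USERNAME_RE.fullmatch(user):
        raise ValueError("refusing client-supplied USER value %r" % user)
    return ["login", "-p", "-h", host, user]


def login_parse(argv):
    """Model of login(1) option handling: -f NAME means the caller already authenticated NAME,
    so no password is asked. The option string is a subset of the real one (assumption)."""
    opts, rest = getopt.getopt(argv[1:], "pf:h:d:")
    opts = dict(opts)
    if "-f" in opts:
        return {"user": opts["-f"], "password_required": False}
    return {"user": rest[0] if rest else None, "password_required": True}


def simulate(client_user_value, host="client.example", hardened=False):
    """Full path: the USER value a client sends -> what login(1) would do with it.
    Host name and user values are constructed for the example."""
    wire = environ_is_reply({"USER": client_user_value})   # client -> in.telnetd
    env = parse_environ_is(wire[3:-2])                       # in.telnetd decodes the suboption
    return login_parse(telnetd_login_argv(env["USER"], host, hardened))


if __name__ == "__main__":
    print(simulate("bin"))                 # normal: login prompts bin for a password
    print(simulate("-froot"))              # bug: login sees -f root and skips the password
    try:
        simulate("-froot", hardened=True)  # a daemon that validates the name refuses it
    except ValueError as e:
        print(e)
```

The boundary the fix has to sit on is visible in telnetd_login_argv: anything the client controls must be validated (or passed after a "--" separator) before it becomes an argv element of a program that parses options, because the option parser cannot tell a user name from a switch.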

Limit your exposure if you must run telnet on your Solaris system. Use a firewall to restrict which IP addresses can connect to the telnet service. Other ways to mitigate this issue until a patch is available:

Make sure /etc/default/login contains the line CONSOLE=/dev/console (uncommented) so that root can log in only on the console. This only prevents direct access to the root account; other accounts can still be compromised.

Another mitigation that works in most cases is this:
inetadm -m svc:/network/telnet:default exec="/usr/sbin/in.telnetd -a user"
Note: with -a user, in.telnetd only accepts clients that authenticate through the telnet AUTHENTICATION option (Kerberos on Solaris), so ordinary telnet clients are refused. Reports have surfaced of people locking themselves out with this, so keep a second session open while testing and use at your own risk.

References

The above information was derived from: (US-CERT Note VU#881872)
http://www.kb.cert.org/vuls/id/881872


Last modified Wednesday, 21-Feb-2007 02:01:55 PM
