Solaris telnet 0-day

Update: Solaris has issued a kb document with information, and an Interim Security Relief Patch (ISR) to address this issue. 

On the full-disclosure list someone has posted another 0-day, this time for Solaris 10 and the upcoming 11.  Initial evidence suggests that this does not affect prior versions.  The vulnerability allows an attacker to log in remotely as any user without authentication.  Contrary to what I've read on other sites, I have been able to confirm that this includes the ability to log in as root (on Solaris 10u1 anyway).  What's even scarier is that no exploit code is required; only a telnet client is needed.

Here's an example of how easy it is to exploit this:

chris@pentest:~$ telnet **********
Connected to
Escape character is '^]'.
Last login: Sun Feb 11 21:31:24 from
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
You have new mail.
# uname -a;id
SunOS unknown 5.10 Generic_118844-26 i86pc i386 i86pc
uid=0(root) gid=0(root)

The above example was against a default install Solaris 10 update 1 system.  Although this would have been a big deal five years ago, today hopefully everyone has telnet disabled, especially from the Internet.  I've written a Snort rule to detect this activity:

alert tcp any any -> any 23 (msg:"BLEEDING-EDGE EXPLOIT  \
Solaris telnet USER environment vuln"; flow:to_server,established; \
content: "|ff fa 27 00 00 55 53 45 52 01 2d 66|"; rawbytes; \
classtype: attempted-user; sid:100002; rev:2;)

The content check is looking for:
ff fa (IAC SB) 27 (NEW-ENVIRON) 00 00 (IS VAR) 55 53 45 52 ("USER") 01 (VALUE) 2d 66 ("-f")
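The Snort rule above keys on one fixed byte string, so it misses the same request if the client sends another variable (TERM, DISPLAY) before USER in the same suboption, or if the "-f" value is preceded by a DO/WILL negotiation that shifts nothing but still looks different to the eye. The following is an added example written for this post, not code from the original article or from Sun: a small decoder for the telnet NEW-ENVIRON subnegotiation (RFC 1572 framing, IAC SB ... IAC SE, with VAR/VALUE/ESC/USERVAR markers) that reports any USER value starting with "-f" regardless of where it sits in the stream. The sample byte strings are constructed for the example and use the "-fbin" value mentioned later in the post; the function names are my own.

```python
# Added example: decode telnet NEW-ENVIRON suboptions and flag a USER value
# beginning with "-f" (the pattern the Snort rule above matches at a fixed
# offset). Not part of the original post; names and samples are constructed.

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
NEW_ENVIRON = 0x27                      # telnet option 39 (RFC 1572)
ENV_IS, ENV_SEND, ENV_INFO = 0, 1, 2    # first byte of the suboption payload
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3   # markers inside the payload


def iter_suboptions(data: bytes):
    """Yield (option, payload) for every IAC SB <opt> ... IAC SE in a stream.

    Skips ordinary IAC commands (DO/DONT/WILL/WONT carry one option byte) and
    un-escapes IAC IAC inside a suboption.  Unterminated suboptions are yielded
    with whatever payload was seen, which is what a detector wants.
    """
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC or i + 1 >= n:
            i += 1
            continue
        cmd = data[i + 1]
        if cmd == SB:
            j = i + 2
            option = data[j] if j < n else None
            j += 1
            payload = bytearray()
            while j < n:
                b = data[j]
                if b == IAC and j + 1 < n:
                    if data[j + 1] == SE:          # end of subnegotiation
                        j += 2
                        break
                    if data[j + 1] == IAC:         # escaped 0xff data byte
                        payload.append(IAC)
                        j += 2
                        continue
                payload.append(b)
                j += 1
            if option is not None:
                yield option, bytes(payload)
            i = j
        else:
            i += 3 if cmd in (WILL, WONT, DO, DONT) else 2


def parse_new_environ(payload: bytes):
    """Parse a NEW-ENVIRON IS/INFO payload into [(name, value_or_None), ...]."""
    if not payload or payload[0] not in (ENV_IS, ENV_INFO):
        return []
    pairs, name, value, cur = [], None, None, None
    i = 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR):                   # start of a new variable name
            if name is not None:
                pairs.append((bytes(name), None if value is None else bytes(value)))
            name, value = bytearray(), None
            cur = name
        elif b == VALUE:                          # start of this variable's value
            value = bytearray()
            cur = value
        elif b == ESC and i + 1 < len(payload):   # literal marker byte follows
            i += 1
            if cur is not None:
                cur.append(payload[i])
        elif cur is not None:
            cur.append(b)
        i += 1
    if name is not None:
        pairs.append((bytes(name), None if value is None else bytes(value)))
    return pairs


def find_dash_f_user(stream: bytes):
    """Return every USER value starting with '-f' found in a client->server stream."""
    hits = []
    for option, payload in iter_suboptions(stream):
        if option != NEW_ENVIRON:
            continue
        for name, value in parse_new_environ(payload):
            if name == b"USER" and value is not None and value.startswith(b"-f"):
                hits.append(value.decode("ascii", "replace"))
    return hits


# Constructed samples (not captured traffic).
SUSPICIOUS = (bytes([IAC, SB, NEW_ENVIRON, ENV_IS, VAR]) + b"USER"
              + bytes([VALUE]) + b"-fbin" + bytes([IAC, SE]))
BENIGN = (bytes([IAC, SB, NEW_ENVIRON, ENV_IS, VAR]) + b"USER"
          + bytes([VALUE]) + b"chris" + bytes([IAC, SE]))
# TERM sent before USER, preceded by a DO TERMINAL-TYPE: the fixed-offset rule
# would not match this, the decoder still does.
MIXED = (bytes([IAC, DO, 0x18]) + bytes([IAC, SB, NEW_ENVIRON, ENV_IS, VAR]) + b"TERM"
         + bytes([VALUE]) + b"xterm" + bytes([VAR]) + b"USER"
         + bytes([VALUE]) + b"-fbin" + bytes([IAC, SE]))

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN), ("mixed", MIXED)):
        print(label, find_dash_f_user(sample))
```

The decoder reads the client-to-server direction only; run it over the reassembled TCP payload to port 23 (or feed it the bytes a sensor has already carved out), and treat any non-empty result as the same event the Snort rule raises.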

The RFCs for telnet are and

Later versions of Solaris prompt during install if telnet should be
enabled. Also, in later versions this doesn't work for root: an
attacker would have to use -fbin or another account and then use a
local exploit to gain root.

The first blog sighting of this vulnerability can be found here: Errata Security. More information is at Computer Defense.
Some of the links about this vulnerability on these sites point to
pages that contain content that is not safe for a work environment.

If you are still using telnet, now's the time to disable it.