Solaris telnetd authentication bypass

2007-02-16T00:00:00
ID SAINT:F83AF66562E2301032ED9A730B8E80E0
Type saint
Reporter SAINT Corporation
Modified 2007-02-16T00:00:00

Description

Added: 02/16/2007
CVE: CVE-2007-0882
BID: 22512
OSVDB: 31881

Background

The Telnet service allows remote users to authenticate to a system and use an interactive command shell. The Telnet service is implemented by the Telnet daemon, **telnetd**.

Problem

The **telnetd** program in Solaris 10 and 11 misinterprets **USER** environment variables beginning with "-f", resulting in an authentication bypass vulnerability. A remote attacker could execute arbitrary commands using a standard telnet client program.

Resolution

Apply one of the patches referenced in Sun Alert 102802.

References

<http://secunia.com/advisories/24120>
<http://www.kb.cert.org/vuls/id/881872>

Limitations

Exploit works on Solaris 10 and 11. Root access can only be gained if the target system allows non-console superuser access.

Platforms

SunOS