Solaris telnetd authentication bypass

Added: 02/16/2007
CVE: CVE-2007-0882
BID: 22512
OSVDB: 31881

Background

The Telnet service allows remote users to authenticate to a system and use an interactive command shell. The Telnet service is implemented by the Telnet daemon, telnetd.

Problem

The telnetd program in Solaris 10 and 11 misinterprets USER environment variables beginning with "-f", resulting in an authentication bypass vulnerability. A remote attacker could execute arbitrary commands using a standard telnet client program.

Resolution

Apply one of the patches referenced in Sun Alert 102802.

References

http://secunia.com/advisories/24120
http://www.kb.cert.org/vuls/id/881872

Limitations

The exploit works on Solaris 10 and 11. Root access can only be gained if the target system allows non-console superuser access.

Platforms

SunOS
