Solaris telnetd authentication bypass
Added: 02/16/2007
CVE: CVE-2007-0882
BID: 22512
OSVDB: 31881
Background
The Telnet service allows remote users to authenticate to a system and use an interactive command shell. The Telnet service is implemented by the Telnet daemon, telnetd.
Problem
The telnetd program in Solaris 10 and 11 misinterprets USER environment variables beginning with "-f", resulting in an authentication bypass vulnerability. A remote attacker could execute arbitrary commands using a standard telnet client program.
Resolution
Apply one of the patches referenced in Sun Alert 102802.
References
http://secunia.com/advisories/24120
http://www.kb.cert.org/vuls/id/881872
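
The mistake described under Problem is a client-supplied value being read as an option. The block below is an added example, not code from Sun or from this advisory: a check a daemon can apply to the USER value before use, assuming the value is passed to a login program on its command line. The function names, the 32-character limit, the allowed character set and the `login --` argument layout are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_USER_LEN 32 /* assumed limit for this example */

/* Return 1 if a client-supplied USER value may be passed on as one
 * positional argument, 0 otherwise. */
int user_value_is_safe(const char *user)
{
    size_t i, len;

    if (user == NULL)
        return 0;
    len = strlen(user);
    if (len == 0 || len > MAX_USER_LEN)
        return 0;
    /* A leading '-' would be parsed as an option by the receiving program. */
    if (user[0] == '-')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '.' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Fill argv (capacity cap) for a hypothetical login helper.
 * Returns the argument count, or -1 if the value is rejected. */
int build_login_argv(const char *user, const char *argv[], size_t cap)
{
    if (cap < 4 || !user_value_is_safe(user))
        return -1;
    argv[0] = "login";
    argv[1] = "--"; /* assumes the helper honours the end-of-options marker */
    argv[2] = user;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    const char *samples[] = { "alice", "-fexample", "" }; /* constructed inputs */
    const char *argv[4];
    for (size_t i = 0; i < 3; i++)
        printf("%-12s -> %d\n", samples[i], build_login_argv(samples[i], argv, 4));
    return 0;
}
```
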
Limitations
Exploit works on Solaris 10 and 11. Root access can only be gained if the target system allows non-console superuser access.
Platforms
SunOS