Solaris 10 Forced Login Telnet Authentication Bypass

critical Nessus Plugin ID 24323

Synopsis

It is possible to log into the remote system using telnet without supplying any credentials.

Description

The remote version of telnet does not sanitize the user-supplied 'USER' environment variable. By supplying a specially malformed USER environment variable, an attacker may force the remote telnet server to believe that the user has already authenticated.

For instance, the following command:

telnet -l '-fbin' target.example.com

will result in obtaining a shell with the privileges of the 'bin' user.

Solution

Install patches 120068-02 (sparc) or 120069-02 (i386), which are available from Sun.

Filter incoming traffic to this port, or disable the telnet service and use SSH instead, or use inetadm to mitigate this problem (see the links below).

See Also

http://lists.sans.org/pipermail/list/2007-February/025935.html

http://isc.sans.org/diary.html?storyid=2220

Plugin Details

Severity: Critical

ID: 24323

File Name: solaris10_telnet_env.nasl

Version: 1.34

Type: remote

Published: 2/12/2007

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/o:sun:solaris

Excluded KB Items: openwrt/blank_telnet_password

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 2/13/2007

Vulnerability Publication Date: 2/10/2007

Exploitable With

CANVAS (CANVAS)

Metasploit (Sun Solaris Telnet Remote Authentication Bypass Vulnerability)

Reference Information

CVE: CVE-2007-0882

BID: 22512

CWE: 94