Solaris 10 Forced Login Telnet Authentication Bypass

critical Nessus Plugin ID 24323


It is possible to log into the remote system using telnet without supplying any credentials.


The remote version of telnet does not sanitize the user-supplied 'USER' environment variable. By supplying a specially malformed USER environment variable, an attacker may force the remote telnet server to believe that the user has already authenticated.

For instance, the following command:

telnet -l '-fbin'

will result in obtaining a shell with the privileges of the 'bin' user.
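
A defensive check for the malformed value described above, as an added example that is not part of the Nessus plugin or the original page: it parses Telnet NEW-ENVIRON subnegotiations (RFC 1572) out of captured client-to-server bytes and flags any USER value that begins with a hyphen, the shape of the '-fbin' value shown. The function names, the sample captures and the leading-hyphen rule (a generalization of the single value on the page) are assumptions made for this example.

```python
import re

# IAC SB NEW-ENVIRON <payload> IAC SE (RFC 854, RFC 1572); IAC IAC escapes 0xFF.
SUBNEG = re.compile(rb"\xff\xfa\x27((?:\xff\xff|[^\xff])*)\xff\xf0")
IS, INFO = 0, 2                         # payload types that carry values
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3   # field markers inside the payload

def subnegotiations(stream):
    """Yield each NEW-ENVIRON payload with IAC IAC unescaped to one 0xFF."""
    for m in SUBNEG.finditer(stream):
        yield m.group(1).replace(b"\xff\xff", b"\xff")

def parse_env(body):
    """Decode the name/value pairs of an IS or INFO payload into a dict."""
    fields, k = [], 1
    if not body or body[0] not in (IS, INFO):
        return {}
    while k < len(body):
        if body[k] == ESC and fields and k + 1 < len(body):
            k += 1                      # ESC: the next byte is literal data
            fields[-1][1].append(body[k])
        elif body[k] in (VAR, USERVAR, VALUE):
            fields.append([body[k], bytearray()])
        elif fields:
            fields[-1][1].append(body[k])
        k += 1
    env, name = {}, None
    for kind, data in fields:
        text = data.decode("latin-1")
        if kind != VALUE:               # VAR or USERVAR starts a new variable
            name, env[text] = text, ""
        elif name is not None:
            env[name] = text
    return env

def suspicious_user(stream):
    """Return every USER value in the stream that begins with '-'."""
    users = (parse_env(b).get("USER", "") for b in subnegotiations(stream))
    return [u for u in users if u.startswith("-")]

# Constructed sample captures for this example, not real traffic.
HEAD = b"\xff\xfa\x27\x00\x00USER\x01"   # IAC SB NEW-ENVIRON IS VAR "USER" VALUE
BAD = HEAD + b"-fbin" + b"\xff\xf0"
GOOD = HEAD + b"alice" + b"\xff\xf0"

if __name__ == "__main__":
    print(suspicious_user(BAD), suspicious_user(GOOD))
```
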


Install patches 120068-02 (sparc) or 120069-02 (i386), which are available from Sun.

Filter incoming traffic to this port, or disable the telnet service and use SSH instead, or use inetadm to mitigate this problem (see the link below).

See Also

Plugin Details

Severity: Critical

ID: 24323

File Name: solaris10_telnet_env.nasl

Version: 1.34

Type: remote

Published: 2/12/2007

Updated: 4/11/2022

Configuration: Enable thorough checks

Risk Information


Risk Factor: High

Score: 7.4


Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/o:sun:solaris

Excluded KB Items: openwrt/blank_telnet_password

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 2/13/2007

Vulnerability Publication Date: 2/10/2007

Exploitable With


Metasploit (Sun Solaris Telnet Remote Authentication Bypass Vulnerability)

Reference Information

CVE: CVE-2007-0882

BID: 22512

CWE: 94