Solaris 10 Forced Login Telnet Authentication Bypass

Critical Nessus Plugin ID 24323


It is possible to log into the remote system using telnet without supplying any credentials.


The remote version of telnet does not sanitize the user-supplied 'USER' environment variable. By supplying a specially malformed USER environment variable, an attacker may force the remote telnet server to believe that the user has already authenticated.

For instance, the following command:

telnet -l '-fbin'

will result in obtaining a shell with the privileges of the 'bin' user.
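
A defender-side check for the condition described above, added here as an illustration and not part of the Nessus plugin: it parses captured client-to-server telnet bytes and reports USER values that begin with '-'. It assumes USER travels in a NEW-ENVIRON (RFC 1572) subnegotiation; the function names and sample captures are constructed for this example.

```python
# Added example: flag NEW-ENVIRON (RFC 1572) USER values that start with "-".
IAC, SB, SE, NEW_ENVIRON = 0xFF, 0xFA, 0xF0, 39
IS, INFO, VAR, VALUE, ESC, USERVAR = 0, 2, 0, 1, 2, 3   # RFC 1572 codes

def subnegotiations(stream: bytes):
    """Yield (option, payload) for every complete IAC SB <opt> ... IAC SE block."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            # IAC IAC is an escaped data byte; WILL/WONT/DO/DONT carry an option byte.
            i += 3 if 0xFB <= stream[i + 1] <= 0xFE else 2
        else:
            body, j = bytearray(), i + 2
            while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
                j += 2 if stream[j] == IAC else 1   # IAC IAC -> one 0xFF data byte
                body.append(stream[j - 1])
            if j + 1 >= n:
                return                              # truncated block: nothing to report
            if body:
                yield body[0], bytes(body[1:])
            i = j + 2

def environ_vars(payload: bytes) -> dict:
    """Decode an IS/INFO payload into {name: value}; ESC quotes the next byte."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    fields, k = [], 1
    while k < len(payload):
        b = payload[k]
        if b in (VAR, VALUE, USERVAR):
            fields.append([b, ""])                  # start a new name or value
        elif fields:
            if b == ESC and k + 1 < len(payload):
                k += 1                              # take the quoted byte literally
            fields[-1][1] += chr(payload[k])
        k += 1
    return {f[1]: g[1] for f, g in zip(fields, fields[1:]) if f[0] != VALUE and g[0] == VALUE}

def suspicious_users(stream: bytes) -> list:
    """USER values that begin with '-' and so could be read as a login option."""
    users = (environ_vars(p).get("USER", "") for o, p in subnegotiations(stream) if o == NEW_ENVIRON)
    return [u for u in users if u.startswith("-")]

# Constructed captures: IAC SB NEW-ENVIRON IS VAR "USER" VALUE <name> IAC SE
SAMPLE_BAD = b"\xff\xfa\x27\x00\x00USER\x01-fbin\xff\xf0"
SAMPLE_OK = b"\xff\xfa\x27\x00\x00USER\x01alice\xff\xf0"
```
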


Install patches 120068-02 (sparc) or 120069-02 (i386), which are available from Sun.

Filter incoming traffic to this port, or disable the telnet service and use SSH instead, or use inetadm to mitigate this problem (see the link below).

See Also

Plugin Details

Severity: Critical

ID: 24323

File Name: solaris10_telnet_env.nasl

Version: $Revision: 1.27 $

Type: remote

Published: 2007/02/12

Modified: 2016/12/09

Dependencies: 40354, 17975

Risk Information

Risk Factor: Critical


Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:sun:solaris

Excluded KB Items: openwrt/blank_telnet_password

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 2007/02/13

Vulnerability Publication Date: 2007/02/10

Exploitable With


Metasploit (Sun Solaris Telnet Remote Authentication Bypass Vulnerability)

Reference Information

CVE: CVE-2007-0882

BID: 22512

OSVDB: 31881

IAVB: 2007-B-0006

CWE: 94