Solaris 10 Forced Login Telnet Authentication Bypass
Critical Nessus Plugin ID 24323
Synopsis
It is possible to log into the remote system using telnet without supplying any credentials.
Description
The remote version of telnet does not sanitize the user-supplied 'USER' environment variable. By supplying a specially malformed USER environment variable, an attacker may force the remote telnet server to believe that the user has already authenticated.
For instance, the following command:
telnet -l '-fbin' target.example.com
will result in obtaining a shell with the privileges of the 'bin' user.
Solution
Install patches 120068-02 (sparc) or 120069-02 (i386), which are available from Sun.
Filter incoming traffic to this port or disable the telnet service and use SSH instead, or use inetadm to mitigate this problem (see the link below).
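A detection-side check for the malformed USER variable described above, as an added example that is not part of the Nessus plugin or the original page: it parses captured client-to-server telnet bytes for NEW-ENVIRON subnegotiations (RFC 1572) and reports any USER value that begins with '-'. It assumes the client delivers USER through the NEW-ENVIRON option; the function names and the sample byte strings are constructed for illustration.

```python
import re

IAC, SB, SE, NEW_ENVIRON = 255, 250, 240, 39   # option 39: RFC 1572
IS, INFO, VALUE = 0, 2, 1                      # IS/INFO carry client values
# VAR=0, VALUE=1, USERVAR=3 start a field; ESC=2 quotes the following byte
TOKEN = re.compile(rb"([\x00\x01\x03])((?:\x02.|[^\x00-\x03])*)", re.S)

def subnegotiations(stream):
    """Yield (option, payload) per IAC SB ... IAC SE block, undoing IAC IAC."""
    i = 0
    while i < len(stream) - 2:
        if stream[i] == IAC and stream[i + 1] == SB:
            opt, j, payload = stream[i + 2], i + 3, bytearray()
            while j < len(stream) - 1:
                if stream[j] == IAC and stream[j + 1] == SE:
                    yield opt, bytes(payload)
                    break
                if stream[j] == IAC and stream[j + 1] == IAC:
                    j += 1                      # escaped 0xFF data byte
                payload.append(stream[j])
                j += 1
            i = j + 2
        else:
            i += 2 if stream[i] == IAC else 1   # skip other telnet commands

def environ_vars(payload):
    """Parse an IS/INFO payload into {name: value}, honouring ESC quoting."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    out, name = {}, None
    for kind, data in TOKEN.findall(payload[1:]):
        text = re.sub(rb"\x02(.)", rb"\1", data, flags=re.S).decode("latin-1")
        if kind[0] != VALUE:
            name = text
        elif name is not None:
            out[name] = text
    return out

def suspicious_users(stream):
    # USER values starting with '-' would be read as an option, not a name
    return [env["USER"] for opt, payload in subnegotiations(stream)
            if opt == NEW_ENVIRON
            for env in [environ_vars(payload)]
            if env.get("USER", "").startswith("-")]

# Constructed sample captures (client-to-server bytes), not real traffic
BENIGN = b"\xff\xfa\x27\x00\x00USER\x01alice\xff\xf0"
FLAGGED = b"\xff\xfb\x27" + b"\xff\xfa\x27\x00\x00USER\x01-fbin\xff\xf0"
```

Run `suspicious_users()` over reassembled client-side telnet payloads from a packet capture; any non-empty result on a host that still exposes telnet warrants checking the patch level named in the Solution.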