Solaris 10 Telnet Exploit

http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html

Tested on Sol10, and it indeed works... Good thing we use SSH, right?!

It works.
Credit to Johannes Ullrich at the SANS ISC.

I believe the vulnerability is that it is running telnet by default.

From HD Moore:

"but this bug isn't -froot, it's -fanythingbutroot =P"

A couple of updates and a summary digest of useful information shared from
all around on this vulnerability, for those of us trying to make sense of
what it means to our networks:

1. Sun released a patch (although it is not a final one). It can be found
on their site ( http://sunsolve.sun.com/tpatches - thanks to Casper Dik of
Sun, for those who have been following the discussion).

To quote: "the simplest possible fix on such short notice":
http://cvs.opensolaris.org/source/diff/onnv/onnv-gate/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c?r2=3629&r1=2923

2. If you haven't already, I strongly recommend checking your network for
machines running telnet, and more specifically, vulnerable to this
particular issue.

Several folks are speaking of third-party appliances running on Solaris,
as well as some back-end VoIP devices that have been confirmed as
vulnerable.

Apparently, telnet returns a different answer when this vulnerability is
used. We are not sure yet, but Noam Rathaus brought up the option that it
looks like the client responds with a "Won't Authentication Option" to the
server's "Do Authentication Option". This could perhaps be used to
actively detect the "attack".

3. If this solution is viable for you and you haven't already, ACLing
23/tcp at the border or from your user space may not be a bad idea, if it
won't kill anything. At least for now.

4. Bleeding Edge (ex Bleeding Snort) released snort signatures for this:
http://www.bleedingthreats.net/index.php/2007/02/12/solaris-remote-telnet-root-exploit-signature/
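Added example, not part of the thread: a small parser for telnet option negotiation that flags the indicator Noam Rathaus suggested in point 2 above, a client answering the server's "Do Authentication" with "Won't Authentication". The option and command byte values are the standard telnet ones; the sample byte streams are constructed, and the post itself treats this indicator as unconfirmed, so it is a hint for triage, not proof of an attack.

```python
# Added example (not from the NANOG thread): flag the telnet negotiation
# pattern described in the post, a client replying WONT AUTHENTICATION to
# the server's DO AUTHENTICATION. Byte values are from the telnet RFCs;
# the sample traffic below is constructed.

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
TELOPT_AUTHENTICATION = 37  # RFC 2941 option code
VERB = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}

def parse_negotiations(stream: bytes):
    """Return the (verb, option) pairs found in a raw telnet byte stream.
    Subnegotiations (IAC SB ... IAC SE) are skipped; IAC IAC is a literal 255."""
    out = []
    i = 0
    while i < len(stream):
        if stream[i] != IAC:
            i += 1
            continue
        if i + 1 >= len(stream):
            break
        cmd = stream[i + 1]
        if cmd == IAC:            # escaped data byte, not a command
            i += 2
        elif cmd == SB:           # skip the whole subnegotiation
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = len(stream) if end < 0 else end + 2
        elif cmd in VERB and i + 2 < len(stream):
            out.append((VERB[cmd], stream[i + 2]))
            i += 3
        else:
            i += 2                # other two-byte commands (NOP, GA, ...)
    return out

def auth_refused_after_offer(server_to_client: bytes, client_to_server: bytes) -> bool:
    """True when the server sent DO AUTHENTICATION and the client answered
    WONT AUTHENTICATION, the indicator suggested in the thread."""
    offered = ("DO", TELOPT_AUTHENTICATION) in parse_negotiations(server_to_client)
    refused = ("WONT", TELOPT_AUTHENTICATION) in parse_negotiations(client_to_server)
    return offered and refused

# Constructed sample traffic: the server offers authentication and terminal
# type; one client accepts authentication, the other refuses it.
SERVER = bytes([IAC, DO, TELOPT_AUTHENTICATION, IAC, DO, 24])
CLIENT_NORMAL = bytes([IAC, WILL, TELOPT_AUTHENTICATION, IAC, WILL, 24])
CLIENT_SUSPECT = bytes([IAC, WONT, TELOPT_AUTHENTICATION, IAC, WILL, 24])

if __name__ == "__main__":
    print("normal client flagged:", auth_refused_after_offer(SERVER, CLIENT_NORMAL))    # False
    print("suspect client flagged:", auth_refused_after_offer(SERVER, CLIENT_SUSPECT))  # True
```

Many ordinary clients also decline authentication, so a hit on this check is a reason to look at the session, not a verdict on its own.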

Quoting:

Gadi Evron wrote:

A couple of updates and a summary digest of useful information shared from
all around on this vulnerability, for those of us trying to make sense of
what it means to our networks:

Gadi,

This post appears to have been written for another mailing list (where it is probably on-topic). Why did you repost it to NANOG-L?

As so many of the providers here spent the day trying to figure out what
to do with this with little to no organized data. Much of the information
there has been gathered from other places.

  Gadi.

...

2. If you haven't already, I strongly recommend checking your network for
machines running telnet, and more specifically, vulnerable to this
particular issue.

NO. The telnet DAEMON. NOT telnet. *sigh* Too many releases
confusing the two.