| Nessus Plugin ID: 24323 | Name: Solaris 10 Forced Login Telnet Authentication Bypass |
| CVE References: CVE-2007-0882 (cve.mitre.org, nvd.nist.gov)  |
| SANS/FBI TOP20 Reference: S3 (Annual Update 2007)  |
| Group/Family: Gain a shell remotely |
| Risk: Critical |
Description:
Synopsis :
It is possible to log into the remote system using telnet without
supplying any credentials.
Description :
The remote version of telnet does not sanitize the user-supplied
'USER' environment variable. By supplying a specially malformed USER
environment variable, an attacker may force the remote telnet server
to believe that the user has already authenticated.
For instance, the following command :
telnet -l '-fbin' target.example.com
will result in a shell with the privileges of the 'bin' user.
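The USER value reaches the server inside a telnet NEW-ENVIRON (RFC 1572) subnegotiation, so the malformed form above is visible on the wire before login ever runs. The following parser and check are an added detection example, not part of this plugin or of Sun's code; the byte stream it inspects is constructed here, and it assumes the client sends USER as a NEW-ENVIRON VAR/VALUE pair (clients using the legacy ENVIRON option 36 are not decoded).

```python
IAC, SB, SE, NEW_ENVIRON = 255, 250, 240, 39     # telnet commands; option 39 = NEW-ENVIRON
IS, INFO = 0, 2                                  # NEW-ENVIRON sub-commands (RFC 1572)
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3            # NEW-ENVIRON field markers

def iter_subnegotiations(stream: bytes):
    """Yield (option, payload) for each IAC SB <option> ... IAC SE in a raw stream."""
    i = 0
    while (i := stream.find(bytes([IAC, SB]), i)) != -1 and i + 2 < len(stream):
        option, j, payload = stream[i + 2], i + 3, bytearray()
        while j < len(stream):
            if stream[j] == IAC and j + 1 < len(stream):
                if stream[j + 1] == SE:
                    j += 2
                    break
                j += 1                           # IAC IAC: one escaped 0xFF data byte
            payload.append(stream[j])
            j += 1
        yield option, bytes(payload)
        i = j

def parse_environ(payload: bytes) -> dict:
    """Parse an IS/INFO body into {name: value}; ESC makes the next byte literal."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    fields, k = [], 1                            # [(marker, bytearray), ...]
    while k < len(payload):
        b, literal = payload[k], False
        if b == ESC and k + 1 < len(payload):
            k, b, literal = k + 1, payload[k + 1], True
        if not literal and b in (VAR, USERVAR, VALUE):
            fields.append((b, bytearray()))
        elif fields:
            fields[-1][1].append(b)
        k += 1
    env, name = {}, None
    for marker, data in fields:
        if marker != VALUE:                      # VAR or USERVAR opens a new variable
            name = data.decode("latin-1")
            env[name] = ""                       # a name may arrive with no VALUE
        elif name is not None:
            env[name] = data.decode("latin-1")
    return env

def suspicious_users(stream: bytes) -> list:     # USER values login would read as options
    users = [parse_environ(p).get("USER", "") for o, p in iter_subnegotiations(stream) if o == NEW_ENVIRON]
    return [u for u in users if u.lstrip().startswith("-")]

# Constructed capture: a benign session (USER=alice), then the advisory's '-fbin' USER.
SAMPLE_STREAM = (bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"alice" + bytes([IAC, SE])
                 + bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"-fbin" + bytes([IAC, SE]))
```

Running `suspicious_users(SAMPLE_STREAM)` returns only the `-fbin` value, which is the signal to alert on in a capture from an unpatched host.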
See also :
http://lists.sans.org/pipermail/list/2007-February/025935.html
http://isc.sans.org/diary.html?storyid=2220
Solution :
Install patches 120068-02 (sparc) or 120069-02 (i386)
which are available from Sun.
Filter incoming traffic to this port, or disable the telnet service
and use SSH instead, or use inetadm to mitigate this
problem (see the link below).
CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
| Created: 2007-02-17 06:36:47 | Last Changed: 2009-11-01 21:33:38 |