Re: Solaris telnet vulnberability - how many on your network?
Nate Eldredge wrote:
I have now set up a virtual Solaris 8 box to test this with root access,
and it appears you are correct. When run as root, "login -f root"
presents a login prompt, just like login without arguments. So it is
not "supported" in the sense of having the Solaris 10 documented behavior.
I tested this as well on a Solaris 8 box. I did not get the behavior
you described.
# uname -a
SunOS skyhawk 5.8 Generic_108528-29 sun4u sparc SUNW,Sun-Blade-100
# /bin/login -froot
Not on system console
As you can see, it did not prompt me for a password. Obviously the -f
option is recognized and its semantics are implemented.
However telnet could not be used to exploit it in the same was a Solaris
10 was exploited.
Using "strings" to look at the getopt option list reveals that an
undocumented "-a" option also exists. I don't know what it does,
either. More material for the backdoor conspiracy theorists, I suppose.
Fortunately there doesn't appear to be a "-nsakey" option.
As far as the -a option, it does not do anything. The OpenSolaris
source says:
case 'a':
break;
I'm guessing that this behavior is left over from the older versions of
Solaris.
--
Edsel Adap
edsel@xxxxxxxx
http://www.adap.org/~edsel/ LINUX - the choice of the GNU
generation