A major flaw in Solaris 10 and 11's telnet application can be easily exploited, security researchers said today. Exploit code, meanwhile, has already been publicly posted.
According to both the SANS Institute's Internet Storm Center (ISC) and Symantec's DeepSight threat network, the telnet daemon passes switches directly to the login process which looks for a switch that allows root to login to any account without a password. "If your telnet daemon is running as root, it allows unauthenticated remote logins," said ISC's Donald Smith in an online alert.
Solaris 10 users should immediately disable telnet, according to Smith and a similar warning from Symantec. The daemon can be sidelined with the command: "svcadm disable telnet"
"The problem is that [telnet's] turned on by default," said David Maynor, CTO of Atlanta-based Errata Security. "Worse, a lot of people may block port 23 but leave it open internally. A Windows machine that's compromised [by other malware] could bounce to a Solaris system to grab that machine."
Exploit code has been publicly posted on at least one mailing list, as well as to the milw0rm.com Web site. Maynor characterized the exploit as not "requir[ing] any skill, any exploit knowledge, and [it] can be scripted for mass attacks."
Other researchers have noted that IBM's AIX operating system was nailed with a similar bug 10 years ago, but the flaw was overlooked by Sun. "It's amazing that no one's caught this before," said Maynor. "Expect mass scanning and possibly widespread exploitation."