VID | 14047 |
Severity | 40 |
Port | 23 |
Protocol | TCP |
Class | TELNET |
Detailed Description |
The telnet server is vulnerable to an authentication bypass via the 'USER' environment variable. The telnet daemon (in.telnetd) in Sun Solaris 10 and 11 could allow a remote attacker to bypass authentication, caused by improper validation of the user-supplied 'USER' environment variable. By supplying a specially malformed USER environment variable, a remote attacker could bypass authentication and gain unauthorized access to an affected system with the privileges of an arbitrary user (including the "root" user if the host is configured to accept telnet logins as root). For example, by issuing the following command:
telnet -l "-fbin" targethost
You will obtain a shell with the privileges of the 'bin' user.
* References:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1
http://www.frsirt.com/english/advisories/2007/0560
http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052358.html
http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052324.html
http://www.kb.cert.org/vuls/id/881872
http://www.milw0rm.com/exploits/3293
http://www.securitytracker.com/id?1017625
http://secunia.com/advisories/24120
* Platforms Affected: Sun Solaris 10, Sun Solaris 11 |
Recommendation |
Install patch 120068-02 (sparc) or 120069-02 (i386) for this vulnerability, or apply the suggested workaround, as listed in Sun Alert Notification 102802 at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1 |
Related URL | CVE-2007-0882 (CVE) |
Related URL | 22512 (SecurityFocus) |
Related URL | 32434 (ISS) |
|
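Detection sketch for the USER variable described above, added here as an example and not taken from the advisory or from Sun: it decodes telnet NEW-ENVIRON subnegotiations (RFC 1572, the option `telnet -l` uses to send the login name) in captured client-to-server bytes and reports USER values that begin with '-'. The function names, the sample bytes and the leading-'-' heuristic (modelled on the "-fbin" value shown on this page) are assumptions.

```python
# Telnet command bytes (RFC 854) and NEW-ENVIRON codes (RFC 1572)
IAC, SB, SE, NEW_ENVIRON = 255, 250, 240, 39
IS, INFO = 0, 2                       # subnegotiation types that carry values
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3

def subnegotiations(stream):
    """Yield (option, payload) for each complete IAC SB <option> ... IAC SE."""
    i = 0
    while i + 2 < len(stream):
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            i += 2                    # other command, or an escaped IAC IAC
        else:
            end = i + 3
            while end + 1 < len(stream) and stream[end:end + 2] != bytes([IAC, SE]):
                end += 2 if stream[end] == IAC else 1
            if end + 1 < len(stream): # terminator found; un-double IAC IAC
                yield stream[i + 2], stream[i + 3:end].replace(b"\xff\xff", b"\xff")
            i = end + 2

def environ_pairs(payload):
    """Decode an IS/INFO payload into {name: value}; ESC quotes the next byte."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    tokens, i = [], 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, VALUE, USERVAR):
            tokens.append((b, bytearray()))
        elif tokens:
            if b == ESC and i + 1 < len(payload):
                i += 1                # take the quoted byte literally
            tokens[-1][1].append(payload[i])
        i += 1
    pairs, name = {}, None
    for kind, data in tokens:
        if kind != VALUE:
            name = data.decode("latin-1")
        elif name is not None:
            pairs[name] = data.decode("latin-1")
    return pairs

def suspicious_users(stream):
    """Return every USER value in the stream that begins with '-'."""
    users = (environ_pairs(p).get("USER", "")
             for opt, p in subnegotiations(stream) if opt == NEW_ENVIRON)
    return [u for u in users if u.startswith("-")]

# Constructed sample: IAC SB NEW-ENVIRON IS VAR "USER" VALUE "-fbin" IAC SE
SAMPLE = bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"-fbin" + bytes([IAC, SE])
```

`suspicious_users(SAMPLE)` returns `['-fbin']`; a hit on port 23 traffic to a Solaris 10 or 11 host is worth correlating with the login records for the named account.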