Sun Solaris telnet authentication bypass (Telnet_User_Environment_Bypass)

About this signature or vulnerability

RealSecure Network, RealSecure Server Sensor, BlackICE PC Protection, BlackICE Server Protection, IBM Security Server Protection for Windows, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, RealSecure Desktop, Proventia Server IPS for Linux technology, Proventia Network IPS, Proventia Desktop, Virtual Server Protection for VMware:

This signature detects when a telnet client issues the 'telnet -l"-f<username>"' command. It looks for a telnet Environment Option subnegotiation carrying a variable named 'USER' whose value starts with '-f'.
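The detection logic described above, written out as an added example (this is not the ISS/IBM signature code, and the byte streams in it are constructed samples). It walks a raw client-to-server telnet byte stream, extracts NEW-ENVIRON (RFC 1572, option 39) subnegotiations, decodes the VAR/USERVAR/VALUE tokens including ESC quoting and doubled IAC bytes, and reports any USER variable whose value begins with "-f". The `encode_new_environ` helper exists only to build the sample streams; real sensors would feed captured bytes into `detect_user_env_bypass`.

```python
"""Toy detector for the Telnet_User_Environment_Bypass pattern (added example,
not ISS/IBM signature code).  Parses NEW-ENVIRON subnegotiations out of a raw
telnet byte stream and flags a USER variable whose value starts with "-f"."""
from collections import namedtuple

# Telnet command bytes (RFC 854) and NEW-ENVIRON codes (RFC 1572)
IAC, SE, SB = 255, 240, 250
WILL, WONT, DO, DONT = 251, 252, 253, 254
NEW_ENVIRON = 39
IS, SEND, INFO = 0, 1, 2               # subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3  # token codes inside the payload

EnvEntry = namedtuple("EnvEntry", "kind name value")


def iter_subnegotiations(stream: bytes):
    """Yield (option, payload) for every complete IAC SB ... IAC SE block.
    Doubled IAC bytes inside the block are unescaped; a block that is cut
    off before its IAC SE is dropped rather than guessed at."""
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC or i + 1 >= n:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd in (WILL, WONT, DO, DONT):
            i += 3                      # three-byte option negotiation
            continue
        if cmd != SB:
            i += 2                      # IAC IAC (literal 0xFF) or a 2-byte command
            continue
        if i + 2 >= n:
            break
        option = stream[i + 2]
        payload, j = bytearray(), i + 3
        while j < n:
            if stream[j] != IAC:
                payload.append(stream[j])
                j += 1
                continue
            if j + 1 < n and stream[j + 1] == IAC:
                payload.append(IAC)     # escaped literal 0xFF
                j += 2
                continue
            break                       # IAC SE (or a stray command) ends the block
        if j + 1 >= n:
            break                       # truncated block: ignore it
        yield option, bytes(payload)
        i = j + 2


def _decode(buf):
    return None if buf is None else bytes(buf).decode("latin-1")


def parse_new_environ(payload: bytes):
    """Split a NEW-ENVIRON payload into (command, [EnvEntry, ...]).
    Layout: <IS|SEND|INFO> then repeated VAR/USERVAR <name> [VALUE <value>];
    ESC quotes the following byte so names and values may contain token codes."""
    if not payload:
        return None, []
    cmd, entries, current, target = payload[0], [], None, None
    i = 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR):
            if current is not None:
                entries.append(current)
            current = {"kind": "VAR" if b == VAR else "USERVAR",
                       "name": bytearray(), "value": None}
            target = current["name"]
        elif b == VALUE and current is not None:
            current["value"] = bytearray()
            target = current["value"]
        elif b == ESC:
            i += 1
            if i < len(payload) and target is not None:
                target.append(payload[i])
        elif target is not None:
            target.append(b)
        i += 1
    if current is not None:
        entries.append(current)
    return cmd, [EnvEntry(e["kind"], _decode(e["name"]), _decode(e["value"])) for e in entries]


def detect_user_env_bypass(client_stream: bytes):
    """Return the USER values starting with "-f" seen in client -> server bytes.
    Only IS/INFO payloads carry the client's variables; SEND is the server's request."""
    hits = []
    for option, payload in iter_subnegotiations(client_stream):
        if option != NEW_ENVIRON:
            continue
        cmd, entries = parse_new_environ(payload)
        if cmd not in (IS, INFO):
            continue
        for e in entries:
            if e.name == "USER" and e.value is not None and e.value.startswith("-f"):
                hits.append(e.value)
    return hits


def _quote(data: bytes) -> bytes:
    """ESC-quote the token codes and double IAC, as RFC 1572 / RFC 855 require."""
    out = bytearray()
    for b in data:
        if b in (VAR, VALUE, ESC, USERVAR):
            out.append(ESC)
        out.append(b)
        if b == IAC:
            out.append(IAC)
    return bytes(out)


def encode_new_environ(cmd: int, pairs) -> bytes:
    """Build IAC SB NEW-ENVIRON <cmd> ... IAC SE from (kind, name, value) triples."""
    body = bytearray([IAC, SB, NEW_ENVIRON, cmd])
    for kind, name, value in pairs:
        body.append(VAR if kind == "VAR" else USERVAR)
        body += _quote(name.encode("latin-1"))
        if value is not None:
            body.append(VALUE)
            body += _quote(value.encode("latin-1"))
    return bytes(body + bytes([IAC, SE]))


# Constructed sample streams (client -> server), each preceded by the option reply.
BENIGN_STREAM = bytes([IAC, WILL, NEW_ENVIRON]) + encode_new_environ(
    IS, [("VAR", "USER", "alice"), ("VAR", "DISPLAY", "host:0")])
SUSPECT_STREAM = bytes([IAC, WILL, NEW_ENVIRON]) + encode_new_environ(
    IS, [("VAR", "USER", "-fsomeuser")])        # placeholder user name
SERVER_REQUEST = encode_new_environ(SEND, [("VAR", "USER", None)])  # server side, no values

if __name__ == "__main__":
    for label, stream in (("benign", BENIGN_STREAM), ("suspect", SUSPECT_STREAM)):
        print(label, detect_user_env_bypass(stream))
```

The parser deliberately refuses to report on a subnegotiation that has no terminating IAC SE, and only inspects IS/INFO payloads, so a server's own SEND request or a fragment split across packets cannot produce a false match; a sensor reassembling TCP streams would buffer until the block is complete.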


Default risk level

High

Sensors that have this signature

RealSecure Network: XPU 24.56, RealSecure Server Sensor: XPU 24.56, BlackICE PC Protection: 3.6cqb, BlackICE Server Protection: 3.6.cqb, IBM Security Server Protection for Windows: 1.0.914.1960, Proventia Network MFS: XPU 1.95, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia-G 1.1 and earlier: XPU 24.56, Proventia Network IDS: XPU 24.56, RealSecure Desktop: eqb, Proventia Server IPS for Linux technology: 1.95, Proventia Network IPS: XPU 1.95, Proventia Desktop: 1960, Virtual Server Protection for VMware: 1.0

Systems affected

Sun Solaris: 10 SPARC, Sun Solaris: 10 x86

Type

Unauthorized Access Attempt

Vulnerability description

Sun Solaris could allow a remote attacker to bypass authentication because of a flaw in the telnet daemon (in.telnetd). By sending a specially crafted telnet login request, a remote attacker could bypass authentication and gain unauthorized access to the system.

Note: Remote root login must be enabled to gain root privileges.

How to remove this vulnerability

Refer to Sun Alert ID: 102802 for upgrade or suggested workaround information. See References.

References

US-CERT Vulnerability Note VU#881872
Sun Solaris telnet authentication bypass vulnerability
http://www.kb.cert.org/vuls/id/881872

Full-Disclosure Mailing List, Mon Feb 12 2007 - 16:05:05 CST
Solaris telnet vulnberability - how many on your network?
http://archives.neohapsis.com/archives/fulldisclosure/2007-02/0280.html

Sun Microsystems, Inc. Web site
Sun Microsystems
http://www.sun.com/

Full-Disclosure Mailing List, Sat Feb 10 2007 - 22:59:56 CST
"0day was the case that they gave me"
http://archives.neohapsis.com/archives/fulldisclosure/2007-02/0218.html

FrSIRT/ADV-2007-0560
Sun Solaris Telnet Daemon Authentication Bypass Remote System Access Vulnerability
http://www.frsirt.com/english/advisories/2007/0560

Sun Alert ID: 102802
Security Vulnerability in the in.telnetd(1M) Daemon May Allow Unauthorized Remote Users to Gain Access to a Solaris Host
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1

US-CERT Technical Cyber Security Alert TA07-059A
Sun Solaris Telnet Worm
http://www.us-cert.gov/cas/techalerts/TA07-059A.html

Security Sun Alert Feed, 28 Feb 2007
Solaris in.telnetd worm seen in the wild + inoculation script
http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen

ISS X-Force
Sun Solaris telnet authentication bypass
http://www.iss.net/security_center/static/32434.php

CVE
CVE-2007-0882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882