Proventia Network IPS, RealSecure Desktop, Proventia Network IDS, Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, RealSecure Network, RealSecure Server Sensor, BlackICE PC Protection, BlackICE Server Protection, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:
This signature detects when a telnet client issues the 'telnet -l"-f<username>"' command. It looks for an Environment Option with the name of 'USER' and a value starting with '-f'.
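The check described above can be sketched as follows. This is an added example, not the vendor's signature code: it parses Telnet NEW-ENVIRON (option 39, RFC 1572) subnegotiations from one already-reassembled client byte stream and reports any `USER` value that starts with `-f`. The function names and the sample byte strings are constructed for illustration.

```python
import re

# Telnet codes from RFC 854 and RFC 1572 (NEW-ENVIRON, option 39).
NEW_ENVIRON, IS, INFO, VALUE = 39, 0, 2, 1
# One match per protocol unit, so an escaped IAC IAC pair can never be
# mistaken for the start of a subnegotiation (IAC SB ... IAC SE).
UNIT = re.compile(rb"\xff\xfa(.)((?:[^\xff]|\xff\xff)*)\xff\xf0|\xff.|[^\xff]+", re.S)
# VAR(0) / VALUE(1) / USERVAR(3) marker, then data in which ESC(2) quotes a byte.
FIELD = re.compile(rb"([\x00\x01\x03])((?:\x02.|[^\x00-\x03])*)", re.S)

def environ_pairs(payload: bytes) -> dict:
    """Parse an IS/INFO payload into {name: value}, honouring ESC quoting."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    pairs, name = {}, None
    for kind, data in FIELD.findall(payload[1:]):
        data = re.sub(rb"\x02(.)", rb"\1", data, flags=re.S)  # drop ESC quoting
        if kind[0] != VALUE:          # VAR or USERVAR starts a new variable
            name = data
            pairs.setdefault(name, b"")
        elif name is not None:        # VALUE belongs to the preceding name
            pairs[name] = data
    return pairs

def flag_user_dash_f(stream: bytes) -> list:
    """Return every USER value starting with '-f' in NEW-ENVIRON blocks."""
    hits = []
    for m in UNIT.finditer(stream):
        if m.group(1) is None or m.group(1)[0] != NEW_ENVIRON:
            continue                  # plain data, a command, or another option
        payload = m.group(2).replace(b"\xff\xff", b"\xff")  # undo IAC doubling
        user = environ_pairs(payload).get(b"USER", b"")
        if user.startswith(b"-f"):
            hits.append(user.decode("latin-1"))
    return hits

def sample(name: bytes, value: bytes) -> bytes:
    """Constructed input: IAC WILL NEW-ENVIRON, then SB IS VAR name VALUE value SE."""
    return b"\xff\xfb\x27" + b"\xff\xfa\x27\x00\x00" + name + b"\x01" + value + b"\xff\xf0"

BENIGN = sample(b"USER", b"alice")
SUSPECT = sample(b"USER", b"-f<username>")  # placeholder from the signature text
OTHER_VAR = sample(b"DISPLAY", b"-f")       # '-f' outside USER is not this signature

if __name__ == "__main__":
    for label, s in (("benign", BENIGN), ("suspect", SUSPECT), ("other", OTHER_VAR)):
        print(label, flag_user_dash_f(s))
```

A sensor working on live traffic would also need TCP reassembly in front of this, since a subnegotiation can span several segments.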
High
Proventia Network IPS: XPU 1.95, RealSecure Desktop: eqb, Proventia Network IDS: XPU 24.56, Proventia Desktop: 1960, Proventia-G 1.1 and earlier: XPU 24.56, Proventia Network MFS: XPU 1.95, IBM Security Server Protection for Windows: 1.0.914.1960, IBM Security Server Protection for Windows: 2.1.14.2400, RealSecure Network: XPU 24.56, RealSecure Server Sensor: XPU 24.56, BlackICE PC Protection: 3.6cqb, BlackICE Server Protection: 3.6.cqb, Proventia Server IPS for Linux technology: 1.95, Virtual Server Protection for VMware: 1.0
Sun Solaris: 10 SPARC, Sun Solaris: 10 x86
Unauthorized Access Attempt
Sun Solaris could allow a remote attacker to bypass authentication because of an error in the telnet daemon (in.telnetd). By sending a specially crafted telnet login request, a remote attacker could bypass authentication and gain unauthorized access to the system.
Note: Remote root login must be enabled to gain root privileges.
Refer to Sun Alert ID: 102802 for upgrade or suggested workaround information. See References.
US-CERT Vulnerability Note VU#881872
Sun Solaris telnet authentication bypass vulnerability
http://www.kb.cert.org/vuls/id/881872
Full-Disclosure Mailing List, Mon Feb 12 2007 - 16:05:05 CST
Solaris telnet vulnberability - how many on your network?
http://archives.neohapsis.com/archives/fulldisclosure/2007-02/0280.html
Sun Microsystems, Inc. Web site
Sun Microsystems
http://www.sun.com/
Full-Disclosure Mailing List, Sat Feb 10 2007 - 22:59:56 CST
"0day was the case that they gave me"
http://archives.neohapsis.com/archives/fulldisclosure/2007-02/0218.html
FrSIRT/ADV-2007-0560
Sun Solaris Telnet Daemon Authentication Bypass Remote System Access Vulnerability
http://www.frsirt.com/english/advisories/2007/0560
Sun Alert ID: 102802
Security Vulnerability in the in.telnetd(1M) Daemon May Allow Unauthorized Remote Users to Gain Access to a Solaris Host
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1
US-CERT Technical Cyber Security Alert TA07-059A
Sun Solaris Telnet Worm
http://www.us-cert.gov/cas/techalerts/TA07-059A.html
Security Sun Alert Feed, 28 Feb 2007
Solaris in.telnetd worm seen in the wild + inoculation script
http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen
ISS X-Force
Sun Solaris telnet authentication bypass
http://www.iss.net/security_center/static/32434.php
CVE
CVE-2007-0882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882