ATTENTION SOLARIS ADMINS

Thread: ATTENTION SOLARIS ADMINS

  1. #1
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914

    ATTENTION SOLARIS ADMINS

    I just threw up a blog post with all the relevant details (http://www.computerdefense.org/?p=258). Needless to say there's a new 0-day in the Solaris telnet daemon. It's rather simple to bypass and could be remotely exploited by my grandmother... If you're running telnet still.. Disable it.
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  2. #2
    Senior Member Syini666's Avatar
    Join Date
    Aug 2001
    Posts
    551
    HT wouldn't you agree however that anybody still using telnet for anything other than a bad joke deserves what they get in this case, since it's standard knowledge how much telnet sucks? And wow what a short exploit, perhaps a record setter?
    You're not your post count, You're not your avatar or sig, You're not how fast your internet connection is, You are not your processor, hard drive, or graphics card. You're the all-singing, all-dancing crap of AO
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

  3. #3
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Quote Originally Posted by Syini666
    HT wouldn't you agree however that anybody still using telnet for anything other than a bad joke deserves what they get in this case, since it's standard knowledge how much telnet sucks? And wow what a short exploit, perhaps a record setter?
    Telnet is considered an inherent security risk because of the lack of encryption... (among other things)... but there's always a chance that someone could be running ssl-telnet or krb-telnet. There are also some situations where telnet is almost "required" but is sometimes an ease of use thing for people...

    I agree though that in an environment with any sense of security you probably *shouldn't* be running telnet... but I don't agree that they deserve what they get...

  4. #4
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    anybody still using telnet for anything other than a bad joke deserves what they get
    Not really, no. I have lots of legacy infrastructure hardware that only accepts telnet connections. Likewise I know of a fair amount of other people who are in the same boat.....

    'Because they use telnet' is not a valid answer when someone asks you why something should be upgraded.

    Anyone who works or has worked in a corporate environment will always find themselves using telnet from time to time.....
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  5. #5
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    I have to argue nokia's corner on this one. Whilst I would agree that Telnet would not be your application of choice, that implies that you actually have a choice?

    Let's face it folks, legacy systems can be a real PITA if you cannot get the budget/resources to replace them?

    My view is that Telnet is fine, provided that it is used internally, which is what I believe was its original intention?

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #6
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Quote Originally Posted by nihil

    My view is that Telnet is fine, provided that it is used internally, which is what I believe was its original intention?

    I don't know that I agree with that... on your internal network is where you are subject to sniffing... we all know, that unless you're some big hub or at an ISP, you're not going to be sniffing internet traffic.... Which eliminates the plaintext problem for the most part...

    As for legacy systems... We actually had (and it took considerable effort) SSH running on SunOS 4... You can get it on a lot of systems... but yes there's the occasional system that you have to have telnet running on... Those systems, however, should have access controls in place... IP address limitations, etc.... that should shield them from vulnerabilities in telnet, such as this one..

  7. #7
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    HT~ ,

    Sorry mate, that was a rather slack post on my part. I was referring to home, and SOHO type environments where everyone is "trusted".


  8. #8
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    If you have someone sniffing your internal traffic, using telnet is the least of your worries

  9. #9
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    That is very true.................never let an HR problem become an IT one

  10. #10
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Quote Originally Posted by Nokia
    If you have someone sniffing your internal traffic, using telnet is the least of your worries
    If proper protocols are in place then it shouldn't be too much of a bother to have someone sniffing on your network...

    There are places where detecting sniffing is going to be impossible... and I can bet you that employees at lots of companies play with sniffers.. or college students...

    I would say that telnet running is a bigger concern than people sniffing... either way the environment is probably not properly secured (so it probably becomes a moot point)...
