Re: Solaris telnet vulnerability - how many on your network?

[Brad_Powell () amat com]

Vincent Archer <varcher () denyall com> wrote on 02/12/2007 04:51:07 AM:

I don't speak for Sun, but here are some hints that might help.
> OS packaging person here (the guy who defines the exact stripped version
> we install on customer appliance) did test with root, and it worked. I
> suspect it is dependent on whether root is enabled as allowed as a 
remote
> login or not (a setting I dimly remember being available on solaris 10
> years ago, I think).

For root login; there is a setting in /etc/default/login. If CONSOLE is 
set, then root can only login
on that device i.e. "CONSOLE=/dev/ttya" means "root" can only login on 
ttya device. Any other user via
telnet/ssh/whatever has to login as themselves and "su" to root.

This doesn't prevent telnet -l "-fbin", or -flp; for those accounts best 
bet is to change /etc/passwd for the shell of system-account users to 
/sbin/noshell or /bin/false (noshell just logs the entry and exists)

Of course disabling in.telnetd in /etc/inetd.conf (and doing a pkill -HUP 
inetd) if possible is a safe bet,
but some sites are forced to use telnetd.



Brad Powell
Sr. Security Manager
Information Security and Risk Management.
Global Information Services.
Applied Materials Inc.
Office 408- 563-1350

The content of this message is Applied Materials Confidential.  If you are 
not the intended recipient and have received this message in error, any 
use or distribution is prohibited. Please notify me immediately by reply 
e-mail and delete this message from your computer system. Thank you.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/