Oh dear! The Solaris 10/11 telnet daemon has been exploited. Kcope posted the exploit to Full-Disclosure (local mirror) this morning, and the worst part about it is that it doesn't require any skill. If you can type a command on the command line, you can exploit this vulnerability, which also means that it can easily be scripted. All you need to do is pass '-fusername' as the argument to the -l option and you get full access to the OS as the specified user, except 'root'. Here is a command line example:
telnet -l "-fbin" target_address
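The telnet client's -l option delivers the login name to the server as the USER variable of the NEW-ENVIRON option (RFC 1572), so the pattern above is visible on the wire before login ever runs. Below is an added detection example, written for this post rather than taken from it or from the exploit: it decodes the NEW-ENVIRON subnegotiation from a captured client byte stream and flags a USER value that begins with a dash, which is an option switch rather than an account name. The byte samples are constructed here for the demonstration; the function names are this example's own.

```python
# Added example for this post: flag telnet NEW-ENVIRON USER values that look
# like option switches (the "-fusername" shape) in captured client traffic.
# Constants follow RFC 854 (telnet) and RFC 1572 (NEW-ENVIRON).
IAC, SB, SE = 255, 250, 240        # telnet command bytes
NEW_ENVIRON = 39                   # option code for NEW-ENVIRON
IS, INFO = 0, 2                    # subnegotiation verbs sent by the client
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def _decode_pairs(body: bytes) -> dict:
    """Decode the VAR/USERVAR name VALUE value ... list inside one subnegotiation."""
    pairs = {}
    name, value, cur = None, None, None
    k = 0
    while k < len(body):
        b = body[k]
        if b == ESC and k + 1 < len(body) and cur is not None:
            cur.append(body[k + 1])   # ESC quotes the following byte
            k += 2
            continue
        if b in (VAR, USERVAR):
            if name is not None:       # close the previous pair
                pairs[name.decode("latin-1")] = (value or b"").decode("latin-1")
            name, value = bytearray(), None
            cur = name
        elif b == VALUE and name is not None:
            value = bytearray()
            cur = value
        elif cur is not None:
            cur.append(b)
        k += 1
    if name is not None:
        pairs[name.decode("latin-1")] = (value or b"").decode("latin-1")
    return pairs


def parse_new_environ(stream: bytes) -> dict:
    """Return {name: value} from every IAC SB NEW-ENVIRON IS/INFO ... IAC SE in stream."""
    env = {}
    i = 0
    while i < len(stream):
        if stream[i] != IAC:
            i += 1
            continue
        if (i + 3 < len(stream) and stream[i + 1] == SB
                and stream[i + 2] == NEW_ENVIRON and stream[i + 3] in (IS, INFO)):
            j = i + 4
            body = bytearray()
            while j + 1 < len(stream):          # scan to the closing IAC SE
                if stream[j] == IAC:
                    if stream[j + 1] == SE:
                        break
                    if stream[j + 1] == IAC:    # IAC IAC is a literal 0xFF
                        body.append(IAC)
                        j += 2
                        continue
                body.append(stream[j])
                j += 1
            env.update(_decode_pairs(bytes(body)))
            i = j + 2
        else:
            i += 1
    return env


def suspicious_user(env: dict) -> bool:
    """True when the negotiated USER starts with '-', i.e. it is an option switch, not a name."""
    return env.get("USER", "").startswith("-")


# Constructed samples: what a client sends in reply to the server's SEND request.
SAMPLE_BAD = (bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"-fbin"
              + bytes([IAC, SE]))
SAMPLE_OK = (bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"alice"
             + bytes([VAR]) + b"DISPLAY" + bytes([VALUE]) + b"host:0" + bytes([IAC, SE]))

if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        env = parse_new_environ(sample)
        print(label, env, "ALERT" if suspicious_user(env) else "clean")
```

The same check works as a log rule where the server records the negotiated USER: any value whose first character is '-' should never reach login, and a burst of such values across hosts is the scripted scanning the post warns about.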
In my experience, I have seen the telnet daemon enabled on a lot of the hosts I have reviewed, even where ssh is used.
I hear the sound of system administrators frantically disabling the telnet daemons throughout their Solaris environments. : )