Thursday, March 1, 2007

Solaris Zero-Day Telnet Exploit

The incident happened around two weeks back. But for one reason or the other, I have not been able to post about it. Pardon me, readers, for this negligence!!!

Recently, a zero-day exploit in the in.telnetd(1M) binary shipped with Solaris came to light.

For readers who are not aware of what a zero-day exploit is, let me first take a step back and explain. When a vulnerability is found in a piece of software, an announcement of the vulnerability goes online for the benefit of the vendor as well as the people using the software. The vendor then rushes to fix the vulnerability and release a patch before the exploit (the piece of software that takes advantage of the vulnerability) is released to the public. The term "zero-day exploit" refers to an exploit that is released to the public (by the person or group who finds it) on the same day as the vulnerability or the vendor patch.

The exploit for in.telnetd(1M) on Solaris was quite simple. If a Solaris machine had telnet access enabled, anyone with network access to the machine could log in as any user, without any password, using nothing but telnet.

Really, the exploit was as simple as issuing:

    telnet -l "-froot" <hostname or address>        (gives root access)

Actually, one can configure a Solaris machine to disallow remote login by root. If that's the case, one could give any username instead of "root" and log in as that valid user.
It's easy to see how one could wreak havoc in such a case.
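As an added example (not code from Sun, from the original post, or from Alan Hargreaves's write-up), the C program below models the class of bug involved: a telnet daemon builds the argument vector for /bin/login from the name the client supplied with -l, so a name beginning with '-' is parsed by login as an option, and "login -f user" tells login that the user is already authenticated. The "/bin/login" path, the "-p" flag, the 32-character name limit, the allowed character set and the simplified getopt-style model of login's parser are all assumptions made for this example. The hardened builder rejects any name that could be read as an option, which is the check a defender wants in front of any privileged program that is handed a client-chosen argument.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGV 8

/*
 * Vulnerable pattern: the name the client sent ("telnet -l NAME") is copied
 * into login's argument vector unchecked.  "/bin/login" and the "-p" flag
 * are assumptions standing in for whatever a real daemon passes.
 */
int build_login_argv_vulnerable(const char *user, const char *argv[MAX_ARGV])
{
    int n = 0;
    argv[n++] = "/bin/login";
    argv[n++] = "-p";     /* assumed daemon-supplied flag (preserve environment) */
    argv[n++] = user;     /* attacker-controlled: "-froot" becomes an option */
    argv[n] = NULL;
    return n;
}

/*
 * Hardened pattern: accept only names that cannot be mistaken for options.
 * The length limit and character set are assumptions for this example.
 */
int valid_login_name(const char *user)
{
    size_t len = strlen(user);
    if (len == 0 || len > 32)
        return 0;
    if (user[0] == '-')   /* a leading '-' would be parsed by login as an option */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Returns argc, or -1 if the name is rejected (login should then prompt). */
int build_login_argv_hardened(const char *user, const char *argv[MAX_ARGV])
{
    int n = 0;
    if (!valid_login_name(user))
        return -1;
    argv[n++] = "/bin/login";
    argv[n++] = "-p";
    argv[n++] = user;
    argv[n] = NULL;
    return n;
}

/*
 * Simplified model of login's getopt(3)-style option scan (an assumption,
 * not Solaris login's real parser).  Returns 1 if "-f" is present, meaning
 * login treats the user as already authenticated and asks for no password;
 * the name login would act on is copied into 'who'.
 */
int login_skips_password(const char *argv[], char *who, size_t wholen)
{
    int preauth = 0;
    who[0] = '\0';
    for (int i = 1; argv[i] != NULL; i++) {
        const char *a = argv[i];
        if (a[0] != '-' || a[1] == '\0') {          /* positional: the user name */
            if (who[0] == '\0')
                snprintf(who, wholen, "%s", a);
            continue;
        }
        for (size_t j = 1; a[j] != '\0'; j++) {     /* option cluster, e.g. "-froot" */
            if (a[j] == 'f') {
                const char *arg = a + j + 1;         /* "-froot" -> argument "root" */
                if (*arg == '\0' && argv[i + 1] != NULL)
                    arg = argv[++i];                 /* "-f root" form */
                snprintf(who, wholen, "%s", arg);
                preauth = 1;
                break;
            }
            /* other flags such as -p take no argument here and are ignored */
        }
    }
    return preauth;
}

int main(void)
{
    const char *argv[MAX_ARGV];
    char who[64];

    build_login_argv_vulnerable("-froot", argv);
    printf("vulnerable: skips password=%d, user=%s\n",
           login_skips_password(argv, who, sizeof who), who);

    if (build_login_argv_hardened("-froot", argv) < 0)
        printf("hardened: name \"-froot\" rejected before login is run\n");
    build_login_argv_hardened("alice", argv);
    printf("hardened: skips password=%d, user=%s\n",
           login_skips_password(argv, who, sizeof who), who);
    return 0;
}
```

Build with a C99 compiler (cc -std=c99) and run it. The same validation applies to any service that turns client input into argv for a setuid or otherwise privileged helper: a value that a downstream program may interpret as an option must be rejected, not just passed along.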

As soon as the news broke on online forums, Sun engineers got to work on it. In fact, since the code was open, the poster actually pointed at the code that was at fault, and that sped up the patch process. For a really good and interesting account of the patch process Sun followed for this bug, read this blog posting by Alan Hargreaves, one of the Sun engineers who worked on the patch.

Now there were concerns as to how such an exploit could have been overlooked in Solaris, especially since the same bug had been identified on Unix in 1994. Sun engineer Casper Dik gives a really good explanation.

Anyway, Sun released the patch for the bug really fast, and I presume people around the world using Solaris installed it soon enough. One good point to note is that since OpenSolaris is open source, the exploit was found and then fixed really fast. One could argue that the open code contributed to the discovery of the exploit, but I would stress that the open code helped to find the fix fast as well. Bugs are present in software all the time; fixing them and making the software more robust is what counts more. So making Solaris open source surely helped everyone!!!

For more details, read this.
