
Worm Exploiting Solaris Telnetd Vulnerability

Zonk posted more than 7 years ago | from the beware-of-rotten-fruit dept.

Security 164

MichaelSmith writes "Several news sites are reporting that a worm is starting to exploit the Solaris Telnet 0-day vulnerability. By adding simple text to the Telnet command, the system will skip asking for a username and password. If the systems are installed out of the box, they automatically come Telnet-enabled. 'The SANS Internet Storm Center, which monitors Internet threats, has noticed some increase in activity on the network port used by Solaris' telnet feature, according to an ISC blog posted on Tuesday. "One hopes that there aren't that many publicly reachable Solaris systems running telnet," ISC staffer Joel Esler wrote.'"


164 comments

Yep. (4, Insightful)

AltGrendel (175092) | more than 7 years ago | (#18207766)

That's one of the first things any good admin turns off.

Use SSH.

...oh, and don't forget to wear your raincoat.

Re:Yep. (4, Insightful)

fm6 (162816) | more than 7 years ago | (#18207892)

Yeah, that was my response when I first heard of this bug/exploit. But the real question is, should systems be shipped with telnet enabled? Obviously the answer is "no", but vendors seem to be slow to get this message.

And note that this worm is enabled by a bug in Solaris's implementation of telnet, not by telnet itself. A similar bug in ssh would have had the same effect.

Re:Yep. (3, Funny)

Venik (915777) | more than 7 years ago | (#18208146)

I think the real question is: should Solaris telnetd have such an immense security hole?

Re:Yep. (0, Flamebait)

Random Destruction (866027) | more than 7 years ago | (#18208228)

what an idiotic question

Re:Yep. (1)

ArcherB (796902) | more than 7 years ago | (#18208632)

-->I think the real question is: should Solaris telnetd have such an immense security hole?

what an idiotic question

I think the question was rhetorical.

My question is: Who the hell still uses telnet? I don't even use telnet on my LAN.

Re:Yep. (0)

Anonymous Coward | more than 7 years ago | (#18208416)

Ummm... no?

Re:Yep. (1)

fm6 (162816) | more than 7 years ago | (#18209346)

No, the real question is: should I pay attention to a post stating the obvious?

Re:Yep. (2, Interesting)

ray-auch (454705) | more than 7 years ago | (#18208324)

But the real question is, should systems be shipped with telnet enabled? Obviously the answer is "no", but vendors seem to be slow to get this message.

This is Sun. Remember "+" in hosts.equiv ? They deliberately shipped with a known insecure default config in order to reduce support costs / complaints ("ease-of-use" was allegedly considered more important than security).

Re:Yep. (2, Insightful)

fm6 (162816) | more than 7 years ago | (#18209406)

Putting ease of use ahead of security is hardly unique to Sun. Actually, this kind of thing isn't even an ease of use issue. Somebody gets a customer complaint, they see a fix, and they implement it without thinking through the security implications. Happens every day — usually several times.

Re:Yep. (1)

djh101010 (656795) | more than 7 years ago | (#18208446)

Yeah, that was my response when I first heard of this bug/exploit. But the real question is, should systems be shipped with telnet enabled? Obviously the answer is "no", but vendors seem to be slow to get this message.

Serious questions: 1. Who ships with telnet enabled? Certainly not Apple or any of the Linux distros I've used. and 2. Who uses Unix systems with the default build installed by Sun? Do they even _come_ with an OS anymore?

Re:Yep. (0)

Anonymous Coward | more than 7 years ago | (#18208720)

Serious answers:

1: Ummm, Solaris ships with telnet enabled. Did you see the headline of the article you are posting in regards to?

2: Many people, or there would be no worm, if you want a concrete example then look elsewhere.

Re:Yep. (1)

djh101010 (656795) | more than 7 years ago | (#18209600)

Serious answers:

1: Ummm, Solaris ships with telnet enabled. Did you see the headline of the article you are posting in regards to?
Ummm, No, it doesn't. But I've only got about 1000 of 'em to use as a sample size so maybe my experience is too limited.

2: Many people, or there would be no worm, if you want a concrete example then look elsewhere.
Your (2) depends on your (1) to be true, and I suspect that it is not.

As others have pointed out, many of whom even stand behind their statements with their identity, the admin has to specifically decide they want telnet enabled. Exposing telnet to anything, especially the public internet, has been widely regarded as an Astonishingly Bad Idea for many years.

Re:Yep. (0)

Anonymous Coward | more than 7 years ago | (#18209858)

Um yes it does. If you have 1000 machines you probably have an image, jumpstart installation, custom installer, or possibly newer OS CDs/DVDs. The admin, since it's probably not you, also could have disabled it after the fact.

Telnet has been enabled by default for a long time on the default installs going back quite a ways on up well into several Solaris 10 sub-releases.

Re:Yep. (1)

G00F (241765) | more than 7 years ago | (#18208846)

"Yeah, that was my response when I first heard of this bug/exploit."

Eh? My response was, who cares, no one uses it, but I'll check the top level comments to see if there was anything interesting or insightful. I guess not ;)

Re:Yep. (1)

fm6 (162816) | more than 7 years ago | (#18209496)

Typical Slashdotter provincialism. In the real world, "No one I know" != "No one". And I'm guessing you don't run a data center or anything like that. Probably the fanciest system you've ever seen is your big brother's game machine.

please take this into account (1)

Animixer (134376) | more than 7 years ago | (#18209508)

#1 - By default, you can never log in with root remotely via any means (only via an su). You'll note that /etc/default/login by default restricts root logins to the local console.

#2 - Any admin worth his/her salt will disable anything not required before making a system publicly accessible. This is not a consumer OS so people should be expected to have a clue.

#3 - Less salty admins will find that new installs of Solaris 10 will have a checkbox that restricts remote access to ssh only unless they specifically open the whole system up.

I'd imagine virtually all Solaris deployments are done via a custom JumpStart configuration anyways, and the primary admin of that would have all the patches and lockdowns scripted into the finish scripts. I do this for a lab environment and it works well.

Re:Yep. (0)

Anonymous Coward | more than 7 years ago | (#18208142)

Certainly SSH should be used instead. It's scary that this thing is propagating at all because:

1. Telnet should be turned off. It's insecure and everyone should have moved to SSH years ago.
2. The Solaris boxes should all be immune since a patch has been around for a decent amount of time.
3. These networks should all have firewalls on them which should block telnet if it is for some reason being used internally, or someone did forget to patch it or turn it off.

Did all the PHBs get rid of all their decent administrators? This thing should not be spreading at all now. It's a very sad state of affairs that it is.

Re:Yep. (1)

qwijibo (101731) | more than 7 years ago | (#18208624)

Yes, they did. In PHBthink, it's cheaper to bring in a consultant at any cost when a problem occurs instead of spending the money on maintenance. The results of the money spent on maintenance are invisible, whereas consultants address known, specific problems. I think the management-by-Russian-roulette philosophy is all the rage in MBA schools now.

Re:Yep. (1)

Afecks (899057) | more than 7 years ago | (#18208168)

A good Windows admin has a router, firewall, anti-virus, automatic updates and a 3rd party browser. If that's not a good argument against the thousands of Windows zombies out there then it's not a good argument for you either.

Re:Yep. (3, Insightful)

iamacat (583406) | more than 7 years ago | (#18208380)

ssh is actually more complex than telnet and more likely to have exploitable bugs - there were a couple featured on slashdot in fact. ssh is for protection of the user, not the host system. It can make intrusion recovery more difficult, as you will not be able to see what the attacker is doing using network monitoring tools. Sun just got sloppy/unlucky with this one by unnecessarily mucking with login. Don't they teach in school to not add command line options/environment variables to a setuid program?

MOD PARENT UP (1)

Schraegstrichpunkt (931443) | more than 7 years ago | (#18208644)

Exactly. All these comments to the effect of "telnetd should be off by default" are missing the point. Yes, telnetd should be off by default, but that's just so that dumb users don't get used to typing in their passwords over a cleartext connection.

It makes me wonder about how much original thought there is on Slashdot, versus how many comments are just clueless people using technical terms in a syntactically-correct fashion without really understanding what they're saying.

If I went back into the Slashdot archives for around 1999, I wouldn't be surprised if I could find a ton of comments to the effect of "only stupid people write down their passwords".

Re:MOD PARENT UP (1)

amper (33785) | more than 7 years ago | (#18209924)

What really makes me laugh is how many people think that running sshd instead of telnetd is somehow going to magically give you protection from being hacked.

For those of you who don't realize this...you can break into *any* vanilla sshd by guessing the right password...just the same as if you were running telnetd. The *only* difference is somewhat greater protection over having your password sniffed over the network while in transit. Unless, of course, you're running some sort of PKI infrastructure with client certificate authentication, or some such...which very, very few people ever implement.

Exercise for the reader (at least, those of us who actually have root access to real servers connected to the Internet): Go take a look at your authentication logs to see how many bots out there are trying to guess your ssh password. Solution #1: Put an externally configurable firewall on your network, and only enable ssh traffic when you need access. Then shut the port when you're done. Never rely on a single layer of security.

Besides which, the possibility of your password *actually getting sniffed* is extremely small, unless your traffic is being routed through already insecure systems, which is a highly unlikely possibility.

The sky is not falling. But you should be aware that sometimes things do drop out of the sky and land on people.

Re:MOD PARENT UP (1)

Red Flayer (890720) | more than 7 years ago | (#18210016)

It makes me wonder about how much original thought there is on Slashdot, versus how many comments are just clueless people using technical terms in a syntactically-correct fashion without really understanding what they're saying.

You must be new here.

If I went back into the Slashdot archives for around 1999, I wouldn't be surprised if I could find a ton of comments to the effect of "only stupid people write down their passwords".

That's because obvious truths == positive moderation. Inobvious truths and original thought aren't recognized by most moderators.

This is a product of the moderation system, which rewards both groupthink and stating the obvious. That said, I've yet to see anything nearly as good as the slashdot system for moderation.

Oh, and browsing at +4 certainly helps a lot -- really increases the signal to noise ratio.

Re:Yep. (1)

drinkypoo (153816) | more than 7 years ago | (#18209766)

ssh is actually more complex than telnet and more likely to have exploitable bugs - there were a couple featured on slashdot in fact. ssh is for protection of the user, not the host system.

Keeping user accounts secure provides for the protection of the system. It's usually a lot easier to escalate from a local user to root than to simply get remote root.

It can make intrusion recovery more difficult, as you will not be able to see what the attacker is doing using network monitoring tools.

That would be intrusion detection, not recovery. Recovery is after-the-fact, not during. And in any case, it is possible to snoop the tty instead of the session, so long as you have access to the machine yourself. I know this from personal experience because this jackass who lives in Santa Cruz called 'WayHigh' who gave me a shell snooped on an irc session I was using on his system, talking to my girlfriend (who was his ex, kinda. I think they fucked once.)

Not that you all needed all that data, but I like to smear spying assholes any chance I get and giving details is important.

No system should ever ship with any unencrypted logins turned on by default. Not in HTTP auth, not in logging into the system, not anywhere.

Re:Yep. (1)

iamacat (583406) | more than 7 years ago | (#18210134)

So in the case you described, encryption would benefit you and not the owner of the system. An intruder could use a shell without a tty and ptrace his own processes so that you can not. It's much more reliable to log telnet traffic from an independent system that doesn't allow any remote access. If I need to give people accounts with potentially dangerous privileges for them to do work, I might prefer telnet so that, if someone "fucks once" with my database, I can discover who it was. If I am chatting with my wife, I prefer SILC with client/server and peer-to-peer public key encryption. If I am dealing with embedded devices with 16 MHz CPUs, I don't have much of a choice. It all depends on the use case.

Correction (2, Interesting)

Megane (129182) | more than 7 years ago | (#18208408)

Correction: that's one of the first things any good distro never turns on.

Linux and BSD had it for a long time before Solaris had it in the standard install. And you can't even enable telnetd on OS X since about 10.2 or so, unless you know how to edit the right config files in /etc.

Re:Yep. (0)

Anonymous Coward | more than 7 years ago | (#18209336)

How come nobody tagged this with "haha"? Where are all the kids who jump on these things and say stuff like "OMGz0r! $un sux! They are so insecure and don't care they only want your money!"

Re:Yep. (1)

Afrosheen (42464) | more than 7 years ago | (#18209904)

Most linux distros stopped enabling the telnet daemon post-install years ago. Now, however, even the big vendors like Redhat leave PermitRootLogin=yes in the config file for the ssh daemon which is nearly as bad. It's on my checklist as the first thing to fix post-install on new servers.

Re:Yep. (0)

Anonymous Coward | more than 7 years ago | (#18210204)

Turn it off? Why should you even have to do that?
Name a BSD or Linux distro that has it turned ON by default?
Sun is a fat, old dinosaur. Anybody running telnetd is a retard.

Sun don't shine (0, Funny)

Anonymous Coward | more than 7 years ago | (#18207786)

I hate when I have worms where the Sun don't shine.

Re:Sun don't shine (0)

Anonymous Coward | more than 7 years ago | (#18207812)

OMG, I looked away from the sun and accidentally spied Uranus

Free software to the rescue? (1)

dosius (230542) | more than 7 years ago | (#18207806)

What about replacing telnetd with openbsd's?

-uso.

Re:Free software to the rescue? (2, Informative)

ebvwfbw (864834) | more than 7 years ago | (#18208244)

What about replacing telnetd with openbsd's?

It won't help because the vulnerability is in login (that telnetd calls) and not with telnetd. Since this is almost a month old and everyone should know by now, here it is -

telnet -l "-froot" [hostname]
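
Added example, not from this thread or from Sun's code: the name given to `telnet -l` is carried to the server in the NEW-ENVIRON option (RFC 1572) as the USER variable, and that is the byte pattern a network monitor or telnet proxy can check for. This Python decoder parses that negotiation out of a raw telnet byte stream and flags USER values that begin with `-`, i.e. names that login would parse as an option; the sample streams are constructed here, not captured traffic.

```python
from typing import Dict, List, Tuple

# Telnet command and option bytes (RFC 854 / RFC 1572).
IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254
NEW_ENVIRON = 39
IS, SEND, INFO = 0, 1, 2               # NEW-ENVIRON subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3  # NEW-ENVIRON payload markers


def extract_subnegotiations(stream: bytes) -> List[Tuple[int, bytes]]:
    """Return (option, payload) for each complete IAC SB ... IAC SE; a literal
    0xff inside the payload arrives as IAC IAC and is unescaped here."""
    out: List[Tuple[int, bytes]] = []
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd != SB:  # IAC IAC is data; WILL/WONT/DO/DONT carry an option byte
            i += 3 if cmd in (WILL, WONT, DO, DONT) else 2
            continue
        if i + 2 >= n:
            break
        option = stream[i + 2]
        payload, j, closed = bytearray(), i + 3, False
        while j < n:
            b = stream[j]
            if b == IAC and j + 1 < n:
                if stream[j + 1] == IAC:   # escaped 0xff data byte
                    payload.append(IAC)
                    j += 2
                    continue
                if stream[j + 1] == SE:    # end of this subnegotiation
                    closed, j = True, j + 2
                    break
            payload.append(b)
            j += 1
        if closed:
            out.append((option, bytes(payload)))
        i = j
    return out


def decode_new_environ(payload: bytes) -> Dict[str, str]:
    """Decode an IS/INFO payload into {name: value}; a SEND request yields {}."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    env: Dict[str, str] = {}
    name, cur, in_value = "", bytearray(), False
    i = 1
    while i < len(payload):
        b = payload[i]
        if b == ESC and i + 1 < len(payload):   # ESC quotes the next byte
            cur.append(payload[i + 1])
            i += 2
            continue
        if b == VALUE and not in_value:         # name finished, value begins
            name, cur, in_value = cur.decode("latin-1"), bytearray(), True
        elif b in (VAR, USERVAR):               # previous variable is complete
            if in_value:
                env[name] = cur.decode("latin-1")
            elif cur:
                env[cur.decode("latin-1")] = ""  # variable sent without a value
            cur, in_value = bytearray(), False
        else:
            cur.append(b)
        i += 1
    if in_value:
        env[name] = cur.decode("latin-1")
    elif cur:
        env[cur.decode("latin-1")] = ""
    return env


def suspicious_login_names(stream: bytes) -> List[str]:
    """USER values starting with '-': a login name login would read as an option."""
    hits: List[str] = []
    for option, payload in extract_subnegotiations(stream):
        if option == NEW_ENVIRON:
            user = decode_new_environ(payload).get("USER")
            if user is not None and user.startswith("-"):
                hits.append(user)
    return hits


def new_environ_is(**env: str) -> bytes:
    """Build a client IS subnegotiation; used here only to construct samples."""
    body = bytes([IS])
    for k, v in env.items():
        body += bytes([VAR]) + k.encode() + bytes([VALUE]) + v.encode()
    return bytes([IAC, SB, NEW_ENVIRON]) + body + bytes([IAC, SE])


# Constructed samples (not captured traffic): a normal login, and the value
# the `telnet -l` invocation from the thread places in USER.
BENIGN = bytes([IAC, WILL, NEW_ENVIRON]) + new_environ_is(USER="alice", DISPLAY="host:0")
FLAGGED = bytes([IAC, WILL, NEW_ENVIRON]) + new_environ_is(USER="-froot")
```
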

Re:Free software to the rescue? (0)

Anonymous Coward | more than 7 years ago | (#18209026)

"almost a month old"??? It is more than a decade old!!

Mine is! (2, Insightful)

Doctor Memory (6336) | more than 7 years ago | (#18207846)

But it's only reachable via ports 80 and 443. And I installed patch #120069-02 a couple of weeks ago. In fact, I already installed the -03 version of that patch. If you keep up with your security patches, it's really not a problem. Of course, this is easy for me to say, I have one workstation; I'm sure that for sites with dozens (or hundreds) of servers, it's more problematic. I also STR that patch 120069 used to require a reboot after installation, which makes it a bit more of a hassle to install (I usually save those for Fridays, when I can install them and then walk away while the box reboots).

Re:Mine is! (1)

tcopeland (32225) | more than 7 years ago | (#18207948)

> I'm sure that for sites with dozens (or hundreds) of servers, it's more problematic

Although in those cases I'd hope that they'd have everything nicely automated so that pushing out updates is just a matter of running some utility that executes the update on all the machines. As Zed Shaw [zedshaw.com] says, "if you're ssh'ing in to your servers more than once a week, you haven't automated things enough."

Of course there will be exceptions - custom installations and whatnot - but hopefully a change like this could just be shoved right out there.

Re:Mine is! (1)

fm6 (162816) | more than 7 years ago | (#18208230)

As Zed Shaw [zedshaw.com] says, "if you're ssh'ing in to your servers more than once a week, you haven't automated things enough."

Dude, many data centers have thousands of servers. Sun itself sells a blade system [sun.com] that puts 20 servers in a single rack. In that kind of environment, if you ever ssh into your systems, you haven't automated things enough!

Re:Mine is! (1)

amper (33785) | more than 7 years ago | (#18209666)

Not to nitpick, but did you mean 20 servers in a single rack space? Because if you didn't, 20 servers in a single, standard 42U rack isn't impressive, considering that with any ol' 1U server, you can fit 42 of them in the same space, right? OTOH, 20 servers in 1U *would* be impressive.

Re:Mine is! (1)

fm6 (162816) | more than 7 years ago | (#18209864)

Oops. You're quite correct. Though it should be noted that each of the blades in the system I mentioned is much more powerful than any 1U system.

Re:Mine is! (1)

Nonac (132029) | more than 7 years ago | (#18207964)

> If you keep up with your security patches, it's really not a problem.

I dare say that most sysadmins who keep up with patches don't have telnetd running.

Re:Mine is! (1)

multipartmixed (163409) | more than 7 years ago | (#18209160)

I'm a sparc user so I don't have 120069, but 120068-03 "SunOS 5.10: in.telnetd patch" is listed as "Install Requirements: NA". Presumably these are the same patch. ...Interesting, -03 seems to fix 6524404 which says "rebootafter property is not necessary".

Looks like -02 says it required a reboot but didn't; -03 does it right (I didn't get -02, I just disabled in.telnetd).

-02 is quite hilarious, it fixes bug "6523815 LARGE vulnerability in telnetd"

Re:Mine is! (1)

xsbellx (94649) | more than 7 years ago | (#18209590)

While I agree with the philosophy of your post, the real world has a slightly different opinion. Let's take an example:

1) You have 1200 Solaris production systems running various levels of Solaris, 7 through 10. You have an identical test environment, same 1200 servers running exactly the same version of everything. Add to this 700 odd UAT systems and about 500 dev systems. So now we are looking at 3600 servers. Now it's time to throw some bureaucracy into the mix.

2) Patches must be TESTED in the development environment first - 2 days of effort to go through the standard patch test suite for all 500 servers.

3) After successfully testing in DEV, it's off to the UAT world. Little more in-depth test suite and more change management crap. 3 days to get through UAT provided you do not have an issue with scheduling.

4) Great, now we can move on to the PTE (Production Test Environment). First and foremost, your change window is from 08:00 until 22:00 Monday. If you want a change to this window, it gets escalated through 4 levels of management on our side and, lucky us, 5 levels on the client side. The testing here is more extensive than in the actual Prod environment. First, a baseline performance test must be completed (2 hours). The patch is applied and tested. Depending on the systems, this can be time consuming (think clustered systems and ALL of the failover scenarios must be tested). Now to make sure the patch didn't screw anything up, run another perf baseline (2 hours).

5) After the patch has been in-place for at least 72 hours, it can be applied to Prod. Oh, your change window for Prod is 03:00 to 07:00 every other Sunday. Want to change either the window or the 72 hour cooling off period, it's now 5 levels of management on our side and the same 5 on the client side along with sign off from the CIO and one senior/executive VP on the client side. And the same testing with the exception of performance baselining must be completed. This includes all of the failover scenarios for clusters.

Oh and don't forget to add somewhere between 60 and 80 hours of work documenting the WHOLE process and answering moronic questions in meetings.

Thankfully I get paid OT for this sort of shit.

I might have missed something.... (3, Informative)

8127972 (73495) | more than 7 years ago | (#18207848)

Re:I might have missed something.... (1)

pizza_milkshake (580452) | more than 7 years ago | (#18208568)

yes, but not everyone applies every patch the instant it becomes available.

Re:I might have missed something.... (1)

diegocgteleline.es (653730) | more than 7 years ago | (#18208880)

Duh, you mean that sun doesn't have automatic software updates turned on by default? It's a stupid thing to do, even for servers - and "admins must test the update first" is not an excuse, I'd rather have something breaking than a security hole

Re:I might have missed something.... (1)

Doctor Memory (6336) | more than 7 years ago | (#18209540)

I'd rather have something breaking than a security hole
I doubt you'll find many sysadmins agreeing with you there. As someone else mentioned, most sysadmins will already have disabled telnetd. So to install a patch and reboot their systems without warning (possibly during the work day) seems like a little harsh treatment for somebody who's already mitigated the threat.

Re:I might have missed something.... (1)

boner (27505) | more than 7 years ago | (#18209678)

that is utterly stupid... you'd rather have an automatic update break your box so you can spend hours trying to find out how???

For a reasonable commercial system downtime is measured in thousands of dollars of lost revenue per hour. You will want to update your post after you have had a CEO, CTO, CFO etc... throwing a hissy fit because the system is down... 'automatic update' as an excuse will get you fired, and rightly so.

Re:I might have missed something.... (1)

djh101010 (656795) | more than 7 years ago | (#18209774)

Duh, you mean that sun doesn't have automatic software updates turned on by default? It's a stupid thing to do, even for servers - and "admins must test the update first" is not an excuse, I'd rather have something breaking than a security hole
In the real world, things need to be tested and run through the dev/stage/prod environments. This isn't Joe's Bait Shop we're talking about...

Re:I might have missed something.... (1)

diegocgteleline.es (653730) | more than 7 years ago | (#18210146)

This isn't Joe's Bait Shop we're talking about...

Which is why I wouldn't like to have a system that doesn't patch security holes ASAP.

It's been a long day... (5, Insightful)

Odiumjunkie (926074) | more than 7 years ago | (#18207868)

So, just to be clear, this story, posted on March 2nd, is reporting on a worm which has started exploiting a zero day vulnerability that was covered by slashdot on February 12th?

Isn't twenty days long enough to disable a remotely exploitable and totally unnecessary, unsafe service that no admin in his right mind should have enabled on a box connected to the net anyway?

Re:It's been a long day... (3, Funny)

Cheapy (809643) | more than 7 years ago | (#18207906)

Sysadmins have been searching this entire time to find a Solaris box to fix.

They are still searching.

Re:It's been a long day... (1)

Billosaur (927319) | more than 7 years ago | (#18207938)

Isn't twenty days long enough to disable a remotely exploitable and totally unnecessary, unsafe service that no admin in his right mind should have enabled on a box connected to the net anyway?

Yes, but some people are a little slow... others are just overworked... and then there are the stupid ones...

Honestly, does anybody have a use for telnet anymore? It really shouldn't be enabled by default anyway. I guess if your system isn't connected to the Internet you have no fears, but who would do that?

Re:It's been a long day... (1)

qwijibo (101731) | more than 7 years ago | (#18208688)

I work for a major bank that leaves telnet on all over the place, in spite of the 1997 company policy of replacing it with SSH as soon as possible. Sensible configuration and maintenance are impossible when business people micromanage the technology side. You'd think that putting a gun to their head would be enough to make people do it, but you'd be wrong. They're one step ahead of us all. Business people cannot be harmed by a bullet to the brain. They're already brain dead.

Re:It's been a long day... (2, Interesting)

dknj (441802) | more than 7 years ago | (#18208478)

Judging by your UID, I will assume you are new here and new to IT in general. In The Real World(tm), patches are not applied as soon as they are released. You must test them, most managers are clueless to OS level patches and require the same testing process that, say, application testing goes through. I have seen patches take a week to be approved and put into production and I have worked with companies that have a 30 day delayed patch release schedule.

With that said, no one should be running any insecure applications in production..... but people/organizations do. X servers running as root with all hosts allowed to connect. Passwords with abc123. This is entirely the fault of the admin, but sometimes cannot be altered without bureaucratic hoopla (all you can do in this case is CYA and make it visible to upper management).

Lastly to quell all these "ZOMG SOLARIS IS TEH SUX0R" comments.. Solaris 10 only enables telnet when the admin specifically requests it during installation. Let me say it again, the admin has a choice to install telnet and enable it during installation. Plus who installs Solaris by hand when you have Flash Archives/Jumpstart to do the work for you?

Re:It's been a long day... (0)

Anonymous Coward | more than 7 years ago | (#18208690)

It kinda makes me wonder whether the editors held off on posting the story for some reason. I believe it has been in the "Firehose" for a while now.

Because we know if it had been a flaw in a Microsoft product the story would have been posted not 5 minutes after the bug was discovered.

D'Oh! (1)

bigtomrodney (993427) | more than 7 years ago | (#18207910)

As a complete Unix fan boy I have to say this is one instance where we have to step down and put our hands up to say "Okay, we're sorry, we screwed up". Even XP managed to turn off its telnet service in Service Pack 1!

Should have happened... (4, Insightful)

alexhs (877055) | more than 7 years ago | (#18207944)

What about this argument that OSs other than Microsoft ones don't get malware developed for them because they don't have significant marketshare, again?

Re:Should have happened... (1)

the_humeister (922869) | more than 7 years ago | (#18208412)

It's not just marketshare. Being easily exploited and high profile also need to fit the bill too. Do we ever hear about exploits for QNX, BeOS, OS/2, Minix, etc? At least we don't hear about them on slashdot.

telwhat? (2, Funny)

glwtta (532858) | more than 7 years ago | (#18207980)

Tell who?

What year is it?

Re:telwhat? (0)

Anonymous Coward | more than 7 years ago | (#18209442)

It must be MS tel.NET since the article is about a security issue and this is Slashdot. But sorry, I have no idea what year it is.

Other Telnet vulnerabilities (2, Insightful)

Flying pig (925874) | more than 7 years ago | (#18207988)

Amazing but true - there are printers on some networks which are accessible over the public Internet and which have their telnet ports exposed. I'm obviously not spelling out the implications here, but some people need the proverbial rocket up the backside.

What proverb is that? (2, Informative)

SanityInAnarchy (655584) | more than 7 years ago | (#18208152)

proverbial rocket up the backside.

I'm pretty sure I never heard my mother say, "Son, if you ever expose a Telnet port to the Internet, I'll fire a rocket up your ass!"

Re:What proverb is that? (0)

Anonymous Coward | more than 7 years ago | (#18208282)

Actually, that may be the first time that phrase has ever been said! Er ... typed. You get the idea.

Re:What proverb is that? (1)

Elm Tree (17570) | more than 7 years ago | (#18208294)

You're lucky! My mother flipped when she found out I'd exposed my... "ports" on the internet.

Re:What proverb is that? (1)

Maximum Prophet (716608) | more than 7 years ago | (#18208368)

Well, that would be Bob 37:527 "Fear the rocket, and keep your ports closed, lest your ass gets burnt."
Bob 37:528 goes on to say. "Close down all your ports, and only open the ones truly needed, or you will learn why you should fear the rocket."

Re:Other Telnet vulnerabilities (0)

Anonymous Coward | more than 7 years ago | (#18208386)

Yeah buddy, a client of ours that we took over a while ago had the same thing. We were doing just a basic security audit of their perimeter, and I found a static NAT for a printer!?

You could view the web interface from anywhere in the world! Let's just say I closed that hole pretty fucking quick. It's amazing what some companies do for ease of use. Jesus, doesn't anyone fucking use a VPN?

Telnet for transparency? (4, Interesting)

Anonymous Coward | more than 7 years ago | (#18207990)

A while ago I found a strange comment here about why telnet was still used, even by security-knowledgeable IT departments. The comment was saying this:

Large financial institutions in Europe use telnet, as use of encryption is restricted on their trusted networks, for reasons of transparency to the stock regulating authorities. (Googling for this phrase should get you the /. comment)

If this is true (and not the post of a random troll), can anyone shed some light on this? For it seems very strange... There are many other ways to provide transparency to the financial authorities without having to compromise your network no!?

Re:Telnet for transparency? (0)

Anonymous Coward | more than 7 years ago | (#18208458)

If they aren't doing that they should be. It's on a secured network. Using telnet they can have a tiny 10-line program that samples tcpdump for randomness and automatically flags the vast majority of intruders in realtime. They can have a recorder with a rolling log (i.e. spiralog on vms or zfs on sun) that can store X amount of traffic that after the fact can be analyzed completely, aside from whatever scrambling some intruder is using of course.

Re:Telnet for transparency? (1)

VWJedi (972839) | more than 7 years ago | (#18209028)

Large financial institutions in Europe use telnet, as use of encryption is restricted on their trusted networks, for reasons of transparency to the stock regulating authorities.

I think the key phrase here is trusted network. Unless "the Internet" is a trusted network or they don't properly firewall their trusted network, they should be fine.

A new box won't have this problem... (2, Insightful)

kenh (9056) | more than 7 years ago | (#18208034)

This is not present in the Update 3 of Solaris, released 11/06 - that prompts the user to enable "network services" if they like, but warns that will expose the system to problems. One of those problems is the famously insecure telnetd service. If you say "No" telnetd is not installed/activated - and "No" is the default.

Existing boxes need to fix this, but a patch has been out for a while - are we dealing with the "short bus" hackers that it took this long to actually exploit? Why, oh why, doesn't Solaris warrant better hackers? ;^)

Re:A new box won't have this problem... (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18208210)

Check again. In update 3, you have to choose the checkbox other than the default to disable services!

Computer Security (1)

huckamania (533052) | more than 7 years ago | (#18208052)

...once again proves to be an oxymoron.

It's such a joke that everyone claims to be more secure than the next guy. But really they mean if you turn everything off and patch your system every day. That's what a 0 day exploit means. You have to patch every day or you could be at risk. Assuming there is a patch.

Having a patch isn't even that great of a deal. The patch usually provides the problem and then it's off to the races. How long to patch X number of systems versus how long to write an exploit. Even if you are 1% of the market, it's a losing race for the patchers.

Then there are all of the poor orphaned systems out there that don't have any one to maintain them. Who will patch these poor unfortunates? No one. The maintainers got laid off or found a better job and those systems will always be vulnerable.

The only time a computer is secure these days is when the network cable is unplugged and/or the on/off switch is off.

And don't even get me started on the Web of Lies...

Re:Computer Security (2, Interesting)

SanityInAnarchy (655584) | more than 7 years ago | (#18208434)

It's such a joke that everyone claims to be more secure than the next guy. But really they mean if you turn everything off and patch your system every day.

Which is the default, these days.

That's what a 0 day exploit means. You have to patch every day or you could be at risk.

No, a 0 day exploit means even if you patch every day, you're still at risk. But you know what? You're at risk every day simply by being alive. You could be hit by a meteor the next second! Oh noes!

Grow up and stop fearmongering. There's plenty of real security threats without saying "Everyone's insecure!"

Having a patch isn't even that great of a deal. The patch usually provides the problem and then it's off to the races.

I'm sorry, what? The patch provides the problem... I think I know what you mean, but this just makes you sound like an idiot. The patch fixes the problem. It may provide new problems, but it fixes the ones it's meant to fix.

How long to patch X number of systems versus how long to write an exploit. Even if you are 1% of the market, it's a losing race for the patchers.

How do you figure? Got any numbers to show me, or is this just blind speculation?

Here's a hint: If you've got an open source system, someone who finds an exploit is much more likely to send in a patch than to release said exploit into the wild. I know that's the case with me -- given the choice between patching Linux and exploiting Linux, I'll patch it. Given the choice between waiting six months for MS to patch something and exploiting it myself, I'll exploit it. And if you've got everyone's system updating every day, then it truly does become a losing race for someone to find the patch, develop an exploit, and begin using it before my system automatically patches itself.

Then there are all of the poor orphaned systems out there that don't have any one to maintain them. Who will patch these poor unfortunates?

Who relies on these poor unfortunates? Not anyone who cares about security. I mean, yeah, if you're running Win98, you're better off leaving the thing unplugged, but...

The only time a computer is secure these days is when the network cable is unplugged and/or the on/off switch is off.

I hate hearing this. Not only is it simply wrong (I can still pick the computer up and carry it off), but it's often used as some sort of excuse for computer security being as bad as it is.

I think Linux and the BSDs are pretty secure. I'm still annoyed at how frequently exploits are found.

But notice how you took two examples: A zero-day exploit, and old, unmaintained systems. Everything else you mentioned is basically saying the sky is falling because no one is secure, and therefore we can't say anyone is more secure than anyone else? How twisted is that?

Obviously, if I post my root password and IP address here, I AM less secure than everyone else. So, obviously, there are degrees of security.

And maybe everyone does become vulnerable at some point. It doesn't mean we're all doomed -- security is entirely based on economics. You're not 0wned unless it's worth it for you to be, and it's just not worth it if I'm running a custom-compiled Linux kernel and Gentoo system, all kinds of stuff tweaked by hand, and no particular reason they'd want me except CPU cycles and bandwidth. As long as there's dozens of Windows boxes they can 0wn automatically, they aren't going to get me.

Still, if you're so convinced the exploiters will always beat the patchers, go ahead and try. Crack my box, and leave me an email from myself explaining the situation. Until then, I'll remain convinced you know nothing about security except that old "Nobody's secure" bullshit.

congratulations... (1)

Jose (15075) | more than 7 years ago | (#18208056)

...on writing the world's most unsuccessful worm.

isn't even coming close to their trend on activity-by-ports page

Switch to Vista (0)

Anonymous Coward | more than 7 years ago | (#18208118)

Easy solution...Switch to a Vista/2003 Server platform. Duck!

So they finally secured sendmail and fingerd? (1)

iamacat (583406) | more than 7 years ago | (#18208166)

And is it going to take another 20 years to close all the holes in telnet?

Exploiting telnet (1)

Lewrker (749844) | more than 7 years ago | (#18208338)

is like asking a retard to tie his shoelaces and then pushing him when he bends over.

It's good to get the word out about this (1)

Tarlus (1000874) | more than 7 years ago | (#18208360)

At the university where I work, there were a number of people running Solaris boxes who weren't even aware that telnet was running. It's not that they weren't aware of the secure advantage of using SSH. But they just weren't paying close attention to what ports they had open.

So if you or someone you know runs Solaris, but uses SSH, make sure that telnet is 100% disabled for sure!

Patch Worm (0)

Anonymous Coward | more than 7 years ago | (#18208540)

Someone should modify this worm to login as root, patch telnetd to fix the vulnerability, spread itself for a while, and then die. I've always wanted to see this done, and this seems like a good opportunity (limited number of configurations/binaries, limited number of machines, etc.). To respond to some anticipated points:

1) No, it's almost certainly not legal.
2) Yes, the ethics of it are debatable.
3) I don't know if there's actually a patch available yet.
4) Yes, this still results in a compromised machine that any diligent sysadmin (running telnet?!) will have to spend a lot of time/effort cleaning.

It's more of an interesting idea that I'd just enjoy seeing. Anyone know of any cases of this happening? "Oh no! You've got the anti-virus virus."

-TUAC

Time Warp? (1)

corpsmoderne (1007311) | more than 7 years ago | (#18208614)

Am I the only one having checked the date after reading this title? For a second, I believed I was back in the 90's...

Why use telnet, anyway? (1)

Sherloqq (577391) | more than 7 years ago | (#18208748)

The last time I used telnet was probably somewhere in the late 90's. Since then I've been using ssh, like most people. Besides being secure, ssh puts a lot of power and flexibility at my fingertips: port-forwarding for tunnelling, passwordless connectivity, secure file transfers just to name a few. So it could be that it's been so long that I don't see the point of using telnet anymore, let alone willingly leave it enabled on my systems.

So besides the old argument of "I have legacy systems / applications which rely on telnet and other outdated modes of communication", why would people use telnet? Laziness? Ignorance? What else am I missing here?

Re:Why use telnet, anyway? (2, Informative)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#18208938)

So besides the old argument of "I have legacy systems / applications which rely on telnet and other outdated modes of communication", why would people use telnet? Laziness? Ignorance? What else am I missing here?

People who use telnet on a large scale that I know of include:

  • European financial companies who are not allowed to use encryption while trading stock for regulatory reasons (on a private network).
  • South and Central American ISPs who provide shell accounts as part of internet access and who have to support the lowest common denominator.
  • Major network operators in Asia and China who run telnet on their control networks.
  • New hardware appliances that are configured once from telnet or console and for whom SSH provides only added complexity since they would be transferring the keys at the same time as their only connection.

Telnet is not dead and in some cases is appropriate. Those cases are just fairly limited and are less likely to be a problem than someone who just sticks a box on the net with telnet enabled because they are lazy/ignorant (which also happens).

Re:Why use telnet, anyway? (0)

Anonymous Coward | more than 7 years ago | (#18209118)

There's a difference between the telnetd and telnet programs. telnetd is a server that listens for connections using the telnet protocol. telnet is the client program you can connect to telnetd with. As others have pointed out, that feature is pretty much useless because passwords are sent in clear text. However, telnet the client program is an *extremely* useful network troubleshooting tool. You can use it to determine if servers are listening on their proper ports or detect if your firewall is blocking a port you need. You can run 'telnet ipaddress 25' to talk to an SMTP server, 'telnet ipaddress 1521' to test if your Oracle listener is running, 'telnet ipaddress 80' to talk to your web server, etc.
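What the comment above does by hand with `telnet host 25` (connect, see whether anything answers, read the greeting) is easy to script, and the same check is the one Tarlus asked for earlier in the thread: point it at your own Solaris hosts on port 23 and make sure nothing answers. The block below is an added example for this page, not the commenter's code and not a telnet client (it speaks no telnet option negotiation, it just opens a TCP connection and reads whatever the server volunteers). The local banner server and the 220 greeting are constructed so the example runs offline; the timeout values are assumptions.

```python
import socket
import threading


def probe(host: str, port: int, timeout: float = 3.0, read_bytes: int = 256) -> dict:
    """Open a TCP connection and read an unsolicited banner, the way `telnet host port` lets you.

    Returns {"open": bool, "banner": str | None, "error": str | None}. A service that waits
    for the client to speak first (HTTP, for instance) shows as open with no banner; a closed
    port shows as not open with the exception name in "error".
    """
    result = {"host": host, "port": port, "open": False, "banner": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["open"] = True
            sock.settimeout(timeout)
            try:
                data = sock.recv(read_bytes)
            except socket.timeout:
                data = b""               # open, but silent until we talk first
            if data:
                result["banner"] = data.decode("ascii", errors="replace").strip()
    except OSError as exc:               # ConnectionRefusedError, timeout, unreachable ...
        result["error"] = type(exc).__name__
    return result


def telnet_is_disabled(host: str, timeout: float = 3.0) -> bool:
    """The check Tarlus asks for: nothing may answer on TCP/23 at all."""
    return not probe(host, 23, timeout=timeout)["open"]


# Everything below exists only so the example can demonstrate itself without a real server.
def start_banner_server(banner: bytes):
    """Constructed stand-in for an SMTP daemon: accept, send one greeting line, close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))           # port 0: let the kernel pick a free one
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:               # listening socket closed: shut down
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def stop_banner_server(srv: socket.socket) -> None:
    srv.close()


def find_closed_port() -> int:
    """Bind to a free port and release it, so a probe of it should be refused."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, port = start_banner_server(b"220 mail.example.test ESMTP ready\r\n")  # constructed greeting
    print(probe("127.0.0.1", port))
    print(probe("127.0.0.1", find_closed_port(), timeout=1.0))
    print("telnet disabled on localhost:", telnet_is_disabled("127.0.0.1", timeout=1.0))
    stop_banner_server(srv)
```

A firewall that silently drops packets shows up as `error == "timeout"` rather than `ConnectionRefusedError`, which is exactly the distinction the comment mentions between "nothing listening" and "something in the path is blocking me".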

Umod up (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18209302)

racist? How is my bedpo5t up my WASTE OF BITS AND fun to be again. time I'm done hEre, cans can become the channel to sign

Zonk strikes again (0)

Anonymous Coward | more than 7 years ago | (#18209422)

Fuck me gently. First the Vista activation bullshit, now this lame crap. Still, judging by the number of posts, it's time I tried Myspace...

And is this somehow different that other versions? (1)

amper (33785) | more than 7 years ago | (#18209500)

'The SANS Internet Storm Center, which monitors Internet threats, has noticed some increase in activity on the network port used by Solaris' telnet feature, according to an ISC blog posted on Tuesday.

Pardon my ignorance, but doesn't Solaris use TCP port 23 like every other version of telnet in the universe, unless it's specifically redirected to a different port?
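The ISC observation quoted above is a count of connections to TCP/23; what separates a propagating worm from an admin logging in is one source touching many distinct hosts on that port in a short time. The following is an added example for this page, not ISC's code or a Slashdot poster's: a small sweep detector run over constructed connection-log lines (the line format is an assumption made for the example, addresses are from the RFC 5737 documentation ranges, and the 5-target/60-second thresholds are starting points, not measured values). Dropped attempts count as well as accepted ones, since the attempt is the signal.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall/connection log (not a real capture). One external source sweeps
# port 23 across six hosts; an internal admin touches 22 and 23 on one host; some web noise.
SAMPLE_LOG = """\
2007-03-01T10:00:01 ACCEPT TCP 198.51.100.77:40001 -> 192.0.2.11:23
2007-03-01T10:00:01 ACCEPT TCP 198.51.100.77:40002 -> 192.0.2.12:23
2007-03-01T10:00:02 ACCEPT TCP 198.51.100.77:40003 -> 192.0.2.13:23
2007-03-01T10:00:02 DROP   TCP 198.51.100.77:40004 -> 192.0.2.14:23
2007-03-01T10:00:03 ACCEPT TCP 198.51.100.77:40005 -> 192.0.2.15:23
2007-03-01T10:00:03 ACCEPT TCP 198.51.100.77:40006 -> 192.0.2.16:23
2007-03-01T10:00:04 ACCEPT TCP 192.0.2.50:51000 -> 192.0.2.11:22
2007-03-01T10:00:05 ACCEPT TCP 192.0.2.50:51001 -> 192.0.2.11:23
2007-03-01T10:00:06 ACCEPT TCP 203.0.113.9:33000 -> 192.0.2.11:80
2007-03-01T10:00:06 ACCEPT TCP 203.0.113.9:33001 -> 192.0.2.12:80
this line is malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(ACCEPT|DROP)\s+TCP\s+"
    r"(\d+\.\d+\.\d+\.\d+):(\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or None when the line does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, sport, dst, dport = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "action": action,
        "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport),
    }


def find_sweepers(lines, port: int = 23, min_targets: int = 5, window_s: int = 60) -> dict:
    """Sources that touched at least `min_targets` distinct hosts on `port` within `window_s`.

    Returns {src: {"targets": distinct hosts overall, "first": ts, "last": ts}}.
    """
    per_src = defaultdict(list)                       # src -> [(ts, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != port:
            continue
        per_src[rec["src"]].append((rec["ts"], rec["dst"]))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        for i in range(len(events)):                  # each event opens a window ...
            start = events[i][0]
            targets = set()
            for ts, dst in events[i:]:                # ... that closes after window_s
                if (ts - start).total_seconds() > window_s:
                    break
                targets.add(dst)
            if len(targets) >= min_targets:
                hits[src] = {
                    "targets": len({dst for _, dst in events}),
                    "first": events[0][0],
                    "last": events[-1][0],
                }
                break
    return hits


if __name__ == "__main__":
    for src, info in find_sweepers(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['targets']} hosts on tcp/23 between {info['first']} and {info['last']}")
```

Run against a real perimeter log, the interesting follow-up is the reverse direction: an internal host that starts sweeping port 23 outbound is a machine that has already been taken, and that is the one to pull from the network first.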