cbcvebase.
CVE-2007-0882
published 2007-02-12


Priority: P275, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit
EPSS: 97.85% (99.9th percentile)
Argument injection vulnerability in the telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client "-f" sequences as valid requests for the login program to skip authentication, which allows remote attackers to log into certain accounts, as demonstrated by the bin account.

Affected

15 ranges
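| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | krb5 | < krb5 1.4.4-8 (bookworm) | krb5 1.4.4-8 (bookworm) |
| mit | kerberos_5 | < 1.6.1 | 1.6.1 |
| mit | krb5 | >= 0 < 1.4.4-8 | 1.4.4-8 |
| mit | krb5 | >= 0 < 1.4.4-8 | 1.4.4-8 |
| mit | krb5 | >= 0 < 1.4.4-8 | 1.4.4-8 |
| mit | krb5 | >= 0 < 1.4.4-8 | 1.4.4-8 |
| oracle | solaris | | |
| oracle | solaris | | |
| sun | sunos | | |
| sun | sunos | | |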

Detection & IOCs (extracted from sources)

command: telnet -l"-f$2" $1
bytes: FF FD 26 FF FB 26 FF FD 03 FF FB 18 FF FB 1F FF FB 20 FF FB 21 FF FB 22 FF FB 27 FF FD 05
bytes: FF FA 18 00 58 54 45 52 4D FF F0 FF FA 27 00 00 55 53 45 52 01 2D 66 <USER> FF F0
  • Detect telnet login attempts where the username/environment variable begins with '-f' (e.g., '-fbin'), indicating an attempt to pass the -f flag to the login program to skip authentication.
  • Monitor telnet (port 23) traffic for the Telnet NEW-ENVIRON subnegotiation (0xFF 0xFA 0x27) containing a USER variable value starting with the bytes 0x2D 0x66 ('-f'), which is the exploit's injection vector.
  • Alert on telnet sessions to Solaris hosts (SunOS 5.10/5.11) on port 23 where the XTERM environment variable is set (0xFF 0xFA 0x18 0x00 'XTERM') in combination with a USER NEW-ENVIRON value prefixed with '-f', as this is the specific exploit sequence.
  • Flag successful unauthenticated logins to privileged or system accounts (e.g., 'bin') via telnet on Solaris 10/11 systems, as these are the default targets of this exploit.
  • The exploit targets in.telnetd on Solaris 10 and 11 (SunOS 5.10 and 5.11) only; other platforms running telnetd are not affected by this specific CVE (though CVE-2007-0956 is a similar issue in MIT krb5 telnetd).
  • The Metasploit module requires the telnet service to be running and reachable on port 23; disabling in.telnetd or blocking port 23 at the network perimeter fully mitigates this vulnerability.
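
The NEW-ENVIRON check from the detection bullets above, as an added example (not code from this page or from any vendor rule): it walks a reassembled client-to-server Telnet byte stream and reports USER values that start with '-f'. The function names and the usernames `bin` and `alice` substituted for the page's <USER> placeholder are constructed for illustration.

```python
IAC, SB, SE, NEW_ENVIRON = 0xFF, 0xFA, 0xF0, 0x27  # RFC 854 commands, RFC 1572 option 39
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3              # NEW-ENVIRON field markers

def subnegotiations(stream: bytes):
    """Yield (option, payload) for every complete IAC SB ... IAC SE block."""
    i, n = 0, len(stream)
    while i < n - 1:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB or i + 2 >= n:
            i += 3 if stream[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE) else 2  # WILL/WONT/DO/DONT + option
        else:
            option, payload, j = stream[i + 2], bytearray(), i + 3
            while j < n - 1 and not (stream[j] == IAC and stream[j + 1] == SE):
                if stream[j] == IAC and stream[j + 1] == IAC:
                    j += 1                      # IAC IAC is an escaped literal 0xFF
                payload.append(stream[j])
                j += 1
            if j < n - 1:                       # report only blocks that were terminated
                yield option, bytes(payload)
            i = j + 2

def environ_vars(payload: bytes) -> dict:
    """Decode NEW-ENVIRON fields into {name: value}; payload[0] is the subcommand byte."""
    fields, k = [], 1
    while k < len(payload):
        if payload[k] in (VAR, USERVAR, VALUE):
            fields.append((payload[k], bytearray()))   # a marker starts a new field
        elif fields:
            if payload[k] == ESC and k + 1 < len(payload):
                k += 1                                 # ESC: the next byte is literal data
            fields[-1][1].append(payload[k])
        k += 1
    env, name = {}, None
    for kind, data in fields:
        if kind != VALUE:
            name = data.decode("latin-1")
        elif name is not None:
            env[name] = data.decode("latin-1")
    return env

def suspicious_users(stream: bytes) -> list:
    """USER values sent via NEW-ENVIRON that begin with '-f' (the pattern described above)."""
    return [u for opt, p in subnegotiations(stream) if opt == NEW_ENVIRON
            for u in [environ_vars(p).get("USER", "")] if u.startswith("-f")]

# Constructed samples: the page's second byte sequence with <USER> filled in.
HEAD, TAIL = bytes.fromhex("FFFA1800585445524DFFF0FFFA2700005553455201"), b"\xff\xf0"
FLAGGED, BENIGN = HEAD + b"-fbin" + TAIL, HEAD + b"alice" + TAIL
```

Parsing the subnegotiation instead of matching a fixed byte string keeps the check working when the terminal type differs or the value contains escaped bytes.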

CVSS provenance

nvd: v2.0, 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
osv: 10.0 CRITICAL
vendor_debian: 10.0 HIGH
vendor_redhat: 10.0 CRITICAL