The Old Bugs Are the Best Bugs (Technology Review)

Anybody who runs Solaris systems should have a look at this Technology Review article by Simson Garfinkel on the recently-disclosed telnet vulnerability. "What Maynor discovered is that an attacker can try to log in with a user name like '-fbin.' The '-fbin' is passed along to the log-in program, which misinterprets the "-f" as a command from the operating system to log the user in to the specified account without asking for a password." For added fun, consider that Solaris 10 enables telnet by default, and that the vulnerability is not particularly new.
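An added example, not code from the article, from LWN or from Solaris: a constructed C model of the argument handling the quoted passage describes, beside a hardened way for the daemon to build the login command line. The function names, the `-h` host option, the address 192.0.2.7 and the user-name policy are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define NAME_CHARS "abcdefghijklmnopqrstuvwxyz0123456789_-" /* assumed policy */

/* Constructed model of a login-style parser (not Solaris source): "-f user"
 * means "already authenticated". Returns 1 if authentication is skipped. */
static int login_skips_auth(int argc, const char **argv, const char **user)
{
    int i, preauth = 0;
    *user = NULL;
    for (i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (strcmp(a, "--") == 0) { i++; break; }   /* end of options */
        if (a[0] != '-' || a[1] == '\0') break;     /* first operand */
        if (a[1] == 'f' || a[1] == 'h') {           /* options taking a value */
            const char *v = a[2] ? a + 2 : (i + 1 < argc ? argv[++i] : NULL);
            if (a[1] == 'f') { preauth = 1; *user = v; }
        }
    }
    if (!preauth && i < argc) *user = argv[i];      /* normal login operand */
    return preauth;
}

/* Daemon side as described above: the remote name lands in argv unchecked. */
static int argv_naive(const char *name, const char *host, const char **av)
{
    av[0] = "login"; av[1] = "-h"; av[2] = host; av[3] = name; av[4] = NULL;
    return 4;
}

/* Hardened: refuse option-like or odd names, and end options with "--".
 * Returns argc, or -1 when the name is rejected. */
static int argv_hardened(const char *name, const char *host, const char **av)
{
    size_t n = strlen(name);
    if (n == 0 || n > 32 || name[0] == '-' || strspn(name, NAME_CHARS) != n)
        return -1;
    av[0] = "login"; av[1] = "-h"; av[2] = host;
    av[3] = "--"; av[4] = name; av[5] = NULL;
    return 5;
}

int main(void)
{
    const char *av[6], *u;
    int n = argv_naive("-fbin", "192.0.2.7", av);
    int s = login_skips_auth(n, av, &u);
    printf("naive: skips_auth=%d user=%s; hardened argc=%d\n", s, u,
           argv_hardened("-fbin", "192.0.2.7", av));
}
```

Either check alone closes the hole in this model: the leading-dash rejection stops the name before it reaches login, and the `--` separator makes the parser treat whatever follows as an account name rather than an option.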

The Old Bugs Are the Best Bugs (Technology Review)

Posted Feb 13, 2007 21:31 UTC (Tue) by flewellyn (subscriber, #5047) [Link]

Enables telnet by DEFAULT?

That's insane. I have never, ever, ever enabled telnet on ANY of my machines. As far as I can see, there is no reason to do so, unless you run a legacy machine for which SSH is not ported. If you aren't twenex.org, I don't see a valid reason to have telnetd installed, much less enabled.

The Old Bugs Are the Best Bugs (Technology Review)

Posted Feb 13, 2007 21:54 UTC (Tue) by emkey (guest, #144) [Link]

I'm a little surprised by this but not totally shocked. After all, this is the company that used to ship their systems with nothing but a + in /etc/hosts.allow long after it became obvious that the Internet was not the kind gentle place such a practice would require and before firewalls became commonplace.

The Old Bugs Are the Best Bugs (Technology Review)

Posted Feb 13, 2007 22:23 UTC (Tue) by ajross (subscriber, #4563) [Link]

Remember that Sun is selling boxes into production environments that are often years (more than a decade in some cases!) old. There really are sites (i.e. paying customers you don't want to anger) out there who are doing the equivalent of RPC or automated remote tasks using tools like telnet. It's sad, but true. And if you want to keep their business, you need to not break their systems with an upgrade.

The Old Bugs Are the Best Bugs (Technology Review)

Posted Feb 13, 2007 22:39 UTC (Tue) by eklitzke (subscriber, #36426) [Link]

While including a telnet daemon in the default install is a bit anachronistic, it isn't that big of a deal. What is a big deal is the fact that it would be turned on by default. Surely the sites that do need telnet enabled can take the ten seconds required to have it start automatically so that the other 99.9% of users out there won't have to worry about this kind of nonsense.

The Old Bugs Are the Best Bugs (Technology Review)

Posted Feb 14, 2007 0:46 UTC (Wed) by emkey (guest, #144) [Link]

Any large data center worth anything should have configuration management in place. I.e., new systems hitting the floor should have some sort of process run on them that verifies that the appropriate files have the appropriate things, all services that should be on are present and on, etc. It is hard for me to see any value added to having telnet on by default given this.

The Old Bugs Are the Best Bugs (Technology Review)

Posted Feb 14, 2007 0:54 UTC (Wed) by daney (subscriber, #24551) [Link]

The article seemed to imply that telnetd was/is *disabled* by default. So it is in fact not a problem unless you explicitly enable it.

It is unfortunate that telnetd had a bug in Solaris, but most installs probably do not enable it so it was not as big a problem as some are making it out to be.

if you don't personally harden any system on the public net...

Posted Feb 13, 2007 23:27 UTC (Tue) by qu1j0t3 (guest, #25786) [Link]

...you deserve what you get.

For Solaris: apply the Solaris Security Toolkit.

The Old Bugs Are the Best Bugs (Technology Review)

Posted Feb 14, 2007 0:31 UTC (Wed) by kjp (subscriber, #39639) [Link]

FTFA:

"And if they are going to ship a server, they really should be validating it. Although I have no way of knowing what happened at Sun, my guess is that they didn't bother to test the server because it is **disabled by default**."

Whew. You had me for a minute.

The Old Bugs Are the Best Bugs (Technology Review)

Posted Feb 14, 2007 5:21 UTC (Wed) by drag (subscriber, #31333) [Link]

I believe it's only disabled by default on the latest release of Solaris 11.

However I think that root login is disabled by default in all versions.

That's all FUD

Posted Feb 13, 2007 21:39 UTC (Tue) by proski (subscriber, #104) [Link]

And switching to GPLv3 won't stop it. :)

That's all FUD

Posted Feb 13, 2007 21:54 UTC (Tue) by error27 (subscriber, #8346) [Link]

Good point. They should add a clause to address this. Maybe only an extension is needed?

Funny typo

Posted Feb 13, 2007 23:21 UTC (Tue) by ncm (subscriber, #165) [Link]

Evidently some anonymous copy editor at Technology Review saw the quoted string '-fbin' at the end of a sentence and, following the official magazine stylebook, moved the period inside the quotes: '-fbin.', thereby changing the meaning of the sentence. It was a silly convention to begin with, but applied to modern technical writing ("Technology Review", hello?) it's actively stupid.

Funny typo

Posted Feb 14, 2007 1:00 UTC (Wed) by cortana (subscriber, #24596) [Link]

Some interesting comments about (correct!) punctuation as used by hackers are available in The Jargon File.

Funny typo

Posted Feb 14, 2007 17:27 UTC (Wed) by charris (subscriber, #13263) [Link]

I believe both punctuation conventions are accepted these days. I read somewhere that the original convention of moving periods and such inside the quotes came from the days of lead type when punctuation trailing the quote tended to break off during a print run. I am in no position to verify the truth of that, but it sounds plausible.

Funny typo

Posted Feb 14, 2007 21:59 UTC (Wed) by man_ls (subscriber, #15091) [Link]

I think it might have just been an instance of Kerning. The wikipedia helpfully illustrates it by putting the dot in
VAST.
under the right stroke of the T. Just what many computer fonts do not do, I do not see it in the preview box. Similarly, in
'-fbin'.
the dot would be moved below the quote, looking more like:
'-fbin!
if you know what I mean. In typewriters,
'-fbin.'
would look more similar to the original with kerning; or at least it would look better. I have to agree that it is a silly convention nowadays; not only does it break the logical sequence, but we should just let kerning do its thing if it can.

Just like you, I'm in no position to verify the truth of this alternative.

Funny typo

Posted Feb 17, 2007 1:36 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

My university technical writing professor said it is for aesthetics, so analogous to kerning. Non-engineers aren't all that sensitive to illogical things. Consider that the possessive of process is traditionally process'.

Also, I believe the rule today is the same as it has always been: standard American typography puts the period inside; standard British typography puts it outside.

In highly technical documents (like here), I'm sure editors allow more leeway so you can quote a sequence of characters as opposed to human language text even if the chosen style is otherwise standard American.

But in most documents I see, literal characters are rendered in a special font instead of in quotation marks.

Not particularly new?

Posted Feb 14, 2007 6:18 UTC (Wed) by ldo (subscriber, #40946) [Link]

You say "the vulnerability is not particularly new". Yet the link you post specifically states: "Sun Microsystems, Inc. Solaris All Versions (Not Affected)". So as far as Solaris is concerned, it would seem to be a new bug.

Not particularly new?

Posted Feb 14, 2007 13:42 UTC (Wed) by jzbiciak (✭ supporter ✭, #5246) [Link]

This class of vulnerability, specifically passing flags to 'login', goes pretty far back. This is a new instance of an ancient bug. I remember way back in 1993-94 time frame that Linux had a similar bug in getty. You could walk up to any Linux box and type -froot as the user name and Tada! You're now root!

I and a friend wrote a wrapper that was popular in that time frame. (Well, I wrote it, he popularized it as part of a security package.) That was a loooooong time ago.

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds