Solaris Remote Telnet Root Exploit Signature
If you haven't seen it yet, there's a remote root exploit for the telnet service on many versions of Solaris. If you're running telnet anywhere, turn it off. Many versions of Solaris ship with it enabled by default, so it's worth checking that it's really off even if you're not using the service.
Chris Byrd has submitted an accurate signature for the exploit.
# Submitted 2007-02-12 by Chris Byrd
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BLEEDING-EDGE EXPLOIT Solaris telnet USER environment vuln"; flow:to_server,established; content:"|ff fa 27 00 00 55 53 45 52 01 2d 66|"; rawbytes; classtype:attempted-user; reference:url,riosec.com/solaris-telnet-0-day; sid:2003411; rev:1;)
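As an added example (not from the original post or from Chris Byrd's rule), here is a small Python decoder for the telnet NEW-ENVIRON subnegotiation that the rule's byte pattern targets. It shows the literal content match the rule performs alongside a structural check on the decoded USER value, run over two constructed client packets; option and command codes follow RFC 1572, and the user names in the samples are made up.

```python
# Added example (not from the original post or the submitted rule): decode the
# telnet NEW-ENVIRON subnegotiation whose raw bytes the rule above matches
# (ff fa 27 00 00 55 53 45 52 01 2d 66) and flag a USER value starting with "-".
IAC, SB, SE = 0xFF, 0xFA, 0xF0                   # telnet command bytes
NEW_ENVIRON, IS = 0x27, 0x00                     # option 39 and the IS reply, RFC 1572
VAR, VALUE, ESC, USERVAR = 0x00, 0x01, 0x02, 0x03
SIGNATURE = bytes.fromhex("fffa27000055534552012d66")  # the rule's content: bytes

def matches_rule(payload):
    """Literal match, exactly what the rule's content:/rawbytes check does."""
    return SIGNATURE in payload

def _decode_pairs(body):
    """Turn VAR name VALUE value ... tokens into (name, value) string pairs."""
    pairs, cur, j = [], None, 0
    while j < len(body):
        b = body[j]
        if b in (VAR, USERVAR):                  # start of a new variable name
            pairs.append([bytearray(), bytearray()])
            cur = pairs[-1][0]
        elif b == VALUE and pairs:               # switch to filling its value
            cur = pairs[-1][1]
        elif cur is not None:
            if b == ESC and j + 1 < len(body):   # ESC quotes the next byte
                j += 1
                b = body[j]
            cur.append(b)
        j += 1
    return [(n.decode("latin-1"), v.decode("latin-1")) for n, v in pairs]

def parse_new_environ(payload):
    """Collect pairs from every IAC SB NEW-ENVIRON IS ... IAC SE block in a client stream."""
    pairs, i = [], 0
    while True:
        start = payload.find(bytes([IAC, SB, NEW_ENVIRON, IS]), i)
        end = payload.find(bytes([IAC, SE]), start) if start >= 0 else -1
        if end < 0:                              # no complete block left
            return pairs
        pairs.extend(_decode_pairs(payload[start + 4:end]))
        i = end + 2

def suspicious_user(payload):
    """Structural check: a USER value beginning with '-' is an option smuggled via the environment."""
    return any(n == "USER" and v.startswith("-") for n, v in parse_new_environ(payload))

# Constructed sample packets: an ordinary login and one carrying the pattern the rule catches.
BENIGN = bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"alice" + bytes([IAC, SE])
HOSTILE = bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"-falice" + bytes([IAC, SE])
```

The structural check is what you would want in a preprocessor or log-review script, since the rule's content match is bound to the exact byte layout of one client implementation.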
Thanks Chris!
Matt