Saturday, August 2, 2008

OpenSolaris remote root exploit

Like the BSI was new to the LiveCD market segment, so is Sun!

If you boot your OpenSolaris CD and have your network plugged in and a DHCP
server is available (a very common setup today; every home user has DSL ...), remote
attackers can log into your machine with jack/jack and su to root with
opensolaris. What luck that remote root logins are disabled by the sshd running
during the installation procedure. It also has a nice banner which distinguishes it
clearly from the rest of the OpenSSH world.
Far worse than the BOSS BSI issue:
If you want to install OpenSolaris (and plenty of sysadmins will), the only
way is to boot the LiveCD and install it from there. You are owned before your installation procedure is finished!

So, somehow, we got a remote root exploit for a lot of data centers, I guess. And BTW,
if there is no DHCP server running at the university, attackers can feel free to set one up :-)

Besides that, I like the Open Source path which Sun is now walking on, and Solaris
is still a very cute OS which kicks ass. But admins should really unplug
the network cable during installation. No kidding. If I got something wrong, feel
free to mail me and I will correct myself. I tested the 2008.05 image from their main download
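If you cannot unplug the cable, at least check afterwards whether the live session was used from the outside. The script below is an added example (not from the original post, not Sun's code): it scans constructed sshd syslog lines and constructed Solaris /var/adm/sulog lines ("SU MM/DD HH:MM +|- tty from-to") and flags remote logins as the default "jack" account followed by a successful su to root on a pseudo-terminal.

```python
import re

# Constructed sample input in the assumed formats (sshd syslog and Solaris sulog).
SSHD_LOG = """\
Aug  2 10:14:02 opensolaris sshd[812]: Accepted keyboard-interactive/pam for jack from 192.0.2.7 port 51234 ssh2
Aug  2 10:20:11 opensolaris sshd[830]: Accepted publickey for jack from 192.0.2.9 port 51300 ssh2
Aug  2 10:31:40 opensolaris sshd[845]: Failed keyboard-interactive/pam for root from 192.0.2.7 port 51240 ssh2
"""
SULOG = """\
SU 08/02 10:15 + pts/2 jack-root
SU 08/02 10:21 - pts/3 jack-root
SU 08/02 10:25 + console jack-root
"""

SSHD_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SU_RE = re.compile(r"^SU (?P<md>\d\d/\d\d) (?P<hm>\d\d:\d\d) (?P<ok>[+-]) "
                   r"(?P<tty>\S+) (?P<frm>\S+)-(?P<to>\S+)$")


def ssh_logins(text, user="jack"):
    """Source addresses that successfully authenticated over ssh as `user`."""
    hits = (SSHD_RE.search(line) for line in text.splitlines())
    return [m.group("src") for m in hits if m and m.group("user") == user]


def su_to_root(text, user="jack"):
    """(time, tty, success) for every su attempt from `user` to root in a sulog."""
    out = []
    for line in text.splitlines():
        m = SU_RE.match(line)
        if m and m.group("frm") == user and m.group("to") == "root":
            out.append((m.group("hm"), m.group("tty"), m.group("ok") == "+"))
    return out


def findings(sshd_text, sulog_text, user="jack"):
    """Combine both sources. su from the physical console is the installer's
    own normal use; a remote ssh login as the default account plus a successful
    su to root on a pts/* terminal is what the LiveCD exposes to the network."""
    remote_sources = ssh_logins(sshd_text, user)
    remote_escalations = [s for s in su_to_root(sulog_text, user)
                          if s[2] and s[1].startswith("pts/")]
    return {"remote_logins": remote_sources,
            "remote_root_escalations": remote_escalations,
            "compromised": bool(remote_sources and remote_escalations)}


if __name__ == "__main__":
    for key, value in findings(SSHD_LOG, SULOG).items():
        print(f"{key}: {value}")
```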

Update: Sun Microsystems is already tracking this issue and will change the behavior with
the next live CD release.
