CERT-SEI

SunOS in.telnetd Vulnerability

Original issue date: March 27, 1991
Last revised: September 18, 1997
Attached copyright statement

A complete revision history is at the end of this file.

*** THIS IS A REVISED CERT ADVISORY ***

*** CONTAINS NEW INFORMATION AND A CORRECTION ***


I. Description

The Computer Emergency Response Team/Coordination Center (CERT/CC) has obtained information from Sun Microsystems, Inc. regarding a vulnerability affecting SunOS 4.1 and 4.1.1 versions of in.telnetd on all Sun 3 and Sun 4 architectures.  This vulnerability also affects SunOS 4.0.3 versions of both in.telnetd and in.rlogind on all Sun3 and Sun 4 architectures.  To our knowledge, a vulnerability does not exist in the SunOS 4.1 and 4.1.1 versions of in.rlogind.  The vulnerability has been fixed by Sun Microsystems, Inc.

This advisory has been revised to include information on the new patches available for SunOS 4.0.3.  The CERT would also like to mention that the name of the compressed tarfile included in the previous CERT Advisory, CA-91:02, was incorrect. It was listed as 1001125-02.tar.Z and it should have been 100125-02.tar.Z.  We regret any inconvenience this may have caused.

Please be aware that the new compressed tarfile provided by Sun Microsystems, Inc. includes all of the patched files for SunOS 4.0.3, SunOS 4.1, and SunOS 4.1.1.  That is, the tarfile contains the new patches for SunOS 4.0.3 as well as those files previously distributed in the 100125-02.tar.Z tarfile.  The installation of the patch differs between SunOS 4.0.3 and SunOS 4.1.x.

II. Impact

The vulnerability allows a user on the system to gain unauthorized access to other accounts, including root.

III.  Solution for SunOS 4.0.3 and 4.0.3c

Sun Microsystems, Inc. has patched versions of in.telnetd and in.rlogind available for SunOS 4.0.3 on all Sun 3 and Sun 4 architectures.  The Sun Patch ID is 100125-03 which is needed when ordering the patch from a Sun Answer Center. In the US, telephone (800) USA-4SUN.  The checksum of the compressed tarfile (filename 100125-03.tar.Z) is 17128 102.  The compressed tarfile is available by anonymous FTP on uunet.uu.net (192.48.96.2) in sun-dist/100125-03.tar.Z.  Please note: This compressed tarfile also includes patched versions of in.telnetd for SunOS 4.1 and 4.1.1. Please disregard these files.

SunOS 4.0.3 patch installation instructions are as follows:

  # mv /usr/etc/in.telnetd /usr/etc/in.telnetd.FCS
  # mv /usr/etc/in.rlogind /usr/etc/in.rlogind.FCS
  # chmod 600 /usr/etc/in.telnetd.FCS 
  # chmod 600 /usr/etc/in.rlogind.FCS 

(These four steps store the old versions as a precaution and change the file modes so that the old versions cannot be executed. After verifying the new versions, the old versions should be removed.)

  # cp sun{3,3x,4,4c}/{4.0.3,4.0.3c}/in.telnetd /usr/etc/in.telnetd
  # cp sun{3,3x,4,4c}/{4.0.3,4.0.3c}/in.rlogind /usr/etc/in.rlogind

(Be sure to copy the appropriate versions for your architecture.)

  # chmod 711 /usr/etc/in.telnetd 
  # chmod 711 /usr/etc/in.rlogind
  # chown root /usr/etc/in.telnetd
  # chown root /usr/etc/in.rlogind
  # chgrp staff /usr/etc/in.telnetd
  # chgrp staff /usr/etc/in.rlogind
  # kill {any executing in.telnetd and in.rlogind process(es) (SEE NOTE)}

NOTE: Be careful in killing existing in.telnetd and in.rlogind processes, as they may be legitimate users attempting to login to the system.

IV.  Solution for SunOS 4.1 and 4.1.1

Sun Microsystems, Inc. has patched versions of in.telnetd available for SunOS 4.1 and 4.1.1 on all Sun 3 and Sun 4 architectures.  The Sun Patch ID is 100125-03 which is needed when ordering the patch from a Sun Answer Center. In the US, telephone (800) USA-4SUN.  The checksum of the compressed tarfile (filename 100125-03.tar.Z) is 17128 102. The compressed tarfile is available by anonymous FTP on uunet.uu.net (192.48.96.2) in sun-dist/100125-03.tar.Z.  Please note: This tarfile includes patched versions of in.telnetd and in.rlogind for SunOS 4.0.3.  Please disregard these files.

Patch installation instructions are as follows:

  # mv /usr/etc/in.telnetd /usr/etc/in.telnetd.FCS
  # chmod 600 /usr/etc/in.telnetd.FCS

(These two steps store the old version as a precaution and change the file mode to that the old version cannot be executed; after verifying the new version, the old version should be removed.)

# cp sun{3,3x,4,4c}/4.1/in.telnetd /usr/etc/in.telnetd
(Be sure to copy the appropriate version for your architecture.)
  # chmod 711 /usr/etc/in.telnetd
  # chown root /usr/etc/in.telnetd
  # chgrp staff /usr/etc/in.telnetd
  # kill {any executing in.telnetd process(es) (SEE NOTE)}

NOTE: Be careful in killing existing in.telnetd processes, as they may be legitimate users attempting to login to the system.



This document is available from: http://www.preview.cert.org/advisories/CA-1991-02.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.  Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information

Copyright 1991 Carnegie Mellon University.


Revision History
September 18,1997  Attached Copyright Statement