[21830] in bugtraq


Re: multiple vendor telnet daemon vulnerability

daemon@ATHENA.MIT.EDU (Kris Kennaway)
Tue Jul 24 17:56:20 2001

Date: Tue, 24 Jul 2001 14:51:24 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: bugtraq@securityfocus.com
Message-ID: <20010724145124.A35804@xor.obsecurity.org>
In-Reply-To: <20010724165549.A2217@syd0128.fujitsu.com.au>; from kluge@fujitsu.com.au on Tue, Jul 24, 2001 at 04:55:49PM +1000


On Tue, Jul 24, 2001 at 04:55:49PM +1000, Steffen Kluge wrote:

> >     OpenBSD current                         |       no     |
                                                       ^^^^
I'm not so sure about this one.  OpenBSD-current (post 2.9) contains
the heimdal telnetd code, which incompletely fixes the handling of the
output buffers (under certain conditions it looks like the buffers can
still be overflowed).  The initial (unofficial) patch posted to the
FreeBSD-security list last week was also a port of the heimdal telnetd
code with the same (flawed) semantics for output_data() and
netflush(), and I had a report yesterday of someone being compromised
with that preliminary patch in place.  The official patch published
with our advisory is believed to fix things properly.

OpenBSD 2.9's telnetd is also full of code like this:

        if (TELOPT_OK(option))
                sprintf(nfrontp, "%s %s\r\n", fmt, TELOPT(option));
        else if (TELCMD_OK(option))
                sprintf(nfrontp, "%s %s\r\n", fmt, TELCMD(option));
        else
                sprintf(nfrontp, "%s %d\r\n", fmt, option);
        nfrontp += strlen(nfrontp);
        return;

which is the signature of the problem reported by TESO.  I wouldn't be
at all surprised if there were further problems there.  For the sake
of the OpenBSD users this needs to be investigated further.

> >     Solaris 2.x sparc                       |      yes     |        ?
> >     <almost any other vendor's telnetd>     |      yes     |        ?
> >     ----------------------------------------+--------------+------------------
> 
> Is there a test available that would allow verification of
> vulnerability on various platforms? I'm thinking of network
> devices like routers, do their telnet servers tend to be based
> on the vulnerable code base?

Chances are, yes.  The vulnerability goes back at least to 4.2BSD.

Kris
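The following is an added example, not code from the post, from telnetd or from any of the vendors named; it places the unbounded sprintf()/strlen() pattern quoted above next to a bounded counterpart. The buffer size, the struct and function names, and the three-entry option-name table are assumptions made for the example (real telnetd uses the TELOPT table from <arpa/telnet.h>). The point is the one the post makes about output_data() and netflush(): the writer must know how much room is left before it writes, and must refuse (so the caller can flush first) rather than advance the pointer past the end.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for telnetd's output buffer and its write pointer
 * (nfrontp in the quoted excerpt). The size and names are assumptions made
 * for this example, not values taken from telnetd. */
#define NETOBUF_SIZE 64

struct netbuf {
    char buf[NETOBUF_SIZE];
    char *nfrontp;            /* next free byte in buf */
};

void netbuf_init(struct netbuf *nb)
{
    nb->nfrontp = nb->buf;
    nb->buf[0] = '\0';
}

size_t netbuf_used(const struct netbuf *nb)
{
    return (size_t)(nb->nfrontp - nb->buf);
}

/* Tiny constructed option-name table standing in for TELOPT(); the real
 * daemon uses the table from <arpa/telnet.h>. */
static const char *opt_name(int option)
{
    switch (option) {
    case 0:  return "BINARY";
    case 1:  return "ECHO";
    case 3:  return "SUPPRESS GO AHEAD";
    default: return NULL;     /* unknown option: print the number instead */
    }
}

/* Bounded counterpart of the quoted sprintf()/strlen() pattern. The original
 * never computes the remaining space and advances nfrontp by whatever was
 * written. Here the room is computed first, snprintf() is bounded by it, and
 * a message that would not fit is refused (false) instead of being written
 * past the end of buf; the caller is expected to flush and retry. */
bool netbuf_append_option(struct netbuf *nb, const char *fmt, int option)
{
    size_t room = NETOBUF_SIZE - netbuf_used(nb);
    const char *name = opt_name(option);
    int n;

    if (room == 0)
        return false;         /* nothing left at all; must flush first */

    if (name != NULL)
        n = snprintf(nb->nfrontp, room, "%s %s\r\n", fmt, name);
    else
        n = snprintf(nb->nfrontp, room, "%s %d\r\n", fmt, option);

    if (n < 0 || (size_t)n >= room) {
        /* Did not fit: snprintf() truncated, so discard the partial text and
         * leave nfrontp where it was. */
        *nb->nfrontp = '\0';
        return false;
    }
    nb->nfrontp += n;
    return true;
}

int main(void)
{
    struct netbuf nb;
    int accepted = 0;

    netbuf_init(&nb);
    /* Keep appending the same reply until the bounded version refuses. */
    while (netbuf_append_option(&nb, "send do", 1))
        accepted++;
    printf("accepted %d messages, %zu of %d bytes used\n",
           accepted, netbuf_used(&nb), NETOBUF_SIZE);
    return 0;
}
```

With a 64-byte buffer and the 14-byte reply "send do ECHO\r\n", the bounded version accepts four messages and refuses the fifth, leaving the write pointer inside the buffer; the quoted pattern would have written the fifth anyway and moved nfrontp past the end, which is the condition the post describes as still reachable in the incomplete fixes.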
