[21833] in bugtraq


Re: multiple vendor telnet daemon vulnerability

daemon@ATHENA.MIT.EDU (Kris Kennaway)
Tue Jul 24 19:40:47 2001

Date: Tue, 24 Jul 2001 16:11:36 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Kris Kennaway <kris@obsecurity.org>
Cc: bugtraq@securityfocus.com
Message-ID: <20010724161135.A37310@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="/9DWx/yDrRhgMJTb"
Content-Disposition: inline
In-Reply-To: <20010724145124.A35804@xor.obsecurity.org>; from kris@obsecurity.org on Tue, Jul 24, 2001 at 02:51:24PM -0700

--/9DWx/yDrRhgMJTb
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Jul 24, 2001 at 02:51:24PM -0700, Kris Kennaway wrote:

> > >     Solaris 2.x sparc                       |      yes     |        ?
> > >     <almost any other vendor's telnetd>     |      yes     |        ?
> > >     ----------------------------------------+--------------+------------------
> >
> > Is there a test available that would allow verification of
> > vulnerability on various platforms? I'm thinking of network
> > devices like routers, do their telnet servers tend to be based
> > on the vulnerable code base?
>
> Chances are, yes.  The vulnerability goes back at least to 4.2BSD.

I was just talking to David Borman from BSDi about this.  Apparently
the vulnerability discovered by TESO was introduced around the 4.3BSD
timeframe, since it requires passing exploit code in via environment
variables (the relevant telnet option to do this wasn't around before
then).  The 4.2BSD code plays the same dangerous games with sprintf()
and manually incrementing the nfrontp pointer, but in the absence of a
way to inject your shellcode all you can probably do is crash the
telnetd.

Kris

--/9DWx/yDrRhgMJTb
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7XgCnWry0BWjoQKURAn2nAKChnjQxKQaO9SvKUf0w2G1jKd5XDQCdGx5W
lIykpTSVo/fjq2AbslkCD8A=
=QWfu
-----END PGP SIGNATURE-----

--/9DWx/yDrRhgMJTb--
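The pattern Kris describes (sprintf() into a fixed output buffer followed by a hand-advanced front pointer) is shown below as an added illustration, not code from this thread or from any vendor's telnetd. The `struct netbuf`, `frontp`, `NETOBUF_SIZE` and the two append routines are made-up names chosen to mirror the shape of the bug; the hardened form computes the remaining room, lets snprintf() report how much it wanted to write, and refuses to advance the pointer when the text would not fit.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical output buffer modelled on the pattern described in the
 * message: a fixed-size network output buffer plus a "front" pointer that
 * is advanced by hand after each sprintf(). The names here are invented
 * for this example; they are not the telnetd's own. */
#define NETOBUF_SIZE 64

struct netbuf {
    char  buf[NETOBUF_SIZE];
    char *frontp;            /* next free byte, playing the role of nfrontp */
};

void netbuf_init(struct netbuf *nb) {
    memset(nb->buf, 0, sizeof nb->buf);
    nb->frontp = nb->buf;
}

/* The dangerous pattern: sprintf() copies a caller-supplied string into the
 * buffer with no length check, then the front pointer is bumped by however
 * much was written. A long enough 'value' runs past the end of buf[].
 * It is only ever called with short input in this example, because the
 * overflow itself is undefined behaviour; it is here to show the bug's shape. */
void unsafe_append(struct netbuf *nb, const char *name, const char *value) {
    sprintf(nb->frontp, "%s=%s;", name, value);
    nb->frontp += strlen(nb->frontp);
}

/* Hardened form: work out how much room is left, let snprintf() report the
 * length it wanted, and return -1 without advancing when it would not fit.
 * snprintf() always NUL-terminates within 'room', so the partial write is
 * simply discarded by restoring the terminator at the old front pointer. */
int safe_append(struct netbuf *nb, const char *name, const char *value) {
    size_t room = sizeof nb->buf - (size_t)(nb->frontp - nb->buf);
    int n = snprintf(nb->frontp, room, "%s=%s;", name, value);
    if (n < 0 || (size_t)n >= room) {
        *nb->frontp = '\0';  /* discard the truncated write */
        return -1;
    }
    nb->frontp += n;
    return n;
}

/* Number of bytes currently queued in the buffer. */
size_t netbuf_used(const struct netbuf *nb) {
    return (size_t)(nb->frontp - nb->buf);
}

int main(void) {
    struct netbuf nb;
    char long_value[200];                       /* constructed oversized input */
    memset(long_value, 'A', sizeof long_value - 1);
    long_value[sizeof long_value - 1] = '\0';

    netbuf_init(&nb);
    unsafe_append(&nb, "TERM", "vt100");        /* short input: fits, 11 bytes */
    printf("unsafe_append, short input: used=%zu\n", netbuf_used(&nb));

    netbuf_init(&nb);
    if (safe_append(&nb, "TERM", long_value) < 0)
        printf("safe_append refused a %zu-byte value; used=%zu\n",
               strlen(long_value), netbuf_used(&nb));
    return 0;
}
```

The check in `safe_append` is the whole fix: the length of the reply is derived from what snprintf() says it needs, not from the caller's input, and the front pointer only moves once the write is known to be in bounds.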
