[21964] in bugtraq
Mac OS X & Darwin/BSD vulnerable to telnetd overflow
daemon@ATHENA.MIT.EDU (Nathan Ollerenshaw)
Sat Jul 28 23:14:42 2001
Mime-Version: 1.0
Message-Id: <p05101003b787f9694230@[195.149.51.21]>
In-Reply-To: <3B5E78EE.339FC4F1@snosoft.com>
Date: Sat, 28 Jul 2001 06:17:50 +0100
To: bugtraq@securityfocus.com
From: Nathan Ollerenshaw <chrome@stupendous.net>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
[titanium:~/desktop] chrome% ./SPtelnetAYT localhost
Telnetd AYT overflow scanner, by Security Point(R)
Host: localhost
Connected to remote host...
Sending telnet options... stand by...
Telnetd on localhost vulnerable
[titanium:~/desktop] chrome% telnet localhost
Trying 127.0.0.1...
Connected to localhost.stupendous.net.
Escape character is '^]'.
Darwin/BSD (titanium) (ttyp5)
login: ^]
telnet> close
Connection closed.
Note that by default telnet is disabled in /etc/inetd.conf (as are
most things, except for portmapper/NFS, ugh) so the impact should be
minimal. If you're not using the OpenSSH included with OS X, you're
mad.
This was tested successfully on Mac OS X 10.0.4 from both the local
machine, and from a remote Sparc Solaris 2.7 host.
I'd notify Apply, only I have no idea what address to use, and it's
6am and I've not slept yet (catching up to bugtraq from a 2 week
holiday, wow, that Code Red thing was bad, glad I wasn't around when
THAT baby hit, ho ho ho)
Nathan.
--
"The computer can't tell you the emotional story.
It can give you the exact mathematical design, but
what's missing is the eyebrows." - Frank Zappa
