Bugtraq mailing list archives
Re: Bug
From: jhutz+ () cmu edu (Jeffrey Hutzelman)
Date: Fri, 8 Jan 1999 02:47:26 -0500
On Thu, 31 Dec 1998, Mr Spooty wrote:This patch, along with the domestic version of the most recently released telnet sources from Berkeley, are available via anonymous ftp from net-dist.mit.edu in the directory /pub/telnet.As of Sun Jan 3 20:42:04 GMT 1999 the /pub/telnet directory is not world readable or searchable, and thus this patch cannot be downloaded. Does anyone have a copy of this patch, and perhaps more details on what it does?
I have no problem seeing into that directory, despite the unusual permissions. The original post was little more than a copy of a message sent by Ted Ts'o on 15-Feb-1995, nearly 4 years ago. The gist of the bug, IIRC, was that the method used in the telnet client to generate the session encryption key (the one used to actually encrypt the data stream, not the session key in the Kerberos tickets) would result in a key with bad parity 255/256 of the time. This, in turn, could result in one of three situations, depending on how carefully error checking was done at each end: (a) Encryption negotiation fails, and the stream is unencrypted (b) Encryption negotiation succeeds, and the stream is encrypted, but using a highly predictable DES key schedule instead of one derived from a randomly-chosen session key. This was the most dangerous case, and I believe also the most common. (c) Encryption negotiation succeeds, and the stream is encrypted, but one end uses the bogus key schedule as in (b), while the other uses a different schedule (IIRC, derived from the randomly-chosen key, after forcing the parity bits). The result is that neither end can communicate with the other. The patch also appears to fix a fatal bug in the challenge-response calculation, and to make changes to parsing of authentication types, which I'd have to go read the full telnet source to understand. I've CC'd Ted Ts'o on this message, in case he wants to make additional comments about the nature of the original problem, or the other changes made by that patch. -- Jeffrey T. Hutzelman (N3NHS) <jhutz+ () cmu edu> Sr. Research Systems Programmer School of Computer Science - Research Computing Facility Carnegie Mellon University - Pittsburgh, PA
Current thread:
- Re: Breeze Network Server remote reboot and other bogosity. Mike Pelley (Dec 31)
- Bug Mr Spooty (Dec 31)
- Re: Bug Curt Sampson (Jan 03)
- Re: Bug Jeffrey Hutzelman (Jan 07)
- Anonymous Qmail Denial of Service Wietse Venema (Jan 03)
- Dosemu/S-Lang Overflow + sploit Trev (Jan 03)
- Re: Dosemu/S-Lang Overflow + sploit Erik Mouw (Jan 12)
- Re: Anonymous Qmail Denial of Service Trev (Jan 04)
- Vulnerability database workshop Gene Spafford (Jan 04)
- Re: Anonymous Qmail Denial of Service Nick Andrew (Jan 04)
- Improved icmp time/mask querying program David G. Andersen (Jan 04)
- Re: Bug Curt Sampson (Jan 03)
- Re: Anonymous Qmail Denial of Service Illuminatus Primus (Jan 04)
- Re: Anonymous Qmail Denial of Service Nick Maclaren (Jan 04)
- Sendmail 8.9.2 released Patrick Oonk (Jan 04)
- Bug Mr Spooty (Dec 31)