Bugtraq mailing list archives
Re: multiple vendor telnet daemon vulnerability
From: Kris Kennaway <kris () obsecurity org>
Date: Tue, 24 Jul 2001 14:51:24 -0700
On Tue, Jul 24, 2001 at 04:55:49PM +1000, Steffen Kluge wrote:
> OpenBSD current | no |

^^^^ I'm not so sure about this one. OpenBSD-current (post 2.9) contains the heimdal telnetd code, which incompletely fixes the handling of the output buffers (under certain conditions it looks like the buffers can still be overflowed). The initial (unofficial) patch posted to the FreeBSD-security list last week was also a port of the heimdal telnetd code with the same (flawed) semantics for output_data() and netflush(), and I had a report yesterday of someone being compromised with that preliminary patch in place. The official patch published with our advisory is believed to fix things properly.

OpenBSD 2.9's telnetd is also full of code like this:

    if (TELOPT_OK(option))
        sprintf(nfrontp, "%s %s\r\n", fmt, TELOPT(option));
    else if (TELCMD_OK(option))
        sprintf(nfrontp, "%s %s\r\n", fmt, TELCMD(option));
    else
        sprintf(nfrontp, "%s %d\r\n", fmt, option);
    nfrontp += strlen(nfrontp);
    return;

which is the signature of the problem reported by TESO. I wouldn't be at all surprised if there were further problems there. For the sake of the OpenBSD users this needs to be investigated further.

> Solaris 2.x sparc | yes | ?
> <almost any other vendor's telnetd> | yes | ?
> ----------------------------------------+--------------+------------------
>
> Is there a test available that would allow verification of vulnerability on various platforms? I'm thinking of network devices like routers, do their telnet servers tend to be based on the vulnerable code base?
Chances are, yes. The vulnerability goes back at least to 4.2BSD.

Kris
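
The unchecked `sprintf(nfrontp, ...)` followed by `nfrontp += strlen(nfrontp)` quoted in the message above, rewritten with a bounds check, as an added example that is not part of the original post or of any vendor's patch. The buffer size, the helper names (net_space, net_reset, net_printf, demo_fill) and the sample strings are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>

#define NETOBUF_SIZE 64              /* assumed size, kept small for the demo */
static char netobuf[NETOBUF_SIZE];   /* network output buffer */
static char *nfrontp = netobuf;      /* next free byte, as in the quoted code */

/* Bytes still free between nfrontp and the end of netobuf. */
static size_t net_space(void) { return (size_t)(netobuf + sizeof(netobuf) - nfrontp); }

/* Hypothetical stand-in for a flush: a real daemon writes the data out first. */
static void net_reset(void) { nfrontp = netobuf; }

/*
 * Bounded form of "sprintf(nfrontp, ...); nfrontp += strlen(nfrontp);":
 * returns bytes appended, or -1 (nfrontp unchanged) when the text does not fit.
 */
static int net_printf(const char *fmt, ...)
{
    size_t space = net_space();
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(nfrontp, space, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= space) {       /* error, or output was truncated */
        if (space > 0) *nfrontp = '\0';      /* discard the partial output */
        return -1;
    }
    nfrontp += n;
    return n;
}

/* Constructed input: ten 25-byte lines aimed at a 64-byte buffer. */
static int demo_fill(void)
{
    int rejected = 0;
    net_reset();
    for (int i = 0; i < 10; i++)
        if (net_printf("%s %s\r\n", "td: send do", "NEW-ENVIRON") < 0)
            rejected++;
    return rejected;
}

int main(void)
{
    int r = demo_fill();
    printf("rejected %d of 10 writes, %zu bytes queued\n", r, (size_t)(nfrontp - netobuf));
    return 0;
}
```

A caller that gets -1 should flush and retry, or drop the message; it must never advance nfrontp on its own.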