Bugtraq mailing list archives

Re: multiple vendor telnet daemon vulnerability


From: Kris Kennaway <kris () obsecurity org>
Date: Tue, 24 Jul 2001 16:11:36 -0700

On Tue, Jul 24, 2001 at 02:51:24PM -0700, Kris Kennaway wrote:

    Solaris 2.x sparc                       |      yes     |        ?
    <almost any other vendor's telnetd>     |      yes     |        ?
    ----------------------------------------+--------------+------------------

Is there a test available that would allow verification of
vulnerability on various platforms? I'm thinking of network
devices like routers, do their telnet servers tend to be based
on the vulnerable code base?

Chances are, yes.  The vulnerability goes back at least to 4.2BSD.

I was just talking to David Borman from BSDi about this.  Apparently
the vulnerability discovered by TESO was introduced around the 4.3BSD
timeframe, since it requires passing exploit code in via environment
variables (the relevant telnet option to do this wasn't around before
then).  The 4.2BSD code plays the same dangerous games with sprintf()
and manually incrementing the nfrontp pointer, but in the absence of a
way to inject your shellcode all you can probably do is crash the
telnetd.

Kris
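The unchecked sprintf()-and-advance pattern mentioned above, beside a bounded replacement, as an added example that is not code from this message or from any vendor's telnetd. The buffer, pointer and function names (netobuf, nfrontp, net_append, net_pending, net_reset) are assumptions modelled on the BSD telnetd naming the message refers to, and the buffer size is deliberately tiny so the overflow condition is easy to hit.

```c
/* Added example (not from the original message or any telnetd):
 * a bounded replacement for the classic output-buffer pattern
 *   sprintf(nfrontp, ...); nfrontp += strlen(nfrontp);
 * Names below are assumptions modelled on BSD telnetd's netobuf/nfrontp. */
#include <stdio.h>
#include <string.h>
#include <stdarg.h>

#define NETOBUF_SIZE 64          /* deliberately small for the demo */

static char netobuf[NETOBUF_SIZE];
static char *nfrontp = netobuf;  /* next free byte in netobuf */

/* Classic pattern, shown for contrast and never executed here: the
 * formatted write is not bounded by the space left in netobuf, so a
 * sufficiently long reply writes past the end of the buffer and then
 * advances nfrontp beyond it, corrupting whatever follows.
 *
 *   sprintf(nfrontp, "%s", reply);
 *   nfrontp += strlen(nfrontp);
 */

/* Bounded appender: formats into the free tail of netobuf only if the
 * whole result fits.  Returns the number of bytes appended, or -1 and
 * leaves the queued data untouched when the reply would not fit. */
int net_append(const char *fmt, ...)
{
    size_t avail = (size_t)(netobuf + NETOBUF_SIZE - nfrontp);
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(nfrontp, avail, fmt, ap);   /* never writes past avail */
    va_end(ap);
    if (n < 0 || (size_t)n >= avail) {
        /* vsnprintf truncated (or failed): discard the partial write so the
         * caller can flush and retry instead of silently sending garbage */
        if (avail > 0)
            *nfrontp = '\0';
        return -1;
    }
    nfrontp += n;
    return n;
}

/* Bytes currently queued in netobuf. */
size_t net_pending(void)
{
    return (size_t)(nfrontp - netobuf);
}

/* Reset the buffer, as the daemon would after flushing it to the socket. */
void net_reset(void)
{
    nfrontp = netobuf;
    netobuf[0] = '\0';
}

int main(void)
{
    net_reset();
    printf("appended %d bytes\n", net_append("hello %s", "world"));
    printf("oversized reply: %d\n", net_append("%0100d", 0));
    printf("queued: %zu bytes\n", net_pending());
    return 0;
}
```

The point of the check is the `>= avail` comparison: vsnprintf reports the length the full output would have had, so comparing that against the free space is what turns an overflow into a refused append that the daemon can handle by flushing first.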
