Full Disclosure mailing list archives

RE: Microsoft Windows and *nix Telnet Port Number Argument Obfuscation


From: Stephen Blass <Stephen.Blass () asu edu>
Date: Wed, 08 Jun 2005 11:39:32 -0700

It is a buffer overflow of sorts when a fixed length integer (or real or
double) like the telnet port argument exceeds the expected range and
mods out to become equal to the remainder that is left when the highest
order bits that don't fit get thrown away.  In the telnet port case it
may not be a real 'vulnerability' but it is a reasonably good example of
unchecked arguments allowing for unexpected behavior.   In the telnet
port case the overly large port number has already been crammed into the
available bits by the time the code could check it anyway.  So how would
one teach telnet to throw away bogus port arguments that are too big
then?  What about with dotted quads whose parts exceed 255?  You might
use string arguments but then you have to watch for string overflows
which have plagued us for years and occasionally still do.

That you can connect to a mail host on port 25 by typing  telnet
mailhost 65561 is either interesting or unsettling depending on your
point of view.  In either case it is probably worth understanding if
you're the security guru on site or you write network code.

-
Steve








-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Richard
John L Contractor 611 ACF/SCO
Sent: Wednesday, June 08, 2005 9:20 AM
To: 'Full Disclosure'
Subject: RE: [Full-disclosure] Microsoft Windows and *nix Telnet Port
Number Argument Obfuscation

I agree with the individual below...some of us are still new to this
vulnerability thing (I for one) and appreciate lurking here and taking
it all in...as a matter of fact, I'd love to have the original poster,
re-post...I was talking to a few others who had no idea about this and
they'd love to see the article (which I'd deleted - for some reason???)

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk]On Behalf Of Arjan van
der Velde
Sent: Wednesday, June 08, 2005 00:05
To: 'Andrew Haninger'; nick () virus-l demon co uk
Cc: 'Full Disclosure'
Subject: RE: [Full-disclosure] Microsoft Windows and *nix Telnet Port
Number Argument Obfuscation


Hi,

I like reading posts in here to learn from. It would be good not to be
too hostile against people asking questions you already know the answer
for or even have known it for ages already. If I were to ask a question
I would like to be educated or at least pointed in the right direction.
Some replies really discourage people from asking.

- Arjan 


-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Andrew
Haninger
Sent: Wednesday, June 08, 2005 9:08
To: nick () virus-l demon co uk
Cc: Full Disclosure
Subject: Re: [Full-disclosure] Microsoft Windows and *nix Telnet Port
Number Argument Obfuscation

On 6/7/05, Nick FitzGerald <nick () virus-l demon co uk> wrote:
> This has been known since Adam was a cowboy.

Well, this /is/ full-disclosure, no? Best to tell than to withhold.

And while I would hope that there aren't a rash of old-school
vulnerabilities blowing through the list, I, for one, was unaware that
you could specify telnet ports like that. I wouldn't be surprised if I'm
not alone. Now I'll know what's up if I ever see stuff like this.

Though it does worry me a bit that this came from a @cisco.com address.
Shouldn't they be kind of *YAWN* about all things networking?

--
Andy
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
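
The question raised at the top of this thread (how to reject port arguments that are too big before they get crammed into 16 bits, and dotted quads with parts above 255) can be answered by validating the wide value first and narrowing afterwards. The following is an added example, not code from any poster or from a telnet implementation; the function names and sample arguments are hypothetical and constructed for illustration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: narrows without checking, so bits above the low 16
 * are discarded and "65561" (65536 + 25) comes back as 25. */
uint16_t parse_port_unchecked(const char *arg)
{
    return (uint16_t)strtoul(arg, NULL, 10);
}

/* Hypothetical helper: validates the wide value BEFORE narrowing.
 * Returns 0 and stores the port on success, -1 for any bogus argument. */
int parse_port_checked(const char *arg, uint16_t *port)
{
    char *end;
    long v;
    if (arg == NULL || !isdigit((unsigned char)arg[0]))
        return -1;                      /* empty, signed, or non-numeric */
    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                      /* overflowed long, or trailing junk */
    if (v < 1 || v > 65535)
        return -1;                      /* outside the 16-bit port range */
    *port = (uint16_t)v;
    return 0;
}

/* Dotted quads: inet_pton() rejects any part above 255. Returns 0 or -1. */
int parse_ipv4_strict(const char *arg)
{
    struct in_addr addr;
    return inet_pton(AF_INET, arg, &addr) == 1 ? 0 : -1;
}

int main(void)
{
    const char *samples[] = { "25", "65561", "70000", "25x" }; /* constructed */
    uint16_t p;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-6s unchecked=%-5u checked=%s\n", samples[i],
               (unsigned)parse_port_unchecked(samples[i]),
               parse_port_checked(samples[i], &p) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The same wide-then-narrow check is useful on the detection side: a logged command line whose port argument exceeds 65535 can be normalized by taking it modulo 65536 to see which port was actually contacted.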



