Full Disclosure mailing list archives
Microsoft Windows and *nix Telnet Port Number Argument Obfuscation
From: Kristian Hermansen <khermans () cisco com>
Date: Tue, 07 Jun 2005 18:09:41 -0400
I. BACKGROUND Telnet is a standard networking tool available on almost every computing platform that participates on a network. II. DESCRIPTION The second argument to the telnet executable, the port number, does not need to conform to the standard available port conventions (ie. 0-65535). It is actually possible to specify a port number very far out of the effective range, and still be able to connect to the "wrapped" port value. On Windows, it is even possible to specify negative port values. Following is a short demonstration: C:\>telnet localhost 65535999999999934485 220 localhost Microsoft FTP Service (Version 5.0). C:\>telnet localhost -6553403371 220 localhost Microsoft FTP Service (Version 5.0). You can create your own "wrapping" values by picking large numbers that have a remainder of your specified port when modded with 65536. For instance, in the example above: 65535999999999934485 % 65536 = 21 III. ANALYSIS This is not a vulnerability at all, but could prove quite useful when trying to obfuscate an admin's log of executed shell commands. For instance, an unknowing admin looking at the arguments to telnet in this example would be very confused. Other than this, there is no security risk and the result is just interesting. IV. DETECTION I have confirmed that this will work on Microsoft Windows 2000 Server SP4, Microsoft Windows Advanced Server SP0, Red Hat Linux Enterprise Server 3.0, SuSE Professional 9.0, and Sun Solaris 8. V. CREDIT Discovered by Kristian Hermansen. -- Kristian Hermansen <khermans () cisco com> Cisco Systems, Inc. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Microsoft Windows and *nix Telnet Port Number Argument Obfuscation Kristian Hermansen (Jun 07)
- Re: Microsoft Windows and *nix Telnet Port Number Argument Obfuscation Nick FitzGerald (Jun 07)
- Re: Microsoft Windows and *nix Telnet Port Number Argument Obfuscation Andrew Haninger (Jun 08)
- RE: Microsoft Windows and *nix Telnet Port NumberArgument Obfuscation Arjan van der Velde (Jun 08)
- Re: Microsoft Windows and *nix Telnet Port NumberArgument Obfuscation Raghu Chinthoju (Jun 08)
- Re: Microsoft Windows and *nix Telnet Port Number Argument Obfuscation Andrew Haninger (Jun 08)
- Re: Microsoft Windows and *nix Telnet Port Number Argument Obfuscation Stan Bubrouski (Jun 09)
- Re: Microsoft Windows and *nix Telnet Port Number Argument Obfuscation Kristian Hermansen (Jun 09)
- Re: Microsoft Windows and *nix Telnet Port Number Argument Obfuscation Nick FitzGerald (Jun 09)
- Re: Microsoft Windows and *nix Telnet PortNumber Argument Obfuscation Etaoin Shrdlu (Jun 09)
- Re: Microsoft Windows and *nix Telnet PortNumber Argument Obfuscation Kristian Hermansen (Jun 09)
- Re: Microsoft Windows and *nix Telnet PortNumber Argument Obfuscation Chris Umphress (Jun 11)
- Re: Microsoft Windows and *nix Telnet Port Number Argument Obfuscation Nick FitzGerald (Jun 07)