Nmap Development mailing list archives

New script for detecting FreeBSD remote root vulnerability


From: Fyodor <fyodor () insecure org>
Date: Tue, 27 Dec 2011 17:43:57 -0800

Hi folks!  You may have seen this "Merry Christmas from the FreeBSD
Security Team" note:

http://lists.freebsd.org/pipermail/freebsd-announce/2011-December/001401.html

Unfortunately, their gift of 5 security advisories is not what your
typical network/systems administrator wanted on Christmas eve.  But
the FreeBSD folks had no choice on the timing since one of the vulns
is a remotely exploitable bug in their telnetd which was already being
exploited in the wild:

http://lists.freebsd.org/pipermail/freebsd-announce/2011-December/001398.html

Here is a root exploit:

http://www.exploit-db.com/exploits/18280/

David and Patrik and I were chatting about NSE today and we decided to
write a script to help sysadmins quickly detect this vulnerability on
their networks before attackers do.  Then they can get back to holiday
celebrations ASAP :).  Technically, what our new script detects are
telnet servers which support the encryption option.  In my tests
against thousands of telnet servers on the Internet, that seems to be
fewer than 1% of them.  So it doesn't guarantee that a server is
vulnerable, but it dramatically limits the number you need to look at.

In the interests of expediency, I've already committed this into the
/nmap trunk.  But there is definitely room for improvement if anyone
wants to give it a shot!  In particular, it would probably be pretty
easy to send a payload which overruns the buffers with a bunch of
0x4e6d6170 words to see if the telnetd crashes.  Telnetd is normally
spawned by inetd, in which case it should remain available for use or
exploitation even after the crash.  It would also be nice for this
script (particularly with this change) to use the vuln library.

For a vulnerable test box, you can find a FreeBSD 8.2 x86 VMWare
machine on this page:

http://www.thoughtpolice.co.uk/vmware/

You can already use the new script from Nmap SVN, or you can download
it individually for your current version of Nmap from its nsedoc page:

http://nmap.org/nsedoc/scripts/telnet-encryption.html

You can run it against a network with a command like:

nmap -p23 -PS23 --script telnet-encryption -oA telnetscan -v [networks]

Happy holidays!
-Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
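As an added example (not part of Fyodor's message and not the Nmap project's own code), the Python below shows the property the telnet-encryption script keys on: whether a telnet server negotiates the ENCRYPT option (option 38, RFC 2946). It parses Telnet IAC option negotiation per RFC 854, skipping subnegotiations and escaped 0xFF bytes so they cannot be mistaken for a WILL/DO, and classifies a reply as supporting, refusing, or not mentioning encryption. The probe byte sequence is an assumption (the NSE script's exact bytes may differ), and the sample replies are constructed, not captured from any host; `probe_host` is the only part that touches the network and is not needed to run the offline checks.

```python
"""Telnet ENCRYPT-option negotiation check (constructed example).

Reports whether a telnet peer announces support for the ENCRYPT option
(38, RFC 2946).  A server that refuses the option (WONT/DONT) or never
mentions it is not a candidate for the telnetd encryption-option bug and
can be dropped from the list of hosts to inspect.
"""
import socket

# Telnet command bytes (RFC 854)
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
ENCRYPT = 38  # Telnet ENCRYPT option number (RFC 2946)

NAMES = {DONT: "DONT", DO: "DO", WONT: "WONT", WILL: "WILL"}

# Assumed probe: offer encryption from our side and ask the server to use
# it too.  The real NSE script's byte sequence may differ.
PROBE = bytes([IAC, WILL, ENCRYPT, IAC, DO, ENCRYPT])


def parse_negotiation(data: bytes) -> list:
    """Return (command, option) pairs for every WILL/WONT/DO/DONT in data.

    Subnegotiations (IAC SB ... IAC SE) and escaped 0xFF data bytes are
    skipped so their contents are never read as option negotiation.
    """
    out = []
    i = 0
    while i < len(data):
        if data[i] != IAC:
            i += 1
            continue
        if i + 1 >= len(data):
            break                      # truncated IAC at end of buffer
        cmd = data[i + 1]
        if cmd == IAC:                 # escaped literal 0xFF data byte
            i += 2
        elif cmd in NAMES:             # three-byte option negotiation
            if i + 2 >= len(data):
                break
            out.append((cmd, data[i + 2]))
            i += 3
        elif cmd == SB:                # skip everything up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            i = end + 2
        else:                          # other two-byte command (NOP, GA, ...)
            i += 2
    return out


def encrypt_support(data: bytes) -> str:
    """Classify a reply: 'supported', 'refused' or 'unknown'."""
    verdicts = [cmd for cmd, opt in parse_negotiation(data) if opt == ENCRYPT]
    if any(c in (WILL, DO) for c in verdicts):
        return "supported"
    if verdicts:
        return "refused"
    return "unknown"


def probe_host(host: str, port: int = 23, timeout: float = 5.0) -> str:
    """Connect, send PROBE, read until the peer goes quiet, classify."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(PROBE)
        chunks = []
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return encrypt_support(b"".join(chunks))


# Constructed sample replies (not captured from any real host).
# A server that accepts the option and opens an ENCRYPT subnegotiation:
REPLY_SUPPORTED = bytes([IAC, DO, ENCRYPT, IAC, WILL, ENCRYPT,
                         IAC, SB, ENCRYPT, 2, 0, IAC, SE])
# A server that explicitly refuses it, then asks for TTYPE (24):
REPLY_REFUSED = bytes([IAC, DONT, ENCRYPT, IAC, WONT, ENCRYPT, IAC, DO, 24])
# A server that only negotiates TTYPE (24) and NAWS (31) before the banner:
REPLY_LOGIN_ONLY = b"\xff\xfd\x18\xff\xfd\x1flogin: "

if __name__ == "__main__":
    for label, reply in (("supported", REPLY_SUPPORTED),
                         ("refused", REPLY_REFUSED),
                         ("login-only", REPLY_LOGIN_ONLY)):
        print(label, "->", encrypt_support(reply))
```

Only hosts classified as "supported" need the follow-up the message describes; as Fyodor notes, that cuts the candidate set to a small fraction of telnet servers without proving any of them vulnerable.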
