Nmap Development mailing list archives
New script for detecting FreeBSD remote root vulnerability
From: Fyodor <fyodor () insecure org>
Date: Tue, 27 Dec 2011 17:43:57 -0800
Hi folks!

You may have seen this "Merry Christmas from the FreeBSD Security Team" note:

http://lists.freebsd.org/pipermail/freebsd-announce/2011-December/001401.html

Unfortunately, their gift of 5 security advisories is not what your typical network/systems administrator wanted on Christmas eve. But the FreeBSD folks had no choice on the timing since one of the vulns is a remotely exploitable bug in their telnetd which was already being exploited in the wild:

http://lists.freebsd.org/pipermail/freebsd-announce/2011-December/001398.html

Here is a root exploit:

http://www.exploit-db.com/exploits/18280/

David and Patrik and I were chatting about NSE today and we decided to write a script to help sysadmins quickly detect this vulnerability on their networks before attackers do. Then they can get back to holiday celebrations ASAP :).

Technically, what our new script detects are telnet servers which support the encryption option. In my tests against thousands of telnet servers on the Internet, that seems to be fewer than 1% of them. So it doesn't guarantee that a server is vulnerable, but it dramatically limits the number you need to look at.

In the interests of expediency, I've already committed this into the /nmap trunk. But there is definitely room for improvement if anyone wants to give it a shot! In particular, it would probably be pretty easy to send a payload which overruns the buffers with a bunch of 0x4e6d6170 words to see if the telnetd crashes. Telnetd is normally spawned by inetd, in which case it should remain available for use or exploitation even after the crash. It would also be nice for this script (particularly with this change) to use the vuln library.

For a vulnerable test box, you can find a FreeBSD 8.2 x86 VMWare machine on this page:

http://www.thoughtpolice.co.uk/vmware/

You can already use the new script from Nmap SVN, or you can download it individually for your current version of Nmap from its nsedoc page:

http://nmap.org/nsedoc/scripts/telnet-encryption.html

You can run it against a network with a command like:

nmap -p23 -PS23 --script telnet-encryption -oA telnetscan -v [networks]

Happy holidays!
-Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
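The check the post describes (find telnet servers that will negotiate the encryption option) can be reproduced outside Nmap. The following is an added example written for this archive page; it is not the telnet-encryption NSE script and not Fyodor's code. It assumes the detection approach is a plain option negotiation: send IAC DO ENCRYPT (option 38, RFC 2946) and treat IAC WILL ENCRYPT in the reply as "supports encryption" and IAC WONT ENCRYPT as "does not". The function names, the constructed sample replies and the hypothetical `probe` helper are all assumptions of this example, not something the post or the script defines.

```python
"""Telnet ENCRYPT option probe (added example; not the telnet-encryption NSE
script). Sends IAC DO ENCRYPT and decides from the reply whether the server
is willing to negotiate the option, mirroring the detection idea in the post."""
import socket

# Telnet command bytes (RFC 854) and the ENCRYPT option number (RFC 2946).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
OPT_ENCRYPT = 38
VERBS = {DONT: "DONT", DO: "DO", WONT: "WONT", WILL: "WILL"}


def parse_negotiation(data: bytes) -> list:
    """Extract (verb, option) pairs from raw telnet bytes.

    Skips ordinary text, honours the IAC IAC escape for a literal 0xff, and
    steps over SB ... IAC SE subnegotiation blocks, so a login banner mixed
    into the reply cannot be mistaken for a negotiation."""
    pairs, i, n = [], 0, len(data)
    while i < n:
        if data[i] != IAC:
            i += 1                      # plain text byte
            continue
        if i + 1 >= n:
            break                       # truncated command
        cmd = data[i + 1]
        if cmd == IAC:
            i += 2                      # escaped data byte 0xff
        elif cmd in VERBS:
            if i + 2 >= n:
                break                   # truncated option byte
            pairs.append((VERBS[cmd], data[i + 2]))
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break                   # unterminated subnegotiation
            i = end + 2
        else:
            i += 2                      # NOP, GA and other two-byte commands
    return pairs


def classify(reply: bytes) -> str:
    """'encrypt' if the server answered WILL ENCRYPT, 'no-encrypt' if it
    answered WONT ENCRYPT, 'undecided' if it has said neither yet."""
    pairs = parse_negotiation(reply)
    if ("WILL", OPT_ENCRYPT) in pairs:
        return "encrypt"
    if ("WONT", OPT_ENCRYPT) in pairs:
        return "no-encrypt"
    return "undecided"


def probe(host: str, port: int = 23, timeout: float = 5.0) -> str:
    """Hypothetical live check against a real telnet server (needs network).
    Keeps reading until the server has answered DO ENCRYPT one way or the
    other, or until the connection goes quiet."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bytes([IAC, DO, OPT_ENCRYPT]))
        reply = b""
        while len(reply) < 4096:
            try:
                chunk = s.recv(1024)
            except socket.timeout:
                break
            if not chunk:
                break
            reply += chunk
            verdict = classify(reply)
            if verdict != "undecided":
                return verdict
    return classify(reply)


# Constructed sample replies for offline use (not captures from a real host).
# A server offering encryption: it asks for TTYPE (option 24), answers
# WILL ENCRYPT, opens an ENCRYPT SUPPORT subnegotiation (DES_CFB64, DES_OFB64)
# and then prints its login banner.
SAMPLE_ENCRYPT = (bytes([IAC, DO, 24, IAC, WILL, OPT_ENCRYPT])
                  + bytes([IAC, SB, OPT_ENCRYPT, 1, 1, 2, IAC, SE])
                  + b"\r\nlogin: ")
# A server without the option refuses it, which the post says is the common case.
SAMPLE_PLAIN = bytes([IAC, DO, 24, IAC, WONT, OPT_ENCRYPT]) + b"\r\nlogin: "
# Data containing an escaped 0xff byte ahead of the real answer.
SAMPLE_ESCAPED = b"\xff\xff" + bytes([IAC, WILL, OPT_ENCRYPT])

if __name__ == "__main__":
    for name, sample in (("encrypt", SAMPLE_ENCRYPT), ("plain", SAMPLE_PLAIN)):
        print(name, parse_negotiation(sample), classify(sample))
```

As the post notes, a WILL ENCRYPT answer only means the option is offered; it narrows the list of hosts to check, it does not prove the host runs the vulnerable FreeBSD telnetd. Run `probe()` only against hosts you are authorised to test.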