oss-sec mailing list archives

Re: Multiple telnet.c overflows

From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Tue, 11 Dec 2018 13:10:51 -0800

On 12/11/18 10:39 AM, Hacker Fantastic wrote:

When a telnet server requests environment options the sprintf on line 1002 will
not perform bounds checking and causes an overflow of stack buffer
temp[50] defined
at line 990. This issue can be trivially fixed using a patch to add
bounds checking
to sprintf such as with a call to snprintf();


GNU inetutils telnet is a fork of the original BSD telnet code, but most of
the BSD's seem to have already switched to snprintf a while ago:

https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/telnet/telnet.c.diff?r1=1.3&r2=1.4&f=h
https://github.com/freebsd/freebsd/commit/d2f83e4ec488ec62281318b26dad107e65d96d0c#diff-3503402e6a2ad1eb960a4f475f19fb9f

with NetBSD as the outlier:
http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.bin/telnet/telnet.c?rev=1.36&content-type=text/x-cvsweb-markup&only_with_tag=MAIN

illumos also uses snprintf, in the code it inherited from OpenSolaris:
https://github.com/illumos/illumos-gate/blob/master/usr/src/cmd/cmd-inet/usr.bin/telnet/telnet.c#L955

        -alan-

Current thread:

Multiple telnet.c overflows Hacker Fantastic (Dec 11)
- Re: Multiple telnet.c overflows Alan Coopersmith (Dec 11)
  - Re: Multiple telnet.c overflows Tavis Ormandy (Dec 12)
    - Re: Multiple telnet.c overflows Hacker Fantastic (Dec 12)
    - Re: Multiple telnet.c overflows Tavis Ormandy (Dec 12)
    - Re: Multiple telnet.c overflows Bob Friesenhahn (Dec 12)
    - Re: Multiple telnet.c overflows Tavis Ormandy (Dec 12)
    - Re: Multiple telnet.c overflows Hacker Fantastic (Dec 12)
    - Re: Multiple telnet.c overflows Tavis Ormandy (Dec 12)
    - Re: Multiple telnet.c overflows Hacker Fantastic (Dec 13)
    - Re: Multiple telnet.c overflows Tavis Ormandy (Dec 12)
    - Re: Multiple telnet.c overflows Hacker Fantastic (Dec 13)

(Thread continues...)