SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Telnet
Vendors:   [Multiple Authors/Vendors]
Telnet Daemons May Give Remote Users Root Level Access Privileges
SecurityTracker Alert ID:  1002040
SecurityTracker URL:  http://securitytracker.com/id/1002040
CVE Reference:   CVE-2001-0554
Updated:  Sep 21 2004
Original Entry Date:  Jul 18 2001
Impact:   Execution of arbitrary code via network, Root access via network, User access via network


Description:   TESO reported that many BSD-derived Telnet daemons (servers) contain a vulnerability that may allow a remote user to obtain root level access on the server.

The vulnerability is reportedly due to a buffer overflow in the telnet option handling.

The following systems are reported to be vulnerable:

BSDI 4.x (default install), FreeBSD 2.x through 5.x (default install), IRIX 6.5, Linux netkit-telnetd < 0.14, NetBSD 1.x (default install), OpenBSD 2.x, Solaris 2.x SPARC, and "almost any other vendor's telnetd". TESO reports netkit-telnetd 0.14 and later and OpenBSD -current as not vulnerable, lists only BSDI, FreeBSD and NetBSD as confirmed exploitable, and reports IRIX 6.5 as vulnerable but not exploitable.

A remote user can send a specially formatted option string to the remote telnet server and overwrite data in static memory beyond the daemon's output buffer, causing arbitrary code to be executed with the privileges of the telnet server (which is typically root level privileges).

Telnet options are reportedly processed by the 'telrcv' function. The results of the parsing, which are to be sent back to the client, are stored in the 'netobuf' buffer. It is apparently assumed that the reply data is smaller than the buffer size (usually BUFSIZ bytes), so no bounds checking is performed. By using a combination of options, especially the 'AYT' Are You There option, it is possible for a remote user to append data to the buffer: each two-byte AYT request produces a reply of about nine bytes, so a full BUFSIZ-byte input buffer can push up to ((BUFSIZ / 2) * 9) - BUFSIZ bytes past the end of 'netobuf' (3584 bytes when BUFSIZ is 1024, 14336 when it is 4096). It is reported that the characters that can be written past the buffer are limited, since they come from the daemon's own replies, which makes constructing a successful exploit difficult.

The report states that a working exploit has been developed for BSDI, NetBSD and FreeBSD. However, the exploit was not released.

Impact:   A remote user can execute arbitrary code on the server with the privileges of the telnet server, which is typically root level privileges.
Solution:   No solution was available at the time of this entry. TESO recommends disabling the telnet daemon altogether, since good and free replacements exist. Vendor fixes released later are listed in the follow-up messages below.
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Many Linux and Unix OSs are vulnerable, but not all; see the Alert text for more information.

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Caldera Issues Fix) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix.
(FreeBSD Issues Fix) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix.
(A Scanner is Released) Re: Telnet Daemons May Give Remote Users Root Level Access Privileges
A scanner for this vulnerability has been released.
(NetBSD Issues Fix) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix.
(FreeBSD Issues Revised Fix) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a revised fix.
(MacOS Also Vulnerable) Re: Telnet Daemons May Give Remote Users Root Level Access Privileges
The telnet server on Mac OS X is reported to be vulnerable.
(Fixed Kerberos 5 Telnet Daemon is Released) Re: Telnet Daemons May Give Remote Users Root Level Access Privileges
A fixed version of the telnet daemon included with MIT Kerberos 5 (krb5) has been released.
(IBM Issues Fix for AIX) Re: Telnet Daemons May Give Remote Users Root Level Access Privileges
IBM has released a fix for AIX.
(Caldera Issues Fix for SCO) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix for SCO Unix.
(Caldera Issues Fix for SCO) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix for SCO OpenServer.
(Netkit = .17 is Vulnerable) Re: Telnet Daemons May Give Remote Users Root Level Access Privileges
This is a follow-up message.
(Caldera Issues Updated Linux Fix) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix for Caldera Linux.
(Red Hat Issues Fixed Kerberos Package) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix for Kerberos 5, which contains the affected telnet program.
(Red Hat Issues Fix) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix.
(FreeBSD Issues Fix for 'Ports' Collection) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix for the FreeBSD ports collection.
(SGI Issues Fix) Re: Telnet Daemons May Give Remote Users Root Level Access Privileges
SGI has issued a fix for IRIX.
(Conectiva Issues Fix) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix.
(Caldera Issues Fix for OpenLinux) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix for OpenLinux.
(Slackware Issues Fix) Re: Telnet Daemons May Give Remote Users Root Level Access Privileges
Slackware has issued a fix.
(Debian Issues Fix) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix.
(Mandrake Issues Fix) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix.
(Debian Issues Fix for Telnet/SSL Package) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix for netkit-telnet-ssl.
(Debian Issues Fix for Telnet/SSL on Sparc) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix for Debian netkit-telnet-ssl on the Sparc platform.
(SuSE Issues Fix) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix.
(HP Issues Fix) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix.
(Sun Issues Fix) Re: Telnet Daemons May Give Remote Users Root Level Access Privileges
Sun has issued a fix.
(Mandrake Issues Fix for Kerberized Telnet) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix for the Kerberized telnet.
(Red Hat Issues Fix for RH 7.0 and 7.1) Telnet Daemons May Give Remote Users Root Level Access Privileges
The vendor has released a fix.
(Sun Issues Fix) Re: Telnet Daemons May Give Remote Users Root Level Access Privileges
Sun has issued patches.



Source Message Contents

Subject:  telnetd vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- ------

TESO Security Advisory
06/10/2001

Multiple vendor Telnet Daemon vulnerability


Summary
===================

    Within most of the current telnet daemons in use today there exists a
    buffer overflow in the telnet option handling. Under certain circumstances
    it may be possible to exploit it to gain root privileges remotely.


Systems Affected
===================

    System                                  | vulnerable   | exploitable *
    ----------------------------------------+--------------+------------------
    BSDI 4.x default                        |      yes     |       yes
    FreeBSD [2345].x default                |      yes     |       yes
    IRIX 6.5                                |      yes     |        no
    Linux netkit-telnetd < 0.14             |      yes     |        ?
    Linux netkit-telnetd >= 0.14            |       no     |
    NetBSD 1.x default                      |      yes     |       yes
    OpenBSD 2.x                             |      yes     |        ?
    OpenBSD current                         |       no     |
    Solaris 2.x sparc                       |      yes     |        ?
    <almost any other vendor's telnetd>     |      yes     |        ?
    ----------------------------------------+--------------+------------------

    * = From our analysis and conclusions, which may not be correct, or we may
        have overlooked things. Do not rely on this.

    Details about the systems can be found below.


Impact
===================

    Through sending a specially formed option string to the remote telnet
    daemon a remote attacker might be able to overwrite sensitive information
    on the static memory pages. If done properly this may result in arbitrary
    code getting executed on the remote machine under the privileges the
    telnet daemon runs on, usually root.


Explanation
===================

    Within every BSD derived telnet daemon under UNIX the telnet options are
    processed by the 'telrcv' function. This function parses the options
    according to the telnet protocol and its internal state. During this
    parsing the results which should be sent back to the client are stored
    within the 'netobuf' buffer. This is done without any bounds checking,
    since it is assumed that the reply data is smaller than the buffer size
    (which is BUFSIZ bytes, usually).

    However, using a combination of options, especially the 'AYT' Are You There
    option, it is possible to append data to the buffer, usually nine bytes
    long. To trigger this response, two bytes in the input buffer are
    necessary. Since this input buffer is BUFSIZ bytes long, you can exceed the
    output buffer by as much as ((BUFSIZ / 2) * 9) - BUFSIZ bytes. For the
    common case that BUFSIZ is defined to be 1024, this results in a buffer
    overflow by up to 3584 bytes.  On systems where BUFSIZ is defined to be
    4096, this is an even greater value (14336).

    Due to the limited set of characters an attacker is able to write outside
    of the buffer it is difficult - if not impossible on some systems - to
    exploit this buffer overflow. Another hurdle for a possible attacker may be
    the lack of interesting information to modify after the buffer.

    This buffer overflow should be considered serious nevertheless, since
    experience has shown that even complicated vulnerabilities can be
    exploited by skilled attackers; BIND TSIG and SSH deattack come to mind.

    We have constructed a working exploit for any version of BSDI, NetBSD and
    FreeBSD. Exploitation on Solaris sparc may be possible, but if it is, it is
    very difficult and involves lots of arcane tricks. OpenBSD is not as easily
    exploitable as the other BSDs, because they do compile with other
    options by default, changing memory layout.


Solution
===================

    The vendors have been notified of the problem at the same time as the
    general public; vendor patches for your telnet daemon that fix the bug will
    show up soon.

    Sometimes a fix might not be trivial and require a lot of changes to the
    source code, due to the insecure way the 'nfrontp' pointer is handled.
    The best long term solution is to disable the telnet daemon altogether,
    since there are good and free replacements.


Acknowledgements
===================

    The bug has been discovered by scut.

    The tests and further analysis were done by smiler, lorian, zip and scut.


Contact Information
===================

    The TESO crew can be reached by mailing to teso@team-teso.net
    Our web page is at http://www.team-teso.net/


References
===================

    [1] TESO
        http://www.team-teso.net/


Disclaimer
===================

    This advisory does not claim to be complete or to be usable for any
    purpose. Especially information on the vulnerable systems may be inaccurate
    or wrong. Possibly supplied exploit code is not to be used for malicious
    purposes, but for educational purposes only.

    This advisory is free for open distribution in unmodified form.
    Articles that are based on information from this advisory should include
    link [1].


Exploit
===================

    Not this time. Not here.

- ------


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7VfBscZZ+BjKdwjcRAsTcAJ9esSlkS7BGkYM1Yulaz3zINqxpmgCeM885
3thubMQc+6S4RpHasL0qz0Y=
=VT7y
-----END PGP SIGNATURE-----
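
The overrun described in the SecurityTracker description above and in the Explanation section of the TESO advisory, as an added example; this is not code from the page, from TESO, or from any vendor's telnetd source. It is a small C model of telrcv's output path: IAC AYT pairs are parsed and a reply is appended at nfrontp, once without any comparison against the end of netobuf (the advisory's pattern) and once with the check the original code lacked. The names telrcv, netobuf, nfrontp and BUFSIZ come from the advisory; the nine-byte reply text, the MODEL_ constants, the decision to ignore every command other than AYT, and the 'S'-filled region standing in for the static data placed after netobuf are assumptions of this model. The backing array is sized for the worst case, so the vulnerable path overruns only the model's buffer, not the process's own memory.

```c
/*
 * Model of the telnetd 'netobuf' overflow (CVE-2001-0554).  Added example, not
 * telnetd source.  Names from the advisory: telrcv, netobuf, nfrontp, BUFSIZ.
 * Assumed: the 9-byte AYT reply text, and that only AYT produces a reply.
 */
#include <stdio.h>
#include <string.h>

#define IAC 255                    /* telnet "interpret as command" */
#define AYT 246                    /* telnet "are you there" */
#define MODEL_BUFSIZ 1024          /* stand-in for the system BUFSIZ */
#define AYT_REPLY "\r\n[Yes]\r\n"  /* assumed reply; advisory: "usually nine bytes" */
#define AYT_REPLY_LEN (sizeof(AYT_REPLY) - 1)
/* Worst case: BUFSIZ input bytes of IAC AYT pairs yield one reply per pair. */
#define MODEL_MEMSZ ((MODEL_BUFSIZ / 2) * AYT_REPLY_LEN)

/* The advisory's bound on the overrun: ((BUFSIZ / 2) * 9) - BUFSIZ bytes. */
size_t max_overflow(size_t bufsiz)
{
    return (bufsiz / 2) * AYT_REPLY_LEN - bufsiz;
}

/* Constructed attacker input: bufsiz bytes of IAC AYT pairs.  Returns bytes filled. */
size_t build_ayt_flood(unsigned char *in, size_t bufsiz)
{
    size_t i = 0;
    for (; i + 1 < bufsiz; i += 2) {
        in[i] = IAC;
        in[i + 1] = AYT;
    }
    return i;
}

/*
 * mem[0..MODEL_BUFSIZ) plays netobuf; mem[MODEL_BUFSIZ..MODEL_MEMSZ) plays the
 * static data that follows it, filled with 'S' so clobbering can be measured.
 * mem covers the worst case, so the vulnerable path never leaves this array.
 */
void init_mem(unsigned char *mem)
{
    memset(mem, 'S', MODEL_MEMSZ);
}

size_t bytes_clobbered(const unsigned char *mem)
{
    size_t n = 0;
    for (size_t i = MODEL_BUFSIZ; i < MODEL_MEMSZ; i++)
        n += (mem[i] != 'S');
    return n;
}

/* telrcv's option loop: IAC AYT appends the reply at nfrontp.  With bounded == 0
 * this is the advisory's pattern, no comparison against the end of netobuf;
 * with bounded != 0 a reply that does not fit is dropped and counted instead
 * (a real daemon would flush netobuf to the network first). */
static size_t telrcv_model(unsigned char *mem, const unsigned char *in, size_t len,
                           int bounded, size_t *dropped)
{
    unsigned char *netobuf = mem, *nfrontp = netobuf;   /* nfrontp: next free byte */
    int in_iac = 0;                                     /* previous byte was IAC */
    *dropped = 0;
    for (size_t i = 0; i < len; i++) {
        if (!in_iac) {                  /* plain data goes to the pty, not netobuf */
            in_iac = (in[i] == IAC);
            continue;
        }
        in_iac = 0;
        if (in[i] != AYT)               /* other commands: ignored in this model */
            continue;
        if (bounded && (size_t)(netobuf + MODEL_BUFSIZ - nfrontp) < AYT_REPLY_LEN) {
            (*dropped)++;
            continue;
        }
        memcpy(nfrontp, AYT_REPLY, AYT_REPLY_LEN);      /* unbounded: runs past netobuf */
        nfrontp += AYT_REPLY_LEN;
    }
    return (size_t)(nfrontp - netobuf);                 /* bytes of output produced */
}

size_t telrcv_vulnerable(unsigned char *mem, const unsigned char *in, size_t len)
{
    size_t unused;
    return telrcv_model(mem, in, len, 0, &unused);
}

size_t telrcv_fixed(unsigned char *mem, const unsigned char *in, size_t len, size_t *dropped)
{
    return telrcv_model(mem, in, len, 1, dropped);
}

int main(void)
{
    static unsigned char mem[MODEL_MEMSZ];
    unsigned char in[MODEL_BUFSIZ];
    size_t n = build_ayt_flood(in, MODEL_BUFSIZ), out, dropped;

    init_mem(mem);
    out = telrcv_vulnerable(mem, in, n);
    printf("vulnerable: %zu in -> %zu out, %zu bytes past netobuf (bound %zu)\n",
           n, out, bytes_clobbered(mem), max_overflow(MODEL_BUFSIZ));
    init_mem(mem);
    out = telrcv_fixed(mem, in, n, &dropped);
    printf("fixed: %zu out, %zu replies dropped, %zu bytes past netobuf\n",
           out, dropped, bytes_clobbered(mem));
    return 0;
}
```

Built with cc -std=c99, the vulnerable run turns 1024 input bytes into 4608 bytes of output, 3584 of them past the end of netobuf, which is exactly the advisory's bound for BUFSIZ = 1024; the hardened run stops at 1017 bytes and refuses 399 replies. Every byte landing past the buffer is drawn from the reply text, which is the limited character set the advisory cites as the main obstacle to exploitation.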

Copyright 2019, SecurityGlobal.net LLC