SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Telnet
Vendors:   [Multiple Authors/Vendors]
(MacOS Also Vulnerable) Re: Telnet Daemons May Give Remote Users Root Level Access Privileges
SecurityTracker Alert ID:  1002107
SecurityTracker URL:  http://securitytracker.com/id/1002107
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 29 2001
Impact:   Execution of arbitrary code via network, Root access via network, User access via network


Description:   TESO reported that many BSD-derived Telnet daemons (servers) contain a vulnerability that may allow a remote user to obtain root level access on the server.

A user reports that the telnet server on Mac OS X is also vulnerable. For details about the vulnerability, see the Message History.

Impact:   A remote user can execute arbitrary code on the server with the privileges of the telnet server, which are typically root level.
Solution:   No solution was available at the time of this entry.
Cause:   Boundary error
Underlying OS:  Apple (Legacy "classic" Mac)
Underlying OS Comments:  Many Linux and Unix OSs are vulnerable, but not all; see the Alert text for more information.

Message History:   This archive entry is a follow-up to the message listed below.
Jul 18 2001 Telnet Daemons May Give Remote Users Root Level Access Privileges



 Source Message Contents

Subject:  Mac OS X & Darwin/BSD vulnerable to telnetd overflow


[titanium:~/desktop] chrome% ./SPtelnetAYT localhost
Telnetd AYT overflow scanner, by Security Point(R)
Host: localhost
Connected to remote host...
Sending telnet options... stand by...
Telnetd on localhost vulnerable
[titanium:~/desktop] chrome% telnet localhost
Trying 127.0.0.1...
Connected to localhost.stupendous.net.
Escape character is '^]'.

Darwin/BSD (titanium) (ttyp5)

login: ^]
telnet> close
Connection closed.

Note that by default telnet is disabled in /etc/inetd.conf (as are 
most things, except for portmapper/NFS, ugh) so the impact should be 
minimal. If you're not using the OpenSSH included with OS X, you're 
mad.

This was tested successfully on Mac OS X 10.0.4 from both the local 
machine, and from a remote Sparc Solaris 2.7 host.

I'd notify Apple, only I have no idea what address to use, and it's 
6am and I've not slept yet (catching up to bugtraq from a 2 week 
holiday, wow, that Code Red thing was bad, glad I wasn't around when 
THAT baby hit, ho ho ho)

Nathan.

-- 
"The computer can't tell you the emotional story.
  It can give you the exact mathematical design, but
  what's missing is the eyebrows." - Frank Zappa
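
The message notes that telnet is disabled by default in /etc/inetd.conf. The following is an added example, not part of the original message or the advisory, showing one way to confirm that on a host by auditing an inetd.conf-style file for an active telnet entry. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file for an enabled telnet service.
# Function names and the sample file below are assumptions, not from the advisory.

# inetd_enabled_services FILE
# Prints the service name (first field) of every active entry.
# Entry layout: service socket-type protocol wait/nowait user program [args]
inetd_enabled_services() {
    awk '
        # Skip commented-out (disabled) entries and blank or short lines.
        $1 !~ /^#/ && NF >= 6 { print $1 }
    ' "$1"
}

# telnet_enabled FILE
# Returns 0 if an active (uncommented) telnet entry exists, 1 otherwise.
telnet_enabled() {
    inetd_enabled_services "$1" | grep -qx 'telnet'
}

# audit_inetd FILE
# Prints a finding and returns 1 when telnet is enabled, 0 when it is not.
audit_inetd() {
    if telnet_enabled "$1"; then
        echo "WARN: telnet is enabled in $1; comment the entry out and send inetd a HUP"
        return 1
    fi
    echo "OK: no active telnet entry in $1"
    return 0
}

# Demonstration on a constructed sample (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed inetd.conf sample
#ftp     stream  tcp  nowait  root  /usr/libexec/tcpd  ftpd -l
telnet   stream  tcp  nowait  root  /usr/libexec/tcpd  telnetd
EOF
audit_inetd "$sample" || true
rm -f "$sample"
```

On a real system, pass the host's own file, for example `audit_inetd /etc/inetd.conf`.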

 
 


Copyright 2019, SecurityGlobal.net LLC