SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Telnet Vendors:   [Multiple Authors/Vendors]
(Caldera Issues Fix for OpenLinux) Telnet Daemons May Give Remote Users Root Level Access Privileges
SecurityTracker Alert ID:  1002277
SecurityTracker URL:  http://securitytracker.com/id/1002277
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 27 2001
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   TESO reported that many BSD-derived Telnet daemons (servers) contain a vulnerability that may allow a remote user to obtain root level access on the server.

The vulnerability is reportedly due to a buffer overflow in the telnet option handling.

The following systems are reported to be vulnerable:

BSDI 4.x default, FreeBSD [2345].x default, IRIX 6.5, Linux netkit-telnetd < 0.14, NetBSD 1.x default, OpenBSD 2.x, Solaris 2.x sparc, and "almost any other vendor's telnetd".

A remote user can send a specially formatted option string to the remote telnet server and overwrite sensitive memory, causing arbitrary code to be executed with the privileges of the telnet server (which is typically root level privileges).

Telnet options are reportedly processed by the 'telrcv' function. The results of the parsing, which are to be send back to the client, are stored in the 'netobuf' buffer. It is apparently assumed that the reply data is smaller than the buffer size, so no bounds checking is performed. By using a combination of options, especially the 'AYT' Are You There option, it is possible for a remote user to append data to the buffer. It is reported that the characters that can be written to the buffer are limited, which makes constructing a successful exploit difficult.

The report states that a working exploit has been developed for BSDI, NetBSD and FreeBSD. However, the exploit was not released.

Impact:   A remote user can execute arbitrary code on the server with the privileges of the telnet server, which is typically root level privileges.
Solution:   The vendor has released a fix for OpenLinux. See the Source Message for the vendor's advisory containing directions on how to obtain the appropriate fix.
Cause:   Boundary error
Underlying OS:  Linux (Caldera/SCO)
Underlying OS Comments:  many Linux and Unix OSs are vulnerable, but not all - see the Alert text for more information

Message History:   This archive entry is a follow-up to the message listed below.
Jul 18 2001 Telnet Daemons May Give Remote Users Root Level Access Privileges



 Source Message Contents

Subject:  Security Update: [CSSA-2001-30.0] Linux - Telnet AYT remote exploit


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
		   Caldera International, Inc.  Security Advisory

Subject:		Linux - Telnet AYT remote exploit
Advisory number: 	CSSA-2001-030.0
Issue date: 		2001, August 10
Cross reference:
______________________________________________________________________________


1. Problem Description

   Recently, a security problem was discovered in various BSD derived
   implementations of the telnet daemon. Initially, it was thought that
   the Linux netkit-telnet was not vulnerable to this problem. It turne
   out that this was wrong.

   On OpenLinux previous to version 3.1, this bug allows remote attackers
   to gain root privilege.

   Starting with OpenLinux 3.1, the telnet daemon is split into
   two processes, a privileged one running the login session, and a
   restricted one handling the network protocol where the bug occurs. As
   a consequence, attempts to exploit this problem on OpenLinux 3.1 will
   give an attacker a process running as user "nobody", and confined to
   an empty chroot directory.


2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux 2.3                 All packages previous to      
                                 netkit-telnet-0.17-12a        
   
   OpenLinux eServer 2.3.1       All packages previous to      
   and OpenLinux eBuilder        netkit-telnet-0.17-12a        
   
   OpenLinux eDesktop 2.4        All packages previous to      
                                 netkit-telnet-0.17-12a        
   
   OpenLinux Server 3.1          All packages previous to      
                                 netkit-telnet-0.17-12         
   
   OpenLinux Workstation 3.1     All packages previous to      
                                 netkit-telnet-0.17-12         
   

3. Solution

   Workaround

     none

   The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

    4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/SRPMS

   4.2 Verification

       70f6d9fd0083167b23c0f22043b5f72c  RPMS/netkit-telnet-0.17-12a.i386.rpm
       394490b87437bd04ca4aff661c4f5fff  SRPMS/netkit-telnet-0.17-12a.src.rpm
       

   4.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh netkit-telnet-0.17-12a.i386.rpm
         

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

    5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       82e95fe89d065e3116253701004de600  RPMS/netkit-telnet-0.17-12a.i386.rpm
       394490b87437bd04ca4aff661c4f5fff  SRPMS/netkit-telnet-0.17-12a.src.rpm
       

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh netkit-telnet-0.17-12a.i386.rpm
         

6. OpenLinux eDesktop 2.4

    6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       e35ae266e108a9494f8dd89f96e4b889  RPMS/netkit-telnet-0.17-12a.i386.rpm
       394490b87437bd04ca4aff661c4f5fff  SRPMS/netkit-telnet-0.17-12a.src.rpm
       

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh netkit-telnet-0.17-12a.i386.rpm
         

7. OpenLinux 3.1 Server

    7.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

   7.2 Verification

       498c44cc801022653ee6c692a8633d74  RPMS/netkit-telnet-0.17-12.i386.rpm
       ddd8cf299465d84d1044a13b8e340a23  SRPMS/netkit-telnet-0.17-12.src.rpm
       

   7.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh netkit-telnet-0.17-12.i386.rpm
        
       or start kcupdate, the Caldera OpenLinux Update Manager.

8. OpenLinux 3.1 Workstation

    8.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

   8.2 Verification

       498c44cc801022653ee6c692a8633d74  RPMS/netkit-telnet-0.17-12.i386.rpm
       ddd8cf299465d84d1044a13b8e340a23  SRPMS/netkit-telnet-0.17-12.src.rpm
       

   8.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh netkit-telnet-0.17-12.i386.rpm

       or start kcupdate, the Caldera OpenLinux Update Manager.
         

9. References

   This and other Caldera security resources are located at:

   http://www.caldera.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 10351.


10. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera OpenLinux.

11. Acknowledgements

   Caldera wishes to thank Zen-Parse (zen-parse@gmx.net) for advance
   notification of this bug and his cooperation.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7c/Ef18sy83A/qfwRApFKAKCOz6jweWH+XIS4eNdnF2Dq3FEZrgCfUzlF
3JQNa+IP77hu313lcRhDsXM=
=oLMd
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: announce-unsubscribe@lists.caldera.com
For additional commands, e-mail: announce-help@lists.caldera.com


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC