Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   Telnet Vendors:   [Multiple Authors/Vendors]
(Debian Issues Fix) Telnet Daemons May Give Remote Users Root Level Access Privileges
SecurityTracker Alert ID:  1002286
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 27 2001
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   TESO reported that many BSD-derived Telnet daemons (servers) contain a vulnerability that may allow a remote user to obtain root level access on the server.

The vulnerability is reportedly due to a buffer overflow in the telnet option handling.

The following systems are reported to be vulnerable:

BSDI 4.x default, FreeBSD [2345].x default, IRIX 6.5, Linux netkit-telnetd < 0.14, NetBSD 1.x default, OpenBSD 2.x, Solaris 2.x sparc, and "almost any other vendor's telnetd".

A remote user can send a specially formatted option string to the remote telnet server and overwrite sensitive memory, causing arbitrary code to be executed with the privileges of the telnet server (which is typically root level privileges).

Telnet options are reportedly processed by the 'telrcv' function. The results of the parsing, which are to be send back to the client, are stored in the 'netobuf' buffer. It is apparently assumed that the reply data is smaller than the buffer size, so no bounds checking is performed. By using a combination of options, especially the 'AYT' Are You There option, it is possible for a remote user to append data to the buffer. It is reported that the characters that can be written to the buffer are limited, which makes constructing a successful exploit difficult.

The report states that a working exploit has been developed for BSDI, NetBSD and FreeBSD. However, the exploit was not released.

Impact:   A remote user can execute arbitrary code on the server with the privileges of the telnet server, which is typically root level privileges.
Solution:   The vendor has released a fix. See the Source Message for the vendor's advisory containing directions on how to obtain the appropriate fix.
Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Debian)
Underlying OS Comments:  many Linux and Unix OSs are vulnerable, but not all - see the Alert text for more information

Message History:   This archive entry is a follow-up to the message listed below.
Jul 18 2001 Telnet Daemons May Give Remote Users Root Level Access Privileges

 Source Message Contents

Subject:  [SECURITY] [DSA-070-1] netkit-telnet AYT buffer overflow

Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-070-1                             Robert van der Meulen
August 10, 2001
- ------------------------------------------------------------------------

Package        : netkit-telnet
Problem type   : remote exploit
Debian-specific: no

The telnet daemon contained in the netkit-telnet_0.16-4potato1 package in
the 'stable' (potato) distribution of Debian GNU/Linux is vulnerable to an
exploitable overflow in its output handling.
The original bug was found by <>, and announced to
bugtraq on Jul 18 2001. At that time, netkit-telnet versions after 0.14 were
not believed to be vulnerable.
On Aug 10 2001, zen-parse posted an advisory based on the same problem, for
all netkit-telnet versions below 0.17.
More details can be found on .
As Debian uses the 'telnetd' user to run in.telnetd, this is not a remote
root compromise on Debian systems; the 'telnetd' user can be compromised.

We strongly advise you update your netkit-telnet packages to the versions
listed below.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

Debian GNU/Linux 2.2 alias potato
- ---------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc.

  Source archives:
      MD5 checksum: 7da3f346ec6f75cf9069a60627b5d846
      MD5 checksum: d829b432eec6a2ff0d866869445f1303
      MD5 checksum: 197bce85871845b0223b4fa9038c1cb3

  Alpha architecture:
      MD5 checksum: 8baae434348115c1a261858b851b3771
      MD5 checksum: f54812129a40d2c2df3d17817612274b

  ARM architecture:
      MD5 checksum: 0e0c673d7b4ec972c7206c8d3d7c33b6
      MD5 checksum: 8c6c832af4b2aa002fe5e7d28a9fe862

  Intel IA-32 architecture:
      MD5 checksum: 9bdc63c4b0dee55a5ded30203edfd619
      MD5 checksum: a65483b5f60a14b69ef81e51a596bd84

 Motorola 680x0 architecture:
      MD5 checksum: 93ddab1a31a37cc9495d0432cb05ff4e
      MD5 checksum: 487c5b972e568d7dff4e2ad71349dc57

  PowerPC architecture:
      MD5 checksum: 7e3d66416e88aa069d15d1cef64974b3
      MD5 checksum: 2738a29f80edeabc9fa7109253364dd0

  Sun Sparc architecture:
      MD5 checksum: fef54ee3d64113ff1cdb0d9f4437f34e
      MD5 checksum: 91469be1ac617b246e459210a11aca8e

  These packages will be moved into the stable distribution on its next

For not yet released architectures please refer to the appropriate
directory$arch/ .

- -- 
- ----------------------------------------------------------------------------
apt-get: deb stable/updates main
dpkg-ftp: dists/stable/updates/main
Mailing list:
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see


To UNSUBSCRIBE, email to
with a subject of "unsubscribe". Trouble? Contact


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC