SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Telnet Vendors:   [Multiple Authors/Vendors]
(Debian Issues Fix for Telnet/SSL Package) Telnet Daemons May Give Remote Users Root Level Access Privileges
SecurityTracker Alert ID:  1002290
SecurityTracker URL:  http://securitytracker.com/id/1002290
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 27 2001
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   TESO reported that many BSD-derived Telnet daemons (servers) contain a vulnerability that may allow a remote user to obtain root level access on the server.

The vulnerability is reportedly due to a buffer overflow in the telnet option handling.

The following systems are reported to be vulnerable:

BSDI 4.x default, FreeBSD [2345].x default, IRIX 6.5, Linux netkit-telnetd < 0.14, NetBSD 1.x default, OpenBSD 2.x, Solaris 2.x sparc, and "almost any other vendor's telnetd".

A remote user can send a specially formatted option string to the remote telnet server and overwrite sensitive memory, causing arbitrary code to be executed with the privileges of the telnet server (which is typically root level privileges).

Telnet options are reportedly processed by the 'telrcv' function. The results of the parsing, which are to be send back to the client, are stored in the 'netobuf' buffer. It is apparently assumed that the reply data is smaller than the buffer size, so no bounds checking is performed. By using a combination of options, especially the 'AYT' Are You There option, it is possible for a remote user to append data to the buffer. It is reported that the characters that can be written to the buffer are limited, which makes constructing a successful exploit difficult.

The report states that a working exploit has been developed for BSDI, NetBSD and FreeBSD. However, the exploit was not released.

Impact:   A remote user can execute arbitrary code on the server with the privileges of the telnet server, which is typically root level privileges.
Solution:   The vendor has released a fix for the netkit-telnet-ssl package. See the Source Message for the vendor's advisory containing directions on how to obtain the appropriate fix.

Note that Debian has also issued a fix for netkit-telnet, which is described in a separate alert. See the Message History for information about that package.

Vendor URL:  www.debian.org/security/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Debian)
Underlying OS Comments:  many Linux and Unix OSs are vulnerable, but not all - see the Alert text for more information

Message History:   This archive entry is a follow-up to the message listed below.
Jul 18 2001 Telnet Daemons May Give Remote Users Root Level Access Privileges



 Source Message Contents

Subject:  [SECURITY] [DSA-075-1] telnetd-ssl AYT buffer overflow


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-075-1                   security@debian.org
http://www.debian.org/security/                    Robert van der Meulen
August 14, 2001
- ------------------------------------------------------------------------


Package        : netkit-telnet-ssl
Problem type   : remote exploit
Debian-specific: no

The telnet daemon contained in the netkit-telnet-ssl_0.16.3-1 package in
the 'stable' (potato) distribution of Debian GNU/Linux is vulnerable to an
exploitable overflow in its output handling.
The original bug was found by <scut@nb.in-berlin.de>, and announced to
bugtraq on Jul 18 2001. At that time, netkit-telnet versions after 0.14 were
not believed to be vulnerable.
On Aug 10 2001, zen-parse posted an advisory based on the same problem, for
all netkit-telnet versions below 0.17.
More details can be found on http://www.securityfocus.com/archive/1/203000 .
As Debian uses the 'telnetd' user to run in.telnetd, this is not a remote
root compromise on Debian systems; the 'telnetd' user can be compromised.

We strongly advise you update your netkit-telnet-ssl packages to the versions
listed below.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.


Debian GNU/Linux 2.2 alias potato
- ---------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc.

  Source archives:
    http://security.debian.org/dists/stable/updates/main/source/netkit-telnet-ssl_0.16.3-1.1.diff.gz
      MD5 checksum: 953d3006b9491a441799f73633a72f05
    http://security.debian.org/dists/stable/updates/main/source/netkit-telnet-ssl_0.16.3-1.1.dsc
      MD5 checksum: aed9ded4b4d69dd852dfd5320a8a9cf5
    http://security.debian.org/dists/stable/updates/main/source/netkit-telnet-ssl_0.16.3.orig.tar.gz
      MD5 checksum: 999a416e11e9a9750b0ec2428eeabe1d

  Alpha architecture:
    http://security.debian.org/dists/stable/updates/main/binary-alpha/ssltelnet_0.16.3-1.1_alpha.deb
      MD5 checksum: 92680b907a65008e04cc0cf16ce1d87f
    http://security.debian.org/dists/stable/updates/main/binary-alpha/telnet-ssl_0.16.3-1.1_alpha.deb
      MD5 checksum: 4d4f6e8ee1e06eacb416de4733f45170
    http://security.debian.org/dists/stable/updates/main/binary-alpha/telnetd-ssl_0.16.3-1.1_alpha.deb
      MD5 checksum: dec52e65bb6304fd353e2af33adedb7c

  ARM architecture:
    http://security.debian.org/dists/stable/updates/main/binary-arm/ssltelnet_0.16.3-1.1_arm.deb
      MD5 checksum: 668f8343d7e6ed824a55d8510723cc2a
    http://security.debian.org/dists/stable/updates/main/binary-arm/telnet-ssl_0.16.3-1.1_arm.deb
      MD5 checksum: c3bacf45513033a66bfefcf370e295c9
    http://security.debian.org/dists/stable/updates/main/binary-arm/telnetd-ssl_0.16.3-1.1_arm.deb
      MD5 checksum: 3241dbd7380b97edec177305694891ae

  Intel IA-32 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-i386/ssltelnet_0.16.3-1.1_i386.deb
      MD5 checksum: aec70bdc25994a1a885fac130a426ddc
    http://security.debian.org/dists/stable/updates/main/binary-i386/telnet-ssl_0.16.3-1.1_i386.deb
      MD5 checksum: 4b97d30b1417a9e2ebb8d941c9486451
    http://security.debian.org/dists/stable/updates/main/binary-i386/telnetd-ssl_0.16.3-1.1_i386.deb
      MD5 checksum: a6d456dc0a9789436dd4f92ace9dadf6

  Motorola 680x0 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-m68k/ssltelnet_0.16.3-1.1_m68k.deb
      MD5 checksum: a38f77d83afc1daeb9b23a91cdd90478
    http://security.debian.org/dists/stable/updates/main/binary-m68k/telnet-ssl_0.16.3-1.1_m68k.deb
      MD5 checksum: 0cb485fb260ac74b411b8b82bd299d04
    http://security.debian.org/dists/stable/updates/main/binary-m68k/telnetd-ssl_0.16.3-1.1_m68k.deb
      MD5 checksum: 3c6cfd4542145edac7a9c4b55a59a896

  PowerPC architecture:
    http://security.debian.org/dists/stable/updates/main/binary-powerpc/ssltelnet_0.16.3-1.1_powerpc.deb
      MD5 checksum: 983ec249db831da8f01e730f5265207e
    http://security.debian.org/dists/stable/updates/main/binary-powerpc/telnet-ssl_0.16.3-1.1_powerpc.deb
      MD5 checksum: f069f9a731337b7bcc60db23ca2707ee
    http://security.debian.org/dists/stable/updates/main/binary-powerpc/telnetd-ssl_0.16.3-1.1_powerpc.deb
      MD5 checksum: 3627da7c28bb071a157f2cab29bd4ad9

  Sun Sparc architecture:
    http://security.debian.org/dists/stable/updates/main/binary-sparc/ssltelnet_0.16.3-1.1_sparc.deb
      MD5 checksum: 7c108a2fd7d4a86513baa3849076882a
    http://security.debian.org/dists/stable/updates/main/binary-sparc/telnet-ssl_0.16.3-1.1_sparc.deb
      MD5 checksum: 8951b3d32c086ba5fe81a3f62578dd89
    http://security.debian.org/dists/stable/updates/main/binary-sparc/telnetd-ssl_0.16.3-1.1_sparc.deb
      MD5 checksum: 5ca8897ae2bb3afeb3a0c1b0f34677bc

  These packages will be moved into the stable distribution on its next
  revision.

For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .

- -- 
- ----------------------------------------------------------------------------
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7eSu0FLJHZigagQ4RAtV/AJ4qx2aStYduXzDhetoslQw52ezeeACcDCeo
naqx0Eyplu6pODDYuv9iD98=
=Vyh4
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC