


Category:   Application (Generic)  >   Telnet
Vendors:   [Multiple Authors/Vendors]
(Debian Issues Fix for Telnet/SSL on Sparc) Telnet Daemons May Give Remote Users Root Level Access Privileges
SecurityTracker Alert ID:  1002293
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 27 2001
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   TESO reported that many BSD-derived Telnet daemons (servers) contain a vulnerability that may allow a remote user to obtain root level access on the server.

The vulnerability is reportedly due to a buffer overflow in the telnet option handling.

The following systems are reported to be vulnerable:

BSDI 4.x default, FreeBSD [2345].x default, IRIX 6.5, Linux netkit-telnetd < 0.14, NetBSD 1.x default, OpenBSD 2.x, Solaris 2.x sparc, and "almost any other vendor's telnetd".

A remote user can send a specially formatted option string to the remote telnet server and overwrite sensitive memory, causing arbitrary code to be executed with the privileges of the telnet server (which is typically root level privileges).

Telnet options are reportedly processed by the 'telrcv' function. The results of the parsing, which are to be sent back to the client, are stored in the 'netobuf' buffer. It is apparently assumed that the reply data is smaller than the buffer size, so no bounds checking is performed. By using a combination of options, especially the 'AYT' (Are You There) option, it is possible for a remote user to append data to the buffer. It is reported that the characters that can be written to the buffer are limited, which makes constructing a successful exploit difficult.
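The missing check described above, shown as an added C example that models the pattern and is not taken from any telnetd source: every reply passes through a bounded append that drains or refuses instead of writing past the end of the output buffer. The buffer size, the reply text, the sample input and the names outbuf, queue_reply and process_input are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

#define NETOBUF_SIZE 64   /* assumed capacity, kept small for the demo */
#define IAC 255           /* RFC 854: interpret as command */
#define AYT 246           /* RFC 854: are you there */
static const char AYT_REPLY[] = "\r\n[Yes]\r\n";   /* assumed reply text */

/* Constructed sample input: ten IAC AYT requests in one read. */
const unsigned char SAMPLE[] = { IAC, AYT, IAC, AYT, IAC, AYT, IAC, AYT,
    IAC, AYT, IAC, AYT, IAC, AYT, IAC, AYT, IAC, AYT, IAC, AYT };

struct outbuf {
    char   data[NETOBUF_SIZE];
    size_t used;      /* bytes currently queued for the client */
    size_t flushes;   /* times the queue was drained to make room */
};

/* Bounded append: drain first if the reply does not fit, refuse it if it
 * could never fit. Returns 0 on success, -1 if rejected. */
int queue_reply(struct outbuf *ob, const char *msg, size_t n)
{
    if (n > sizeof(ob->data))
        return -1;
    if (n > sizeof(ob->data) - ob->used) {
        ob->used = 0;             /* stands in for writing to the socket */
        ob->flushes++;
    }
    memcpy(ob->data + ob->used, msg, n);
    ob->used += n;
    return 0;
}

/* Scan client input for IAC AYT and queue one reply per request. Returns the
 * total reply bytes requested, i.e. what an unchecked append would write. */
size_t process_input(struct outbuf *ob, const unsigned char *in, size_t len)
{
    size_t demand = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (in[i] != IAC)
            continue;
        if (in[i + 1] == AYT) {
            demand += sizeof(AYT_REPLY) - 1;
            (void)queue_reply(ob, AYT_REPLY, sizeof(AYT_REPLY) - 1);
        }
        i++;                      /* skip command byte or escaped IAC */
    }
    return demand;
}
```

With the sample input the requested reply data exceeds the buffer capacity, while the queued amount never does; a real server would flush to the socket where this model resets the counter.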

The report states that a working exploit has been developed for BSDI, NetBSD and FreeBSD. However, the exploit was not released.

Impact:   A remote user can execute arbitrary code on the server with the privileges of the telnet server, which is typically root level privileges.
Solution:   The vendor has released a fix for Debian's distribution of netkit-telnet-ssl for the Sparc platform. See the Source Message for the vendor's advisory containing directions on how to obtain the appropriate fix.

Note that the vendor has also separately released fixes for netkit-telnet-ssl (on non-sparc platforms) and for netkit-telnet. These are discussed in separate Alerts. See the Message History for those Alerts.

Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Debian)
Underlying OS Comments:  many Linux and Unix OSs are vulnerable, but not all - see the Alert text for more information

Message History:   This archive entry is a follow-up to the message listed below.
Jul 18 2001 Telnet Daemons May Give Remote Users Root Level Access Privileges

 Source Message Contents

Subject:  [SECURITY] [DSA-075-2] [sparc-only] telnetd-ssl AYT buffer overflow


----------------------------------------------------------------------------
Debian Security Advisory DSA 075-2                                            Martin Schulze
August 14, 2001
----------------------------------------------------------------------------

Package        : netkit-telnet-ssl
Vulnerability  : output buffer overflow
Problem-Type   : remote exploit
Debian-specific: no

This is a followup to the problem described in DSA 075-1.  Please read
the original advisory to find out more about the security problem.
This advisory and upload only fixes a problem with binary packages for
sparc that were mistakenly linked to the wrong library.

We recommend that you upgrade your netkit-telnet-ssl packages
immediately if you are running a sparc system.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 2.2 alias potato
------------------------------------

  Sun Sparc architecture:
      MD5 checksum: 904e2032b596c5c3f322c7bc1367a13b
      MD5 checksum: 0195eb363ae3b4b8cf31b3377b39d6f7
      MD5 checksum: 77675569c391c62aaf91d0fecd3f4b08

  These files will be moved into the stable distribution on its next

----------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and<pkg>
