SecurityTracker.com
Category:   Application (Generic)  >   Telnet
Vendors:   [Multiple Authors/Vendors]
(Sun Issues Fix) Re: Telnet Daemons May Give Remote Users Root Level Access Privileges
SecurityTracker Alert ID:  1002987
SecurityTracker URL:  http://securitytracker.com/id/1002987
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 15 2001
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   TESO reported that many BSD-derived Telnet daemons (servers) contain a vulnerability that may allow a remote user to obtain root level access on the server.

The vulnerability is reportedly due to a buffer overflow in the telnet option handling.

The following systems are reported to be vulnerable:

BSDI 4.x default, FreeBSD [2345].x default, IRIX 6.5, Linux netkit-telnetd < 0.14, NetBSD 1.x default, OpenBSD 2.x, Solaris 2.x sparc, and "almost any other vendor's telnetd".

A remote user can send a specially formatted option string to the remote telnet server and overwrite sensitive memory, causing arbitrary code to be executed with the privileges of the telnet server (which is typically root level privileges).

Telnet options are reportedly processed by the 'telrcv' function. The results of the parsing, which are to be sent back to the client, are stored in the 'netobuf' buffer. It is apparently assumed that the reply data is smaller than the buffer size, so no bounds checking is performed. By using a combination of options, especially the 'AYT' (Are You There) option, it is possible for a remote user to append data to the buffer. It is reported that the characters that can be written to the buffer are limited, which makes constructing a successful exploit difficult.
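
A simplified model of the unchecked reply append described above, next to a bounds-checked form. This is an added example, not code from any telnetd or from the advisory: only the name 'netobuf' comes from the text, while the 64-byte size, the guard region, the reply string and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define NETOBUF_SIZE 64  /* constructed size for the model */
#define GUARD_SIZE   64  /* stands in for the memory that follows netobuf */

/* One arena holds buffer + guard, so the modelled overrun stays in memory we own. */
struct outq {
    unsigned char arena[NETOBUF_SIZE + GUARD_SIZE];
    size_t used;  /* reply bytes queued for the client */
};

static const char REPLY[] = "\r\n[Yes]\r\n";  /* constructed 9-byte AYT-style reply */

/* Pattern the advisory describes: append the reply and assume it fits. */
static void append_unchecked(struct outq *q, const char *s, size_t n) {
    if (q->used + n > sizeof q->arena) return;  /* limit of this model only */
    memcpy(q->arena + q->used, s, n);
    q->used += n;
}

/* Hardened form: drain the queue (modelled as a reset) when the reply will not fit. */
static int append_checked(struct outq *q, const char *s, size_t n) {
    if (n > NETOBUF_SIZE) return -1;              /* can never fit */
    if (q->used + n > NETOBUF_SIZE) q->used = 0;  /* flush before appending */
    memcpy(q->arena + q->used, s, n);
    q->used += n;
    return 0;
}

/* Queue `count` replies back to back; return the bytes written past netobuf. */
static size_t overrun_after(int checked, int count) {
    struct outq q;
    size_t i, bad = 0;
    memset(q.arena, 0, NETOBUF_SIZE);
    memset(q.arena + NETOBUF_SIZE, 0xAA, GUARD_SIZE);  /* guard pattern */
    q.used = 0;
    for (i = 0; i < (size_t)count; i++) {
        if (checked) append_checked(&q, REPLY, sizeof REPLY - 1);
        else append_unchecked(&q, REPLY, sizeof REPLY - 1);
    }
    for (i = 0; i < GUARD_SIZE; i++)
        if (q.arena[NETOBUF_SIZE + i] != 0xAA) bad++;
    return bad;
}

int main(void) {
    printf("unchecked: %zu bytes past netobuf\n", overrun_after(0, 10));
    printf("checked:   %zu bytes past netobuf\n", overrun_after(1, 10));
    return 0;
}
```

In this model seven replies (63 bytes) still fit; the eighth is the first to cross the end of the buffer on the unchecked path, while the checked path drains first and never touches the guard.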

The report states that a working exploit has been developed for BSDI, NetBSD and FreeBSD. However, the exploit was not released.

Impact:   A remote user can execute arbitrary code on the server with the privileges of the telnet server, which is typically root level privileges.
Solution:   This issue is addressed in the following releases:

SPARC

Solstice Enterprise Authentication Mechanism (SEAM) 1.0.1 for Solaris 8 with patch 110060-08 or later

Intel

Solstice Enterprise Authentication Mechanism (SEAM) 1.0.1 for Solaris 8 with patch 110061-08 or later

Vendor URL:  sunsolve.sun.com/security/
Cause:   Boundary error
Underlying OS:  UNIX (Solaris - SunOS)
Underlying OS Comments:  many Linux and Unix OSs are vulnerable, but not all - see the Alert text for more information

Message History:   This archive entry is a follow-up to the message listed below.
Jul 18 2001 Telnet Daemons May Give Remote Users Root Level Access Privileges



 Source Message Contents

Subject:  Using Kerberized Telnet with Solaris 8 May Lead to Unauthorized Root


DOCUMENT ID: 40035 
SYNOPSIS: Using Kerberized Telnet with Solaris 8 May Lead to Unauthorized Root Access
DETAIL DESCRIPTION: 

Sun(sm) Alert Notification 

     Sun Alert ID: 40035 

     Synopsis: Using Kerberized Telnet with Solaris 8 May Lead to Unauthorized Root Access

     Category: Security 

     Product: Solaris Enterprise Authentication Mechanism (SEAM) 
     BugIDs: 4491825 
     Avoidance: Patch 

     State: Resolved 
     Date Released: 14-Dec-2001 
     Date Closed: 14-Dec-2001 
     Date Modified: 

1. Impact 

Unprivileged local or remote users may be able to gain unauthorized root
access due to a security vulnerability in the SEAM Kerberos V5 version
of telnet. 

2. Contributing Factors 

This issue can occur in the following releases: 

SPARC 

     Solstice Enterprise Authentication Mechanism (SEAM) 1.0.1 for Solaris 8 without patch 110060-08

Intel 

     Solstice Enterprise Authentication Mechanism (SEAM) 1.0.1 for Solaris 8 without patch 110061-08

Note: Solaris 7 and below are not affected. The described issue only
occurs if Kerberos is used as the login authentication mechanism.

SEAM is an unbundled product, available for Solaris 2.6, 7, and 8. The
kerberized telnet is part of the "SUNWkr5sv" package. For more
information on SEAM please see the SEAM(5) man page.

3. Symptoms 

There are no symptoms that would show the described issue has already
been exploited to gain unauthorized root access to a system. 


SOLUTION SUMMARY: 

4. Relief/Workaround 

As a possible workaround, the kerberized version of telnet might be
disabled by the following steps: 

1. Edit the "/etc/inetd.conf" file and comment out the following line by
adding the '#' symbol as follows: 

    #telnet stream  tcp     nowait  root    /usr/krb5/lib/telnetd telnetd

2. Make the inetd(1M) process reread the modified "/etc/inetd.conf" file
by sending it a hangup signal, "SIGHUP": 

    # pkill -HUP inetd                  

5. Resolution 

This issue is addressed in the following releases: 

SPARC 

     Solstice Enterprise Authentication Mechanism (SEAM) 1.0.1 for Solaris 8 with patch 110060-08 or later

Intel 

     Solstice Enterprise Authentication Mechanism (SEAM) 1.0.1 for Solaris 8 with patch 110061-08 or later

The issue described in this Sun(sm) Alert document may or may not be
experienced by your particular system(s). The information in this
Sun(sm) Alert document may be based upon information received from
third-parties. It is being provided to you "AS IS", for informational
purposes only. Sun does not make any representations, warranties, or
guaranties as to the quality, suitability, truth, accuracy or
completeness of any of the information. Sun shall not be liable for any
losses or damages suffered as a result of Customer's use or non-use of
the information.


APPLIES TO: 
ATTACHMENTS:



 
 



Copyright 2019, SecurityGlobal.net LLC