Date: Wed, 18 Jul 2001 21:30:04 -0700
From: Sean Chittenden <sean-freebsd-security@chittenden.org>
To: freebsd-security@freebsd.org
Subject: BUGTRAQ post re: "multiple vendor telnet daemon vulnerability"
Message-ID: <20010718213004.Z77559@rand.tgd.net>
Here's the BUGTRAQ post.

-sc

--
Sean Chittenden

Date: Wed, 18 Jul 2001 22:15:10 +0200
From: Sebastian <scut@nb.in-berlin.de>
To: bugtraq@securityfocus.com
Subject: multiple vendor telnet daemon vulnerability
Message-ID: <20010718221510.A16174@nb.in-berlin.de>
This is a short version of the original advisory. Most details about exploiting this vulnerability have been removed after thinking about it.

I do not release it because it makes me happy, and I would like you to please not assume things about the reasons involving this posting. I wish things would have worked out better for all of us. I do not want to get that much involved in disclosure policies, but I am sure a lot of advocates from both sides are going to flame me about this one. Please save yourself and me the time, I could not care less.

A few days ago some script kiddies somehow got access to a copy of an exploit for this vulnerability. I do not know how it happened, but while I write this dozens of BSD hosts fall victim to clueless attackers. And please, again, I would like to ask you to not assume and speculate how this might have happened. The copy of the exploit was quite script-kiddie safe and requires no fiddling. It works out of the box.

Please patch fast, or better disable telnetd altogether. Btw, I do not think a simple patch will do it anyway, there are so many horrible bugs - also non-security-related - in telnetd besides this one. Just send some random junk at telnetd and see it die if you do not believe me.

ciao,
-scut

------

TESO Security Advisory
07/18/2001

Multiple vendor Telnet Daemon vulnerability

Summary
=====================

Within most of the current telnet daemons in use today there exists a buffer overflow in the telnet option handling. Under certain circumstances it may be possible to exploit it to gain root privileges remotely.

Systems Affected
=====================

System                                  | vulnerable   | exploitable *
----------------------------------------+--------------+------------------
BSDI 4.x default                        | yes          | yes
FreeBSD [2345].x default                | yes          | yes
IRIX 6.5                                | yes          | no
Linux netkit-telnetd < 0.14             | yes          | ?
Linux netkit-telnetd >= 0.14            | no           |
NetBSD 1.x default                      | yes          | yes
OpenBSD 2.x                             | yes          | ?
OpenBSD current                         | no           |
Solaris 2.x sparc                       | yes          | ?
<almost any other vendor's telnetd>     | yes          | ?
----------------------------------------+--------------+------------------

* = From our analysis and conclusions, which may not be correct or we may have overlooked things. Do not rely on this. Details about the systems can be found below.

Impact
=====================

Through sending a specially formed option string to the remote telnet daemon a remote attacker might be able to overwrite sensitive information on the static memory pages. If done properly this may result in arbitrary code getting executed on the remote machine under the privileges the telnet daemon runs with, usually root.

Explanation
=====================

Within every BSD-derived telnet daemon under UNIX the telnet options are processed by the 'telrcv' function. This function parses the options according to the telnet protocol and its internal state. During this parsing the results which should be sent back to the client are stored within the 'netobuf' buffer. This is done without any bounds checking, since it is assumed that the reply data is smaller than the buffer size (which is BUFSIZ bytes, usually).

However, using a combination of options, especially the 'AYT' Are You There option, it is possible to append data to the buffer, usually nine bytes long. To trigger this response, two bytes in the input buffer are necessary. Since this input buffer is BUFSIZ bytes long, you can exceed the output buffer by as much as ((BUFSIZ / 2) * 9) - BUFSIZ bytes. For the common case that BUFSIZ is defined to be 1024, this results in a buffer overflow by up to 3584 bytes. On systems where BUFSIZ is defined to be 4096, this is an even greater value (14336).
Due to the limited set of characters an attacker is able to write outside of the buffer it is difficult - if not impossible on some systems - to exploit this buffer overflow. Another hurdle for a possible attacker may be the lack of interesting information to modify after the buffer.

This buffer overflow should be considered serious nevertheless, since experience has shown that even complicated vulnerabilities can be exploited by skilled attackers; BIND TSIG and SSH deattack come to mind.

We have constructed a working exploit for any version of BSDI, NetBSD and FreeBSD. Exploitation on Solaris sparc may be possible but if it is, it is very difficult, involving lots of arcane tricks. OpenBSD is not as easily exploitable as the other BSDs, because they compile with other options by default, changing the memory layout.

Solution
=====================

The vendors have been notified of the problem at the same time as the general public; vendor patches for your telnet daemon that fix the bug will show up soon.

Sometimes a fix might not be trivial and may require a lot of changes to the source code, due to the insecure way the 'nfrontp' pointer is handled.

The best long term solution is to disable the telnet daemon altogether, since there are good and free replacements.

Acknowledgements
=====================

The bug has been discovered by scut. (It is easy to spot, so I do not want to rule out discoveries by other persons.)

The tests and further analysis were done by smiler, lorian, zip and scut.
Contact Information
=====================

The TESO crew can be reached by mailing to teso@team-teso.net
Our web page is at http://www.team-teso.net/

References
=====================

[1] TESO http://www.team-teso.net/

Disclaimer
=====================

This advisory does not claim to be complete or to be usable for any purpose. Especially information on the vulnerable systems may be inaccurate or wrong. Possibly supplied exploit code is not to be used for malicious purposes, but for educational purposes only. This advisory is free for open distribution in unmodified form. Articles that are based on information from this advisory should include link [1].

Exploit
=====================

Not this time. Not here.

------

--
scut@nb.in-berlin.de
http://segfault.net/~scut/
PGP: segfault.net/~scut/pgp  5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
AFIWC control and information seized. awaiting orders. hi echelon
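The amplification the advisory describes, as an added example that is not part of the original post, of BSD telnetd's source, or of TESO's exploit: a toy model of telrcv's AYT path that appends a nine-byte reply for every two input bytes through an unchecked nfrontp pointer, beside a bounded variant that refuses a reply which would not fit. The reply text "\r\n[Yes]\r\n", the names telrcv_model, full_ayt_input and ayt_overflow_bytes, and the 1024-byte NET_BUFSIZ are assumptions of the example; the arithmetic reproduces the advisory's 3584 and 14336 figures. The model keeps netobuf and the bytes after it in one object so the simulation itself never writes outside an allocation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IAC 255            /* telnet "Interpret As Command" */
#define AYT 246            /* telnet "Are You There" */
#define NET_BUFSIZ 1024    /* stands in for BUFSIZ, the size of telnetd's netobuf */

/* The nine-byte reply the advisory describes; "\r\n[Yes]\r\n" is assumed
 * here as the text BSD telnetd sends (the advisory states only the length). */
static const char ayt_reply[] = "\r\n[Yes]\r\n";
#define AYT_REPLY_LEN (sizeof(ayt_reply) - 1)

struct result {
    size_t overflow;   /* bytes written past the end of netobuf */
    size_t dropped;    /* replies refused by the bounded variant */
};

/* Worst case from the advisory: an input buffer of bufsiz bytes made
 * entirely of IAC AYT pairs yields (bufsiz / 2) * 9 bytes of output,
 * i.e. ((bufsiz / 2) * 9) - bufsiz bytes beyond netobuf. */
size_t ayt_overflow_bytes(size_t bufsiz)
{
    size_t written = (bufsiz / 2) * AYT_REPLY_LEN;
    return written > bufsiz ? written - bufsiz : 0;
}

/* netobuf followed by a model of whatever sits after it in static memory.
 * Keeping both in one object means every write stays inside an allocation,
 * so running the model is well-defined even when the overflow happens. */
struct arena {
    char netobuf[NET_BUFSIZ];
    char after[NET_BUFSIZ * 4];
};

/* Toy version of telrcv's AYT handling. bounded == 0 appends through
 * nfrontp with no check, as the advisory describes; bounded == 1 refuses
 * a reply that would not fit. Only the IAC AYT sequence is handled. */
struct result telrcv_model(const unsigned char *in, size_t inlen, int bounded)
{
    static struct arena a;
    char *const netobuf = a.netobuf;
    char *const end = netobuf + NET_BUFSIZ;          /* real end of netobuf */
    char *const arena_end = netobuf + sizeof a;      /* guard for the model only */
    char *nfrontp = netobuf;
    struct result r = {0, 0};
    size_t i = 0;

    memset(&a, 0, sizeof a);
    while (i + 1 < inlen) {
        if (in[i] != IAC || in[i + 1] != AYT) {
            i++;
            continue;
        }
        i += 2;                                      /* consume IAC AYT */
        if (bounded && (size_t)(end - nfrontp) < AYT_REPLY_LEN) {
            r.dropped++;                             /* the check telnetd lacks */
            continue;
        }
        if ((size_t)(arena_end - nfrontp) < AYT_REPLY_LEN)
            break;                                   /* model guard, absent in telnetd */
        memcpy(nfrontp, ayt_reply, AYT_REPLY_LEN);
        nfrontp += AYT_REPLY_LEN;
    }
    if (nfrontp > end)
        r.overflow = (size_t)(nfrontp - end);
    return r;
}

/* Feed a full NET_BUFSIZ-byte input of IAC AYT pairs, the advisory's
 * worst case, through the model. */
struct result full_ayt_input(int bounded)
{
    unsigned char in[NET_BUFSIZ];
    size_t i;
    for (i = 0; i < sizeof in; i += 2) {
        in[i] = IAC;
        in[i + 1] = AYT;
    }
    return telrcv_model(in, sizeof in, bounded);
}

int main(void)
{
    struct result v = full_ayt_input(0), h = full_ayt_input(1);
    printf("formula, BUFSIZ=1024: %zu bytes past netobuf\n", ayt_overflow_bytes(1024));
    printf("formula, BUFSIZ=4096: %zu bytes past netobuf\n", ayt_overflow_bytes(4096));
    printf("unchecked append:     %zu bytes past netobuf\n", v.overflow);
    printf("bounded append:       %zu bytes past netobuf, %zu replies dropped\n",
           h.overflow, h.dropped);
    return 0;
}
```

Because netobuf in telnetd is static, what the unchecked variant clobbers is whatever the linker placed after it, which is why the advisory speaks of static memory pages rather than the stack, and why the attacker's payload is limited to repetitions of the reply text. The bounded variant shows the shape of a local fix at the AYT case; the advisory's point that every writer through nfrontp needs the same treatment is what makes a complete patch non-trivial.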