Date: Thu, 19 Jul 2001 00:47:22 -0700 (PDT)
From: Matt Dillon
Message-Id: <200107190747.f6J7lMU71487@earth.backplane.com>
To: Cy Schubert - ITSD Open Systems Group
Cc: Mike Tancsa, Kris Kennaway, security@FreeBSD.ORG
Subject: Re: FreeBSD remote root exploit ?
References: <200107190547.f6J5lmD66188@cwsys.cwsent.com>

:
:I wouldn't be surprised that Kerberos IV and V telnetd's are also
:vulnerable. The krb5 port will need to be patched when we patch the
:base telnetd.
:
:Also, there are two telnetd's in the base tree. I'm sure everyone
:knows this, I put my paranoid manager's hat on.
:
:
:Regards,                       Phone: (250)387-8437
:Cy Schubert                      Fax: (250)387-5766

    Let's see... There are actually *FOUR* telnetd's in our source tree.

    /usr/src/crypto/telnet/telnetd                              VULNERABLE
    /usr/src/libexec/telnetd                                    VULNERABLE
    /usr/src/crypto/heimdal/appl/telnet/telnetd                 NOT VULNERABLE
    /usr/src/crypto/kerberosIV/appl/telnet/telnetd/telnetd.c    NOT VULNERABLE

    The heimdal and kerberosIV telnetd's call an output_data() function
    which does not allow the output buffer to overflow. The first two
    telnetd's just blindly copy the option data into the output buffer.

                                                -Matt
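The difference described in the message above, between copying option data blindly and going through a bounds-checked output routine, shown as an added example that is not part of the original message and is not FreeBSD or Heimdal source. The struct, function names and sizes are hypothetical, and the "unchecked" copy is clamped to a larger backing array so the overrun can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define OUT_CAP 64  /* logical output buffer size (constructed value) */
#define SLACK   64  /* models the memory that follows the buffer */

struct outbuf {
    unsigned char mem[OUT_CAP + SLACK]; /* first OUT_CAP bytes are the buffer */
    size_t used;                        /* bytes queued so far */
};

/* Unchecked pattern: n is never compared with the space left in the buffer.
 * Clamped to mem[] only so this demonstration stays well-defined. */
void append_unchecked(struct outbuf *o, const unsigned char *p, size_t n)
{
    size_t room = sizeof o->mem - o->used;
    if (n > room) n = room;
    memcpy(o->mem + o->used, p, n);
    o->used += n;
}

/* Bounded pattern: refuse data that does not fit; nothing is written. */
int append_bounded(struct outbuf *o, const unsigned char *p, size_t n)
{
    if (o->used > OUT_CAP || n > OUT_CAP - o->used)
        return -1;  /* caller flushes or drops */
    memcpy(o->mem + o->used, p, n);
    o->used += n;
    return 0;
}

/* Bytes that landed beyond the logical end of the buffer. */
size_t bytes_past_end(const struct outbuf *o)
{
    return o->used > OUT_CAP ? o->used - OUT_CAP : 0;
}

int main(void)
{
    struct outbuf a = {0}, b = {0};
    unsigned char opt[100];  /* constructed oversized option data */
    memset(opt, 'A', sizeof opt);
    append_unchecked(&a, opt, sizeof opt);
    int rc = append_bounded(&b, opt, sizeof opt);
    printf("unchecked past end: %zu, bounded rc: %d, past end: %zu\n",
           bytes_past_end(&a), rc, bytes_past_end(&b));
    return 0;
}
```

The subtraction form `n > OUT_CAP - o->used` is used instead of `o->used + n > OUT_CAP` so that a very large `n` cannot wrap the addition and pass the check.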