Date: Thu, 19 Jul 2001 00:47:22 -0700 (PDT) From: Matt Dillon <dillon@earth.backplane.com> To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca> Cc: Mike Tancsa <mike@sentex.net>, Kris Kennaway <kris@obsecurity.org>, security@FreeBSD.ORG Subject: Re: FreeBSD remote root exploit ? Message-ID: <200107190747.f6J7lMU71487@earth.backplane.com> References: <200107190547.f6J5lmD66188@cwsys.cwsent.com>
next in thread | previous in thread | raw e-mail | index | archive | help
:
:I wouldn't be surprised that Kerberos IV and V telnetd's are also
:vulnerable. The krb5 port will need to be patched when we patch the
:base telnetd.
:
:Also, there are two telnetd's in the base tree. I'm sure everyone
:knows this, I put my paranoid manager's hat on.
:
:
:Regards, Phone: (250)387-8437
:Cy Schubert Fax: (250)387-5766
Lets see... There are actually *FOUR* telnetd's in our source tree.
/usr/src/crypto/telnet/telnetd VULNERABLE
/usr/src/libexec/telnetd VULNERABLE
/usr/src/crypto/heimdal/appl/telnet/telnetd NOT VULNERABLE
/usr/src/crypto/kerberosIV/appl/telnet/telnetd/telnetd.c NOT VULNERABLE
The heimdal and kerberosIV telnetd's call an output_data()
function which does not allow the output buffer to overflow. The
first two telnetd' just blindly copy the option data into the output
buffer.
-Matt
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200107190747.f6J7lMU71487>