From owner-freebsd-security Thu Jul 19 0:50:38 2001
Date: Thu, 19 Jul 2001 03:50:30 -0400
From: Keith Stevenson <keith.stevenson@louisville.edu>
To: Joseph Gleason
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fw: remote root vulnerability
Message-ID: <20010719035029.A37336@osaka.louisville.edu>
In-Reply-To: <002b01c10fce$18317aa0$0b2d2d0a@battleship>; from clash@tasam.com on Wed, Jul 18, 2001 at 05:10:38PM -0400
User-Agent: Mutt/1.2.5i

On Wed, Jul 18, 2001 at 05:10:38PM -0400, Joseph Gleason wrote:
> Anyone know if this is real? I received it from a source I don't have any
> strong reason to trust.
> (advisory text trimmed)

It looks like it. The recv_ayt() function in telnetd.c does appear to behave in the manner described in the advisory. Nine bytes are strcpy()'d into nfrontp and then nfrontp itself is incremented by nine. I don't see any check to make sure that nfrontp isn't incremented past the end of the buffer that has been allocated for it.
Quickly glancing through the code, I find several instances of something being copied into the buffer and then the pointer being incremented by the number of bytes copied. This seems to be an idiom in this code. I don't consider myself to be a pointer manipulation wizard (especially at 0347 local time), but I don't see any safety checks on the nfrontp manipulations anywhere in the code.

I examined src/libexec/telnetd/telnetd.c version 1.22.2.5 from FreeBSD-4.3. I didn't see anything in the commit logs which makes me think that CURRENT is any different.

Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
keith.stevenson@louisville.edu
GPG key fingerprint = 332D 97F0 6321 F00F 8EE7 2D44 00D8 F384 75BB 89AE
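Added illustration, not code from the message or from FreeBSD's telnetd: a constructed model of the "copy, then advance nfrontp" idiom Keith describes, beside the bound check he notes is missing. The buffer size, the reply string and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed model of the telnetd output-buffer idiom: a fixed buffer,
 * a "front" pointer, and replies appended at the pointer. The real
 * buffer size and reply text are not on the page; these are made up. */
#define NETOBUF_SIZE 64          /* small so the edge case is easy to reach */
static char netobuf[NETOBUF_SIZE];
static char *nfrontp = netobuf;  /* next free byte in netobuf */

/* Hypothetical nine-byte AYT reply (2 + 5 + 2 bytes), as in the message. */
static const char ayt_reply[] = "\r\n[Yes]\r\n";

/* The pattern the message describes: copy, advance, no check against the
 * end of netobuf. Not called below; shown only as the shape to look for. */
void append_unchecked(const char *s)
{
    strcpy(nfrontp, s);
    nfrontp += strlen(s);
}

/* Bounded form: refuses the append once the reply would not fit.
 * Returns 1 if appended, 0 if dropped. */
int append_bounded(const char *s)
{
    size_t len  = strlen(s);
    size_t room = (size_t)((netobuf + NETOBUF_SIZE) - nfrontp);
    if (len > room)
        return 0;                /* drop rather than run past the buffer */
    memcpy(nfrontp, s, len);     /* output buffer, no terminating NUL kept */
    nfrontp += len;
    return 1;
}

/* Simulate n AYT replies into a fresh buffer; returns how many fit. */
int recv_ayt_repeated(int n)
{
    int accepted = 0;
    nfrontp = netobuf;
    for (int i = 0; i < n; i++) {
        if (!append_bounded(ayt_reply))
            break;
        accepted++;
    }
    return accepted;
}

size_t used_bytes(void) { return (size_t)(nfrontp - netobuf); }

int main(void) { printf("%d replies fit\n", recv_ayt_repeated(100)); return 0; }
```

With a 64-byte buffer the bounded version accepts seven nine-byte replies (63 bytes) and drops the eighth, which is exactly the check the unchecked idiom lacks.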