Date: Thu, 19 Jul 2001 03:50:30 -0400
From: Keith Stevenson <keith.stevenson@louisville.edu>
To: Joseph Gleason <clash@tasam.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fw: remote root vulnerability
Message-ID: <20010719035029.A37336@osaka.louisville.edu>
In-Reply-To: <002b01c10fce$18317aa0$0b2d2d0a@battleship>; from clash@tasam.com on Wed, Jul 18, 2001 at 05:10:38PM -0400
References: <002b01c10fce$18317aa0$0b2d2d0a@battleship>
On Wed, Jul 18, 2001 at 05:10:38PM -0400, Joseph Gleason wrote:
> Anyone know if this is real? I received it from a source I don't have any
> strong reason to trust.
> (advisory text trimmed)

It looks like it. The recv_ayt() function in telnetd.c does appear to behave in the manner described in the advisory. Nine bytes are strcpy()'d into nfrontp and then nfrontp itself is incremented by nine. I don't see any check to make sure that nfrontp isn't incremented past the end of the buffer that has been allocated for it.

Quickly glancing through the code, I find several instances of something being copied into the buffer and the pointer then being incremented by the number of bytes copied. This seems to be an idiom in this code. I don't consider myself to be a pointer manipulation wizard (especially at 0347 local time), but I don't see any safety checks on the nfrontp manipulations anywhere in the code.

I examined src/libexec/telnetd/telnetd.c version 1.22.2.5 from FreeBSD-4.3. I didn't see anything in the commit logs that makes me think that CURRENT is any different.

Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
keith.stevenson@louisville.edu
GPG key fingerprint = 332D 97F0 6321 F00F 8EE7 2D44 00D8 F384 75BB 89AE
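The idiom Keith describes (copy into the output buffer, bump nfrontp by the number of bytes copied, no check against the end of the buffer) is easy to model in isolation. The C below is an added illustration written for this archive page; it is not FreeBSD's telnetd source. It assumes a 64-byte logical output buffer (telnetd's real buffer is far larger) and assumes the 9-byte AYT reply is "\r\n[Yes]\r\n"; the thread only gives the length, so treat the exact bytes as an assumption. A guard region after the logical buffer lets the overrun be observed without undefined behaviour, and a bounds-checked variant shows the check the original code lacks.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not FreeBSD telnetd code. The logical output buffer
 * is NETOBUF_SIZE bytes; GUARD_SIZE extra bytes after it let us detect a
 * write past the logical end without corrupting unrelated memory. */
#define NETOBUF_SIZE 64          /* assumption: shrunk for the demo */
#define GUARD_SIZE   32
#define GUARD_BYTE   0xAA

static char  backing[NETOBUF_SIZE + GUARD_SIZE];
static char *netobuf = backing;  /* start of the logical buffer */
static char *nfrontp;            /* next free byte, as in telnetd */

/* Assumed 9-byte AYT reply; the thread gives only the length. */
static const char AYT_REPLY[] = "\r\n[Yes]\r\n";
#define AYT_LEN (sizeof(AYT_REPLY) - 1)

static void reset_buffers(void) {
    memset(backing, 0, sizeof backing);
    memset(backing + NETOBUF_SIZE, GUARD_BYTE, GUARD_SIZE);
    nfrontp = netobuf;
}

/* The unchecked idiom from the thread: strcpy, then advance by 9. */
static void recv_ayt_unchecked(void) {
    strcpy(nfrontp, AYT_REPLY);
    nfrontp += AYT_LEN;
}

/* Hardened variant: refuse the append when it would pass the buffer end.
 * The +1 accounts for the NUL strcpy would write. Returns 0 on success,
 * -1 if the reply was dropped. */
static int recv_ayt_checked(void) {
    size_t room = (size_t)((netobuf + NETOBUF_SIZE) - nfrontp);
    if (room < AYT_LEN + 1)
        return -1;
    memcpy(nfrontp, AYT_REPLY, AYT_LEN);
    nfrontp += AYT_LEN;
    return 0;
}

/* Count guard bytes overwritten by writes past the logical end. */
static int guard_bytes_clobbered(void) {
    int n = 0;
    for (int i = 0; i < GUARD_SIZE; i++)
        if ((unsigned char)backing[NETOBUF_SIZE + i] != GUARD_BYTE)
            n++;
    return n;
}

/* Feed `count` AYT requests through the unchecked handler and report how
 * many guard bytes were clobbered. Refuses counts that would leave even the
 * backing array, so the demo itself stays within defined behaviour. */
static int run_unchecked(int count) {
    if (count < 0 || (size_t)count * AYT_LEN + 1 > sizeof backing)
        return -1;
    reset_buffers();
    for (int i = 0; i < count; i++)
        recv_ayt_unchecked();
    return guard_bytes_clobbered();
}

/* Same through the checked handler; returns the number of dropped replies.
 * guard_bytes_clobbered() can be inspected afterwards (it should be 0). */
static int run_checked(int count) {
    int dropped = 0;
    reset_buffers();
    for (int i = 0; i < count; i++)
        if (recv_ayt_checked() < 0)
            dropped++;
    return dropped;
}

int main(void) {
    /* 7 replies fit (63 bytes + NUL); the 8th walks off the end. */
    printf("unchecked, 7 AYTs: %d guard bytes clobbered\n", run_unchecked(7));
    printf("unchecked, 8 AYTs: %d guard bytes clobbered\n", run_unchecked(8));
    printf("checked,   8 AYTs: %d dropped, %d guard bytes clobbered\n",
           run_checked(8), guard_bytes_clobbered());
    return 0;
}
```

The unchecked handler overwrites nine bytes past the logical buffer on the eighth request (eight reply bytes plus strcpy's terminating NUL); the checked handler drops that request and leaves the guard intact. In the real daemon the bytes past the end are whatever follows the output buffer, which is the point of the advisory.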
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010719035029.A37336>