Date: Thu, 16 Mar 2023 10:35:24 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 270263] telnet buffer overflow if server sends long TELQUAL_NAME for sra
Message-ID: <bug-270263-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270263

            Bug ID: 270263
           Summary: telnet buffer overflow if server sends long TELQUAL_NAME for sra
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
        Attachment #240895 text/plain mime type:

Created attachment 240895
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=240895&action=edit
telnet server that overflows telnet's uprompt[] in sra_reply()

telnet's auth_name() allows the name in TELQUAL_NAME to be up to 255 bytes long:

  auth_name(unsigned char *data, int cnt)
    unsigned char savename[256];
    if ((size_t)cnt > sizeof(savename) - 1) {
      error...
    auth_encrypt_user(savename)

auth_encrypt_user() copies the name to UserNameRequested. But sra_reply() says:

  char uprompt[256],tuser[256];
  ...;
  sprintf(uprompt,"User (%s): ",UserNameRequested);

uprompt[] isn't guaranteed to be big enough, so sprintf can overflow uprompt[].

I've attached a demo telnet server. You may have to re-compile libtelnet and telnet with -fsanitize=address to reliably see a problem:

  # cc telnet17d.c
  # ./a.out
  listening...

And in another window:

  # telnet localhost
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  =================================================================
  ==34863==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffdfa0 at pc 0x0000010a77e3 bp 0x7fffffffcfe0 sp 0x7fffffffc7a8
  WRITE of size 252 at 0x7fffffffdfa0 thread T0
      #0 0x10a77e2 in memcpy /usr/src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:899:5
      #1 0x80173809d in __sfvwrite /usr/src/lib/libc/stdio/fvwrite.c:132:6
      #2 0x801740c5b in __sprint /usr/src/lib/libc/stdio/vfprintf.c:166:8
      #3 0x801740c5b in io_flush /usr/src/lib/libc/stdio/printfcommon.h:157:10
      #4 0x801740c5b in __vfprintf /usr/src/lib/libc/stdio/vfprintf.c:1033:3
      #5 0x80174910d in vsprintf_l /usr/src/lib/libc/stdio/vsprintf.c:62:8
      #6 0x80174910d in vsprintf /usr/src/lib/libc/stdio/vsprintf.c:69:9
      #7 0x10aeac2 in vsprintf /usr/src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1765:1
      #8 0x10af2c6 in sprintf /usr/src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1808:1
      #9 0x1150c70 in sra_reply /usr/src/contrib/telnet/libtelnet/sra.c:273:3
      #10 0x113ed83 in suboption /usr/src/contrib/telnet/telnet/telnet.c:944:4
      #11 0x113d521 in telrcv /usr/src/contrib/telnet/telnet/telnet.c:1874:7
      #12 0x113fc5e in Scheduler /usr/src/contrib/telnet/telnet/telnet.c:2098:17
      #13 0x113f2d9 in telnet /usr/src/contrib/telnet/telnet/telnet.c:2163:6
      #14 0x112c65a in tn /usr/src/contrib/telnet/telnet/commands.c:2497:5
      #15 0x113448a in main /usr/src/contrib/telnet/telnet/main.c:374:7

  Address 0x7fffffffdfa0 is located in stack of thread T0 at offset 288 in frame
      #0 0x11508ef in sra_reply /usr/src/contrib/telnet/libtelnet/sra.c:247

    This frame has 3 object(s):
      [32, 288) 'uprompt' (line 248)
      [352, 608) 'tuser' (line 248) <== Memory access at offset 288 partially underflows this variable
      [672, 688) 'skey' (line 249)

-- 
You are receiving this mail because:
You are the assignee for the bug.
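A hardened form of the sra_reply() sprintf() call the report describes, added here as an example; it is not FreeBSD's code or the reporter's. It assumes only the buffer sizes quoted in the report (uprompt[256] in sra_reply(), savename[256] in auth_name(), so names up to 255 bytes) and constructs a worst-case 255-byte name to show that the full prompt needs 265 bytes, which a bounded snprintf() truncates rather than writing past uprompt[].

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes quoted in the report: uprompt[256] in sra_reply() and
 * savename[256] in auth_name(), which accepts names up to 255 bytes. */
#define UPROMPT_SIZE 256
#define MAX_NAME_LEN 255

/* Hypothetical hardened replacement for
 *     sprintf(uprompt, "User (%s): ", UserNameRequested);
 * snprintf() writes at most dstsz bytes, always NUL-terminates, and
 * returns the length the complete string needed, so the caller can
 * detect truncation instead of overrunning the stack buffer. */
static int build_user_prompt(char *dst, size_t dstsz, const char *user)
{
    return snprintf(dst, dstsz, "User (%s): ", user);
}

/* Bytes the prompt needs for a name of name_len bytes, NUL included:
 * the arithmetic the unbounded sprintf() never performs. */
static size_t prompt_bytes_for_name_len(size_t name_len)
{
    return strlen("User (") + name_len + strlen("): ") + 1;
}

/* Constructed worst case: the longest name auth_name() lets through. */
static void fill_worst_case_name(char *name, size_t namesz)
{
    memset(name, 'A', namesz - 1);
    name[namesz - 1] = '\0';
}

/* Length the full prompt would have had for the worst-case name (no NUL). */
static int worst_case_needed(void)
{
    char name[MAX_NAME_LEN + 1], uprompt[UPROMPT_SIZE];
    fill_worst_case_name(name, sizeof name);
    return build_user_prompt(uprompt, sizeof uprompt, name);
}

/* Bytes actually stored in uprompt[] for the worst-case name: capped at
 * UPROMPT_SIZE - 1 instead of running past the end of uprompt[] as the
 * AddressSanitizer report above shows the sprintf() version doing. */
static size_t worst_case_written(void)
{
    char name[MAX_NAME_LEN + 1], uprompt[UPROMPT_SIZE];
    fill_worst_case_name(name, sizeof name);
    (void)build_user_prompt(uprompt, sizeof uprompt, name);
    return strlen(uprompt);
}
```

A caller that wants to reject rather than truncate compares the snprintf() return value against sizeof uprompt - 1 before using the prompt.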