From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 270263] telnet buffer overflow if server sends long TELQUAL_NAME for sra
Date: Thu, 16 Mar 2023 10:35:24 +0000
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270263

            Bug ID: 270263
           Summary: telnet buffer overflow if server sends long TELQUAL_NAME
                    for sra
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
  Attachment #240895 mime type: text/plain

Created attachment 240895
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=240895&action=edit
telnet server that overflows telnet's uprompt[] in sra_reply()

telnet's auth_name() allows the name in TELQUAL_NAME to be up to 255 bytes
long:

  auth_name(unsigned char *data, int cnt)
    unsigned char savename[256];
    if ((size_t)cnt > sizeof(savename) - 1) {
        error...
    auth_encrypt_user(savename)

auth_encrypt_user() copies the name to UserNameRequested. But sra_reply()
says:

  char uprompt[256],tuser[256];
  ...;
  sprintf(uprompt,"User (%s): ",UserNameRequested);

uprompt[] isn't guaranteed to be big enough, so sprintf can overflow
uprompt[].

I've attached a demo telnet server. You may have to re-compile libtelnet
and telnet with -fsanitize=address to reliably see a problem:

# cc telnet17d.c
# ./a.out
listening...

And in another window:

# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
=================================================================
==34863==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffdfa0 at pc 0x0000010a77e3 bp 0x7fffffffcfe0 sp 0x7fffffffc7a8
WRITE of size 252 at 0x7fffffffdfa0 thread T0
    #0 0x10a77e2 in memcpy /usr/src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:899:5
    #1 0x80173809d in __sfvwrite /usr/src/lib/libc/stdio/fvwrite.c:132:6
    #2 0x801740c5b in __sprint /usr/src/lib/libc/stdio/vfprintf.c:166:8
    #3 0x801740c5b in io_flush /usr/src/lib/libc/stdio/printfcommon.h:157:10
    #4 0x801740c5b in __vfprintf /usr/src/lib/libc/stdio/vfprintf.c:1033:3
    #5 0x80174910d in vsprintf_l /usr/src/lib/libc/stdio/vsprintf.c:62:8
    #6 0x80174910d in vsprintf /usr/src/lib/libc/stdio/vsprintf.c:69:9
    #7 0x10aeac2 in vsprintf /usr/src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1765:1
    #8 0x10af2c6 in sprintf /usr/src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1808:1
    #9 0x1150c70 in sra_reply /usr/src/contrib/telnet/libtelnet/sra.c:273:3
    #10 0x113ed83 in suboption /usr/src/contrib/telnet/telnet/telnet.c:944:4
    #11 0x113d521 in telrcv /usr/src/contrib/telnet/telnet/telnet.c:1874:7
    #12 0x113fc5e in Scheduler /usr/src/contrib/telnet/telnet/telnet.c:2098:17
    #13 0x113f2d9 in telnet /usr/src/contrib/telnet/telnet/telnet.c:2163:6
    #14 0x112c65a in tn /usr/src/contrib/telnet/telnet/commands.c:2497:5
    #15 0x113448a in main /usr/src/contrib/telnet/telnet/main.c:374:7

Address 0x7fffffffdfa0 is located in stack of thread T0 at offset 288 in frame
    #0 0x11508ef in sra_reply /usr/src/contrib/telnet/libtelnet/sra.c:247

  This frame has 3 object(s):
    [32, 288) 'uprompt' (line 248)
    [352, 608) 'tuser' (line 248) <== Memory access at offset 288 partially underflows this variable
    [672, 688) 'skey' (line 249)

-- 
You are receiving this mail because:
You are the assignee for the bug.
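As an added illustration that is not part of the bug report or of the FreeBSD telnet sources, the following C program shows the arithmetic behind the report (auth_name() admits a name of up to 255 bytes, "User (%s): " then needs up to 265 bytes, and uprompt[] holds 256) and a bounded replacement for the quoted sprintf() call that reports truncation instead of writing past the buffer. Only the two buffer sizes and the format string come from the report; the function and macro names (prompt_bytes_needed, max_name_for_prompt, build_user_prompt, prompt_fits, UPROMPT_SIZE, MAX_AUTH_NAME) are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes taken from the report: sra_reply() declares uprompt[256] and
 * auth_name() accepts a TELQUAL_NAME of at most 255 bytes. */
#define UPROMPT_SIZE   256
#define MAX_AUTH_NAME  255

/* Bytes (including the terminating NUL) that an unbounded
 *   sprintf(uprompt, "User (%s): ", name)
 * writes for a name of namelen bytes. */
size_t prompt_bytes_needed(size_t namelen)
{
    return strlen("User (") + namelen + strlen("): ") + 1;
}

/* Longest name whose prompt still fits in a buffer of bufsz bytes. */
size_t max_name_for_prompt(size_t bufsz)
{
    size_t overhead = strlen("User (") + strlen("): ") + 1;
    return bufsz > overhead ? bufsz - overhead : 0;
}

/* Hypothetical hardened replacement for the sprintf() call in sra_reply().
 * snprintf() never writes more than outsz bytes and NUL-terminates whenever
 * outsz > 0; the return value tells the caller whether the whole prompt fit,
 * so a silently truncated prompt is not shown to the user. */
bool build_user_prompt(char *out, size_t outsz, const char *name)
{
    if (out == NULL || outsz == 0 || name == NULL)
        return false;
    int n = snprintf(out, outsz, "User (%s): ", name);
    return n >= 0 && (size_t)n < outsz;
}

/* Try a constructed name of namelen 'A' bytes against a UPROMPT_SIZE
 * buffer. Returns true if the prompt fit without truncation. Names longer
 * than MAX_AUTH_NAME are rejected up front, mirroring the length check the
 * report quotes from auth_name(). */
bool prompt_fits(size_t namelen)
{
    char name[MAX_AUTH_NAME + 1];
    char uprompt[UPROMPT_SIZE];

    if (namelen > MAX_AUTH_NAME)
        return false;
    memset(name, 'A', namelen);
    name[namelen] = '\0';
    return build_user_prompt(uprompt, sizeof uprompt, name);
}

int main(void)
{
    size_t limit = max_name_for_prompt(UPROMPT_SIZE);

    printf("uprompt[] holds %d bytes; a %d-byte name needs %zu bytes\n",
           UPROMPT_SIZE, MAX_AUTH_NAME, prompt_bytes_needed(MAX_AUTH_NAME));
    printf("longest name that fits: %zu bytes\n", limit);
    printf("%d-byte name: %s\n", MAX_AUTH_NAME,
           prompt_fits(MAX_AUTH_NAME) ? "fits" : "truncated (sprintf would have overflowed)");
    printf("%zu-byte name: %s\n", limit, prompt_fits(limit) ? "fits" : "truncated");
    return 0;
}
```

With these sizes the longest name that fits is 246 bytes, nine short of what auth_name() admits, which is the gap the sanitizer report above is showing. A caller of build_user_prompt() that gets false back can either fall back to a prompt without the name or size the buffer from prompt_bytes_needed(); either way the write stays inside the buffer.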