From owner-freebsd-security Thu Jul 19 8:22:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 35FAA37B405 for ; Thu, 19 Jul 2001 08:22:31 -0700 (PDT) (envelope-from nectar@nectar.com)
Received: from madman.nectar.com (madman.nectar.com [10.0.1.111]) by gw.nectar.com (Postfix) with ESMTP id 87B3BAF22E; Thu, 19 Jul 2001 10:22:30 -0500 (CDT)
Received: (from nectar@localhost) by madman.nectar.com (8.11.3/8.11.3) id f6JFMUT29699; Thu, 19 Jul 2001 10:22:30 -0500 (CDT) (envelope-from nectar)
Date: Thu, 19 Jul 2001 10:22:30 -0500
From: "Jacques A. Vidrine"
To: Matt Dillon
Cc: Cy Schubert - ITSD Open Systems Group , Mike Tancsa , Kris Kennaway , security@FreeBSD.ORG
Subject: Re: FreeBSD remote root exploit ?
Message-ID: <20010719102230.L27900@madman.nectar.com>
References: <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200107190747.f6J7lMU71487@earth.backplane.com>; from dillon@earth.backplane.com on Thu, Jul 19, 2001 at 12:47:22AM -0700
X-Url: http://www.nectar.com/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, Jul 19, 2001 at 12:47:22AM -0700, Matt Dillon wrote:
> Let's see... There are actually *FOUR* telnetd's in our source tree.
>
> /usr/src/crypto/telnet/telnetd                          VULNERABLE
> /usr/src/libexec/telnetd                                VULNERABLE
> /usr/src/crypto/heimdal/appl/telnet/telnetd             NOT VULNERABLE
> /usr/src/crypto/kerberosIV/appl/telnet/telnetd/telnetd.c NOT VULNERABLE
>
> The heimdal and kerberosIV telnetd's call an output_data()
> function which does not allow the output buffer to overflow. The
> first two telnetd's just blindly copy the option data into the output
> buffer.
Actually, Heimdal's telnetd _is_ vulnerable, but I don't know if it is
exploitable. Sending it a big fat AYT gets it to crash with `seY[' on
the stack.

(gdb) bt
#0  0x7365595b in ?? ()
#1  0x804dc8e in free ()
#2  0x804ac0d in free ()
#3  0x804b1bc in free ()
#4  0x804aac9 in free ()
#5  0x804a4c9 in free ()
(gdb) info reg
eax            0x7365595b       1936021851
ecx            0xbfbff764       -1077938332
edx            0x9      9
ebx            0xff     255
esp            0xbfbff7f0       0xbfbff7f0
ebp            0xbfbff81c       0xbfbff81c
esi            0xffffffff       -1
edi            0x805c98a        134597002
eip            0x7365595b       0x7365595b
eflags         0x10283  66179
cs             0x1f     31
ss             0x2f     47
ds             0x2f     47
es             0x2f     47
fs             0x2f     47
gs             0x2f     47

Cheers,
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
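The thread contrasts telnetds that blindly copy option replies into the network output buffer with those that route every write through a bounded output_data() routine. The following is an added illustration of that bounded-append pattern, not code from this thread or from any FreeBSD or Heimdal telnetd: the struct name, the 64-byte buffer size, the simulated flush and the "[Yes]" reply string are all assumptions chosen for the demo.

```c
/* Hypothetical bounded output buffer modelled on the output_data() idea
 * from the thread. Not FreeBSD's or Heimdal's telnetd code. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NETOBUF_SIZE 64          /* deliberately tiny for the demonstration */

struct netout {
    char buf[NETOBUF_SIZE];      /* fixed-size network output buffer */
    size_t len;                  /* bytes currently queued in buf */
    size_t flushed;              /* bytes handed off by netflush() */
};

/* Simulated flush: a real daemon would write buf to the socket here. */
static void netflush(struct netout *o) {
    o->flushed += o->len;
    o->len = 0;
}

/* Bounded append. If the data does not fit behind what is queued, flush
 * first; if it cannot fit even in an empty buffer, refuse it. The write
 * cursor can therefore never run past the end of buf. */
static bool output_data(struct netout *o, const char *s, size_t n) {
    if (n > NETOBUF_SIZE) return false;
    if (o->len + n > NETOBUF_SIZE) netflush(o);
    memcpy(o->buf + o->len, s, n);
    o->len += n;
    return true;
}

/* Answer a burst of AYT (Are You There) requests. The unchecked variant
 * described in the thread appends every reply regardless of remaining
 * space; this one goes through output_data() and returns how many
 * replies were actually queued. */
static size_t handle_ayt_burst(struct netout *o, size_t count) {
    static const char reply[] = "\r\n[Yes]\r\n";   /* 9 bytes */
    size_t queued = 0;
    for (size_t i = 0; i < count; i++)
        if (output_data(o, reply, sizeof reply - 1)) queued++;
    return queued;
}

int main(void) {
    struct netout o = { .len = 0, .flushed = 0 };
    size_t q = handle_ayt_burst(&o, 1000);
    printf("queued %zu replies: %zu bytes buffered, %zu flushed, cap %d\n",
           q, o.len, o.flushed, NETOBUF_SIZE);
    return 0;
}
```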