Date:      Thu, 19 Jul 2001 10:22:30 -0500
From:      "Jacques A. Vidrine" <n@nectar.com>
To:        Matt Dillon <dillon@earth.backplane.com>
Cc:        Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, Mike Tancsa <mike@sentex.net>, Kris Kennaway <kris@obsecurity.org>, security@FreeBSD.ORG
Subject:   Re: FreeBSD remote root exploit ?
Message-ID:  <20010719102230.L27900@madman.nectar.com>
In-Reply-To: <200107190747.f6J7lMU71487@earth.backplane.com>; from dillon@earth.backplane.com on Thu, Jul 19, 2001 at 12:47:22AM -0700
References:  <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com>

On Thu, Jul 19, 2001 at 12:47:22AM -0700, Matt Dillon wrote:
>     Let's see...  There are actually *FOUR* telnetd's in our source tree.
> 
>     /usr/src/crypto/telnet/telnetd				VULNERABLE
>     /usr/src/libexec/telnetd					VULNERABLE
>     /usr/src/crypto/heimdal/appl/telnet/telnetd			NOT VULNERABLE
>     /usr/src/crypto/kerberosIV/appl/telnet/telnetd/telnetd.c	NOT VULNERABLE
> 
>     The heimdal and kerberosIV telnetd's call an output_data()
>     function which does not allow the output buffer to overflow.  The
>     first two telnetd's just blindly copy the option data into the output
>     buffer.

Actually, Heimdal's telnetd _is_ vulnerable, but I don't know if it is
exploitable.  Sending it a big fat AYT gets it to crash with `seY[' on
the stack.

(gdb) bt
#0  0x7365595b in ?? ()
#1  0x804dc8e in free ()
#2  0x804ac0d in free ()
#3  0x804b1bc in free ()
#4  0x804aac9 in free ()
#5  0x804a4c9 in free ()
(gdb) info reg
eax            0x7365595b       1936021851
ecx            0xbfbff764       -1077938332
edx            0x9      9
ebx            0xff     255
esp            0xbfbff7f0       0xbfbff7f0
ebp            0xbfbff81c       0xbfbff81c
esi            0xffffffff       -1
edi            0x805c98a        134597002
eip            0x7365595b       0x7365595b
eflags         0x10283  66179
cs             0x1f     31
ss             0x2f     47
ds             0x2f     47
es             0x2f     47
fs             0x2f     47
gs             0x2f     47

Cheers,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
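Two things in the thread above are worth seeing in code: the bounded append that Matt describes (an output_data() that refuses to overflow its buffer, as opposed to a blind copy of option data), and the way to read the crash register dump Jacques posted, where eip == 0x7365595b. The following is an added example, not Heimdal's, kerberosIV's, or FreeBSD's telnetd code; the 64-byte buffer size, the struct layout, and the AYT reply text "\r\n[Yes]\r\n" are constructed for the demonstration. The decode helper shows why the value 0x7365595b prints as `seY[` when dumped as a word: in little-endian byte order it is the four ASCII bytes `[Yes`, which is consistent with reply text having been written over the saved return address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for the demo; a real telnetd output buffer is larger. */
#define OUTBUF_SIZE 64

struct outbuf {
    char   data[OUTBUF_SIZE];
    size_t len;
};

/* Bounded append in the spirit of the output_data() described in the thread:
 * if the chunk would not fit, nothing is written and 0 is returned.
 * The vulnerable pattern is the same call with the length check removed. */
int output_data(struct outbuf *ob, const char *src, size_t n)
{
    if (n > OUTBUF_SIZE - ob->len)
        return 0;
    memcpy(ob->data + ob->len, src, n);
    ob->len += n;
    return 1;
}

/* Queue up to `count` AYT replies (constructed reply text) and return how
 * many actually fit; a burst of AYTs can never run past the buffer end. */
size_t handle_ayt_burst(struct outbuf *ob, size_t count)
{
    static const char reply[] = "\r\n[Yes]\r\n";   /* 9 bytes */
    size_t done = 0;
    for (; done < count; done++)
        if (!output_data(ob, reply, sizeof reply - 1))
            break;
    return done;
}

/* Render a 32-bit register value as the four bytes it occupies in
 * little-endian memory order; non-printable bytes become '.'.
 * `out` must have room for 5 chars. */
void reg_to_ascii(uint32_t v, char out[5])
{
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)((v >> (8 * i)) & 0xff);
        out[i] = (b >= 0x20 && b < 0x7f) ? (char)b : '.';
    }
    out[4] = '\0';
}

int main(void)
{
    struct outbuf ob = { {0}, 0 };
    size_t n = handle_ayt_burst(&ob, 1000);
    printf("%zu AYT replies fit, %zu of %d bytes used\n", n, ob.len, OUTBUF_SIZE);

    char s[5];
    reg_to_ascii(0x7365595bu, s);
    printf("eip 0x7365595b as little-endian bytes: \"%s\"\n", s);
    return 0;
}
```

With the check in place, 1000 AYTs fill the buffer to 63 bytes and stop; the 1000 requests are not a crash, just 993 dropped replies. When triaging a register dump from a crash like the one above, running the faulting eip (and any suspicious ecx/eax values) through reg_to_ascii() is a quick way to tell an overwritten return address apart from a wild pointer: text from the protocol stream landing in eip points straight at the copy that lacked the bound.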
