Date: Thu, 19 Jul 2001 10:22:30 -0500 From: "Jacques A. Vidrine" <n@nectar.com> To: Matt Dillon <dillon@earth.backplane.com> Cc: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, Mike Tancsa <mike@sentex.net>, Kris Kennaway <kris@obsecurity.org>, security@FreeBSD.ORG Subject: Re: FreeBSD remote root exploit ? Message-ID: <20010719102230.L27900@madman.nectar.com> In-Reply-To: <200107190747.f6J7lMU71487@earth.backplane.com>; from dillon@earth.backplane.com on Thu, Jul 19, 2001 at 12:47:22AM -0700 References: <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Jul 19, 2001 at 12:47:22AM -0700, Matt Dillon wrote: > Lets see... There are actually *FOUR* telnetd's in our source tree. > > /usr/src/crypto/telnet/telnetd VULNERABLE > /usr/src/libexec/telnetd VULNERABLE > /usr/src/crypto/heimdal/appl/telnet/telnetd NOT VULNERABLE > /usr/src/crypto/kerberosIV/appl/telnet/telnetd/telnetd.c NOT VULNERABLE > > The heimdal and kerberosIV telnetd's call an output_data() > function which does not allow the output buffer to overflow. The > first two telnetd' just blindly copy the option data into the output > buffer. Actually, Heimdal's telnetd _is_ vulnerable, but I don't know if it is exploitable. Sending it a big fat AYT gets it to crash with `seY[' on the stack. (gdb) bt #0 0x7365595b in ?? () #1 0x804dc8e in free () #2 0x804ac0d in free () #3 0x804b1bc in free () #4 0x804aac9 in free () #5 0x804a4c9 in free () (gdb) info reg eax 0x7365595b 1936021851 ecx 0xbfbff764 -1077938332 edx 0x9 9 ebx 0xff 255 esp 0xbfbff7f0 0xbfbff7f0 ebp 0xbfbff81c 0xbfbff81c esi 0xffffffff -1 edi 0x805c98a 134597002 eip 0x7365595b 0x7365595b eflags 0x10283 66179 cs 0x1f 31 ss 0x2f 47 ds 0x2f 47 es 0x2f 47 fs 0x2f 47 gs 0x2f 47 Cheers, -- Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010719102230.L27900>