From owner-freebsd-security Thu Jul 19 9:57:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id D64ED37B406 for ; Thu, 19 Jul 2001 09:57:21 -0700 (PDT) (envelope-from dillon@earth.backplane.com)
Received: (from dillon@localhost) by earth.backplane.com (8.11.4/8.11.2) id f6JGvG574763; Thu, 19 Jul 2001 09:57:16 -0700 (PDT) (envelope-from dillon)
Date: Thu, 19 Jul 2001 09:57:16 -0700 (PDT)
From: Matt Dillon
Message-Id: <200107191657.f6JGvG574763@earth.backplane.com>
To: "Jacques A. Vidrine"
Cc: Cy Schubert - ITSD Open Systems Group , Mike Tancsa , Kris Kennaway , security@FreeBSD.ORG
Subject: Re: FreeBSD remote root exploit ?
References: <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com> <20010719102230.L27900@madman.nectar.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

:
:Actually, Heimdal's telnetd _is_ vulnerable, but I don't know if it is
:exploitable. Sending it a big fat AYT gets it to crash with `seY[' on
:the stack. Oh joy.

    Hmm. Then I don't know... it calls output_data() to generate the AYT
    answer. I don't see anything particularly wrong with the code unless
    nfrontp exceeds BUFSIZ. That's fragile; it could be that something
    else is causing nfrontp to exceed BUFSIZ and breaks the snprintf()
    'remaining' calculation in output_data().

-Matt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
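The failure mode Matt describes (a fill pointer that has already passed the end of the buffer turning the `snprintf()` size argument into a huge value) is illustrated below as an added example; this is not telnetd's `output_data()`, and `struct outbuf`, `OUTBUF_SIZE`, `fill`, `remaining_fragile`, `remaining_checked` and `append_reply` are constructed stand-ins for `netobuf`, `BUFSIZ` and `nfrontp`.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for telnetd's output buffer: a fixed buffer plus
 * a fill offset that plays the role of (nfrontp - netobuf). */
#define OUTBUF_SIZE 64

struct outbuf {
    char buf[OUTBUF_SIZE];
    size_t fill;              /* offset of next free byte */
};

/* Fragile 'remaining' calculation: if fill has already gone past the end
 * of the buffer, the subtraction wraps to a huge size_t and the bound
 * passed to snprintf() no longer limits anything. */
size_t remaining_fragile(const struct outbuf *ob) {
    return OUTBUF_SIZE - ob->fill;   /* wraps when fill > OUTBUF_SIZE */
}

/* Hardened version: an out-of-range fill offset means "no room left",
 * never a wrapped-around count. */
size_t remaining_checked(const struct outbuf *ob) {
    if (ob->fill >= OUTBUF_SIZE) return 0;
    return OUTBUF_SIZE - ob->fill;
}

/* Append a reply string (e.g. the constructed AYT answer "[Yes]") only if
 * it fits entirely. Returns bytes appended, or -1 if the reply was dropped;
 * a truncated write never advances the fill offset. */
int append_reply(struct outbuf *ob, const char *msg) {
    size_t room = remaining_checked(ob);
    if (room == 0) return -1;
    int n = snprintf(ob->buf + ob->fill, room, "%s", msg);
    if (n < 0 || (size_t)n >= room) return -1;
    ob->fill += (size_t)n;
    return n;
}

int main(void) {
    struct outbuf ob;
    memset(&ob, 0, sizeof ob);
    ob.fill = OUTBUF_SIZE + 8;   /* simulate a fill pointer past the end */
    printf("fragile remaining: %zu, checked remaining: %zu\n",
           remaining_fragile(&ob), remaining_checked(&ob));
    return 0;
}
```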