Date:      Thu, 19 Jul 2001 09:57:16 -0700 (PDT)
From:      Matt Dillon <dillon@earth.backplane.com>
To:        "Jacques A. Vidrine" <n@nectar.com>
Cc:        Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, Mike Tancsa <mike@sentex.net>, Kris Kennaway <kris@obsecurity.org>, security@FreeBSD.ORG
Subject:   Re: FreeBSD remote root exploit ?
Message-ID:  <200107191657.f6JGvG574763@earth.backplane.com>
References:  <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com> <20010719102230.L27900@madman.nectar.com>


:
:Actually, Heimdal's telnetd _is_ vulnerable, but I don't know if it is
:exploitable.  Sending it a big fat AYT gets it to crash with `seY[' on
:the stack.

    Oh joy.  Hmm.  Then I don't know... it calls output_data() to generate
    the AYT answer, I don't see anything particularly wrong with the code
    unless nfrontp exceeds BUFSIZ.  That's fragile, it could be that something
    else is causing nfrontp to exceed BUFSIZ and breaks the snprintf()
    'remaining' calculation in output_data().

						-Matt
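
The 'remaining' calculation discussed above, as an added example that is not part of the original message and is not the telnetd source. OBUF_SIZE (a small stand-in for BUFSIZ), nfront (an offset form of nfrontp) and both function names are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>

#define OBUF_SIZE 64             /* assumption: stands in for BUFSIZ */

static char   netobuf[OBUF_SIZE];
static size_t nfront;            /* assumption: nfrontp kept as an offset */

/* Fragile form: correct only while used <= OBUF_SIZE. Past that the
 * unsigned subtraction wraps to a huge value, which would then be
 * handed to vsnprintf() as the size limit. */
static size_t remaining_unchecked(size_t used)
{
    return OBUF_SIZE - used;
}

/* Hardened append: check the invariant before computing the space and
 * advance by what was stored, not by what vsnprintf() wanted to write.
 * Returns the number of bytes appended, or -1. */
static int output_data_checked(const char *fmt, ...)
{
    va_list ap;
    size_t room;
    int n;

    if (nfront >= OBUF_SIZE)     /* invariant broken or buffer full */
        return -1;
    room = OBUF_SIZE - nfront;
    va_start(ap, fmt);
    n = vsnprintf(netobuf + nfront, room, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= room)       /* truncated: room - 1 bytes were stored */
        n = (int)(room - 1);
    nfront += (size_t)n;
    return n;
}

int main(void)
{
    printf("used=10 -> remaining %zu\n", remaining_unchecked(10));
    printf("used=%d -> remaining %zu\n", OBUF_SIZE + 1,
           remaining_unchecked(OBUF_SIZE + 1));
    while (output_data_checked("[%s : yes]\r\n", "host.example") > 0)
        ;                        /* constructed AYT-style replies */
    printf("queued %zu of %d bytes\n", nfront, OBUF_SIZE);
    return 0;
}
```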
