Date: Thu, 19 Jul 2001 13:56:51 -0400 (EDT)
From: Igor Roshchin
Message-Id: <200107191756.f6JHupL14475@giganda.komkon.org>
To: chris@jeah.net, ml@db.nexgen.com
Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
Cc: security@FreeBSD.ORG
In-Reply-To: <20010719123906.D71473-100000@awww.jeah.net>

It is /usr/src/crypto/telnet/telnetd that is patched by the patch
in question. /usr/src/libexec/telnetd is not touched.
So, does not seem to be incorrect.

The correct directory would be /usr/src/secure/libexec/telnetd
So,

cd /usr/src/secure/libexec/telnetd
make all
make install
...

However, in my case (4.3-RELEASE) the compile failed,
(the patch seemed to apply cleanly).
Below is make's output.

Igor

...secure/libexec/telnetd#make
Warning: Object directory not changed from original /usr/src/secure/libexec/telnetd
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/global.c
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/slc.c
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/state.c
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/sys_term.c
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/telnetd.c
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/termstat.c
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/utility.c
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/authenc.c
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -o telnetd global.o slc.o state.o sys_term.o telnetd.o termstat.o utility.o authenc.o -lutil -ltermcap -L/usr/src/secure/libexec/telnetd/../../lib/libtelnet -ltelnet -lcrypto -lcrypt -lmp
/usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_init':
kerberos.o(.text+0x114): undefined reference to `krb_get_default_keyfile'
/usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_send':
kerberos.o(.text+0x1a6): undefined reference to `krb_get_phost'
kerberos.o(.text+0x1e3): undefined reference to `krb_realmofhost'
kerberos.o(.text+0x21a): undefined reference to `krb_mk_req'
kerberos.o(.text+0x22b): undefined reference to `krb_err_txt'
kerberos.o(.text+0x24d): undefined reference to `krb_get_cred'
kerberos.o(.text+0x25e): undefined reference to `krb_err_txt'
/usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_is':
kerberos.o(.text+0x456): undefined reference to `krb_get_lrealm'
kerberos.o(.text+0x53c): undefined reference to `krb_rd_req'
kerberos.o(.text+0x56c): undefined reference to `krb_err_txt'
kerberos.o(.text+0x5a2): undefined reference to `krb_kntoln'
kerberos.o(.text+0x5c1): undefined reference to `kuserok'
/usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_status':
kerberos.o(.text+0x89e): undefined reference to `kuserok'
*** Error code 1

Stop in /usr/src/secure/libexec/telnetd.

> Date: Thu, 19 Jul 2001 12:39:43 -0500 (CDT)
> From: Chris Byrnes
> To: alexus
> Cc:
> Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
>
> root# cd /usr/src/libexec/telnetd ; make all install ; killall -HUP inetd
>
>
> Chris Byrnes, Managing Member
> JEAH Communications, LLC
>
> On Thu, 19 Jul 2001, alexus wrote:
>
> > uh. ok:)
> >
> > this part is done.. should i recompile telnetd now somehow? if so then
> > how?:)
> >
> > ----- Original Message -----
> > From: "Pierre-Luc Lespérance"
> > To:
> > Sent: Thursday, July 19, 2001 1:28 PM
> > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
> >
> >
> > > alexus wrote:
> > > >
> > > > could you also include some sort of instruction how to apply it?
> > > >
> > > > thanks in advance
> > > >
> > > > ----- Original Message -----
> > > > From: "Ruslan Ermilov"
> > > > To: "Przemyslaw Frasunek"
> > > > Cc:
> > > > Sent: Thursday, July 19, 2001 1:14 PM
> > > > Subject: [PATCH] Re: FreeBSD remote root exploit ?
> > > >
> > > > > On Thu, Jul 19, 2001 at 11:03:53AM +0200, Przemyslaw Frasunek wrote:
> > > > > > > Posted to bugtraq is a notice about telnetd being remotely root
> > > > > > > exploitable. Does anyone know if it is true ?
> > > > > >
> > > > > > Yes, telnetd is vulnerable.
> > > > > >
> > > > > The patch is available at:
> > > > >
> > > > > http://people.FreeBSD.org/~ru/telnetd.patch
> > > > >
> > > > >
> > > > > Cheers,
> > > > > --
> > > > > Ruslan Ermilov        Oracle Developer/DBA,
> > > > > ru@sunbay.com         Sunbay Software AG,
> > > > > ru@FreeBSD.org        FreeBSD committer,
> > > > > +380.652.512.251      Simferopol, Ukraine
> > > > >
> > > > > http://www.FreeBSD.org    The Power To Serve
> > > > > http://www.oracle.com     Enabling The Information Age
> > > > >
> > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > > with "unsubscribe freebsd-security" in the body of the message
> > > > >
> > > >
> > > go to /usr/src/crypto/telnet/telnetd
> > > and type
> > > shell~# patch -p < /where/is/the/file.patch
> > >