From: "Nevin Kapoor"
Subject: RE: [PATCH] Re: FreeBSD remote root exploit ?
Date: Thu, 19 Jul 2001 11:55:38 -0700
In-Reply-To: <200107191756.f6JHupL14475@giganda.komkon.org>
Sender: owner-freebsd-security@FreeBSD.ORG

Folks,

I think you folks have done an outstanding job at keeping everyone informed and up to date on this issue and I wanted to express my thanks for that.

One quick note though.... I have been receiving email from people confused as to where exactly this patch should be applied, as well as whose steps are the proper steps to follow in the patching process. In reading back through the string of emails, and there are many as we all know, I can see how it could be confusing for people to know what exactly to patch... and what the proper steps are. I don't know that I am 100% positive myself anymore ;-)

I was wondering if someone who is proactively working on this issue could post an email with "cookbook" style instructions detailing where the patch is to be applied, and what the correct steps are to apply the patch. I think this may relieve some of the confusion.

Thanks again.

/nk

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Igor Roshchin
Sent: Thursday, July 19, 2001 10:57 AM
To: chris@jeah.net; ml@db.nexgen.com
Cc: security@FreeBSD.ORG
Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?

It is /usr/src/crypto/telnet/telnetd that is patched by the patch in question.
/usr/src/libexec/telnetd is not touched.

So, does not seem to be incorrect.

The correct directory would be /usr/src/secure/libexec/telnetd

So,
cd /usr/src/secure/libexec/telnetd
make all
make install
...

However, in my case (4.3-RELEASE) the compile failed,
(the patch seemed to apply cleanly).
Below is make's output.

Igor

...secure/libexec/telnetd#make
Warning: Object directory not changed from original /usr/src/secure/libexec/telnetd
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/global.c
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/slc.c
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/state.c
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/sys_term.c
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/telnetd.c
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/termstat.c
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/utility.c
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/authenc.c
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -o telnetd global.o slc.o state.o sys_term.o telnetd.o termstat.o utility.o authenc.o -lutil -ltermcap -L/usr/src/secure/libexec/telnetd/../../lib/libtelnet -ltelnet -lcrypto -lcrypt -lmp
/usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_init':
kerberos.o(.text+0x114): undefined reference to `krb_get_default_keyfile'
/usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_send':
kerberos.o(.text+0x1a6): undefined reference to `krb_get_phost'
kerberos.o(.text+0x1e3): undefined reference to `krb_realmofhost'
kerberos.o(.text+0x21a): undefined reference to `krb_mk_req'
kerberos.o(.text+0x22b): undefined reference to `krb_err_txt'
kerberos.o(.text+0x24d): undefined reference to `krb_get_cred'
kerberos.o(.text+0x25e): undefined reference to `krb_err_txt'
/usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_is':
kerberos.o(.text+0x456): undefined reference to `krb_get_lrealm'
kerberos.o(.text+0x53c): undefined reference to `krb_rd_req'
kerberos.o(.text+0x56c): undefined reference to `krb_err_txt'
kerberos.o(.text+0x5a2): undefined reference to `krb_kntoln'
kerberos.o(.text+0x5c1): undefined reference to `kuserok'
/usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_status':
kerberos.o(.text+0x89e): undefined reference to `kuserok'
*** Error code 1

Stop in /usr/src/secure/libexec/telnetd.

> Date: Thu, 19 Jul 2001 12:39:43 -0500 (CDT)
> From: Chris Byrnes
> To: alexus
> Cc:
> Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
>
> root# cd /usr/src/libexec/telnetd ; make all install ; killall -HUP inetd
>
>
> Chris Byrnes, Managing Member
> JEAH Communications, LLC
>
> On Thu, 19 Jul 2001, alexus wrote:
>
> > uh. ok:)
> >
> > this part is done.. should i recompile telnetd now somehow? if so then
> > how?:)
> >
> > ----- Original Message -----
> > From: "Pierre-Luc Lespérance"
> > To:
> > Sent: Thursday, July 19, 2001 1:28 PM
> > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
> >
> >
> > > alexus wrote:
> > > >
> > > > could you also include some sort of instruction how to apply it?
> > > >
> > > > thanks in advance
> > > >
> > > > ----- Original Message -----
> > > > From: "Ruslan Ermilov"
> > > > To: "Przemyslaw Frasunek"
> > > > Cc:
> > > > Sent: Thursday, July 19, 2001 1:14 PM
> > > > Subject: [PATCH] Re: FreeBSD remote root exploit ?
> > > >
> > > > > On Thu, Jul 19, 2001 at 11:03:53AM +0200, Przemyslaw Frasunek wrote:
> > > > > > > Posted to bugtraq is a notice about telnetd being remotely root
> > > > > > > exploitable. Does anyone know if it is true ?
> > > > > >
> > > > > > Yes, telnetd is vulnerable.
> > > > > >
> > > > > The patch is available at:
> > > > >
> > > > > http://people.FreeBSD.org/~ru/telnetd.patch
> > > > >
> > > > >
> > > > > Cheers,
> > > > > --
> > > > > Ruslan Ermilov Oracle Developer/DBA,
> > > > > ru@sunbay.com Sunbay Software AG,
> > > > > ru@FreeBSD.org FreeBSD committer,
> > > > > +380.652.512.251 Simferopol, Ukraine
> > > > >
> > > > > http://www.FreeBSD.org The Power To Serve
> > > > > http://www.oracle.com Enabling The Information Age
> > > > >
> > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > > with "unsubscribe freebsd-security" in the body of the message
> > > >
> > > go to /usr/src/crypto/telnet/telnetd
> > > and type
> > > shell~# patch -p < /where/is/the/file.patch
> > >