Subject: NetBSD Security Advisory 2001-012: telnetd(8) options overflow
To: None <tech-security@netbsd.org, current-users@netbsd.org,>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: current-users
Date: 07/25/2001 23:52:10
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2001-012
=================================
Topic:          telnetd(8) options overflow
Version:        All NetBSD releases prior to 2001-07-19.
Severity:       remote root from any host which can connect to telnetd(8)
Fixed:          NetBSD-current: 2001-07-19.
                NetBSD-1.5 branch: Supplied patch (see below).
                NetBSD-1.4 branch: Supplied patch (see below).
                A patch is provided for all releases that will fix
                the problem. Pullups to other branches are
                anticipated, see 'More Information' below for how to
                track this progress.
Abstract
========
A buffer overflow existed in the telnetd(8) program. Any client
connecting could cause the telnetd instance to SEGV, and possibly
to execute arbitrary code as root.
Technical Details
=================
Technical details of the vulnerabilities are publicised in
CERT Advisory CA-2001-21:
http://www.cert.org/advisories/CA-2001-21.html
A strong indication of attempted exploitation of this bug may be found
by examining log entries sent to the syslogd(8) system logger facility
DAEMON (which is stored in /var/log/messages by default) of the form:
    telnetd \[[0-9]*\]: ttloop: peer died: No such file or directory
Solutions and Workarounds
=========================
telnetd(8) has been shipped disabled since June 2000, including the
NetBSD 1.5 and 1.5.1 releases, and -current after that date.
If you are running an earlier release, or have re-enabled telnetd(8)
in 1.5.x, disable it now by commenting out the line beginning with
telnetd(8) in /etc/inetd.conf, and kill -HUP your inetd process.
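
The two checks described above (the ttloop log pattern and the telnetd line in /etc/inetd.conf), as an added shell example that is not part of the NetBSD advisory. The syslog line layout, the optional space after "telnetd", and all sample file contents are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory. Sample files below are constructed.

# Print "Mon DD count" for each day with ttloop "peer died" entries.
# Assumes the usual "Mon DD HH:MM:SS host prog[pid]: msg" syslog layout.
ttloop_by_day() {
    awk '/telnetd ?\[[0-9]+\]: ttloop: +peer died: No such file or directory/ {
             day = $1 " " $2
             if (!(day in n)) order[++k] = day
             n[day]++
         }
         END { for (i = 1; i <= k; i++) print order[i], n[order[i]] }' "$1"
}

# Exit 0 if an uncommented line of the given inetd.conf still runs telnetd.
telnetd_enabled() {
    awk '!/^[ \t]*#/ && /(^|[^A-Za-z0-9_])telnetd([^A-Za-z0-9_]|$)/ { found = 1 }
         END { exit !found }' "$1"
}

# Constructed sample input so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/messages" <<'EOF'
Jul 24 03:11:02 gw telnetd[411]: ttloop: peer died: No such file or directory
Jul 24 03:11:05 gw telnetd[413]: ttloop: peer died: No such file or directory
Jul 24 09:30:00 gw sshd[500]: Accepted password for alice
Jul 25 01:02:03 gw telnetd[612]: ttloop: peer died: No such file or directory
EOF
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
#ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -ll
telnet	stream	tcp	nowait	root	/usr/libexec/telnetd	telnetd
EOF
cat > "$SAMPLE_DIR/inetd.fixed" <<'EOF'
#telnet	stream	tcp	nowait	root	/usr/libexec/telnetd	telnetd
EOF

ttloop_by_day "$SAMPLE_DIR/messages"
if telnetd_enabled "$SAMPLE_DIR/inetd.conf"; then
    echo "telnetd still enabled: comment the line out and kill -HUP inetd"
fi
```

On a live system, pass /var/log/messages and /etc/inetd.conf to the two functions in place of the sample files.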
As a reminder, unless you are running on a private network, telnet
exposes your passwords to the Internet. Even on a private network,
passwords may be exposed to inappropriate individuals. Use a strong,
secure protocol, such as Secure Shell, instead.
The following instructions describe how to upgrade your telnetd(8)
by updating your source tree and rebuilding and installing a new
version of telnetd(8).
* NetBSD-current:

    Systems running NetBSD-current dated from before 2001-07-19
    should be upgraded to NetBSD-current dated 2001-07-20 or later.

    The following directory needs to be updated from the
    netbsd-current CVS branch (aka HEAD):
        src/libexec/telnetd

    To update from CVS, re-build, and re-install telnetd(8):
        # cd src/libexec/telnetd
        # cvs update -d -P
        # make cleandir dependall install

    Alternatively, apply the following patch (with potential offset
    differences) and rebuild & re-install telnetd(8):
        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-012-telnetd.patch

    To patch, re-build and re-install telnetd(8):
        # cd src/libexec/telnetd
        # patch < SA2001-012-telnetd.patch
        # make cleandir dependall install

* NetBSD 1.3, 1.3.x, 1.4, 1.4.x, 1.5, 1.5.1

    Systems running NetBSD releases up to and including 1.5.1 should
    apply the following patch (with potential offset differences):
        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-012-telnetd.patch

    To patch, re-build and re-install telnetd(8):
        # cd src/libexec/telnetd
        # patch < SA2001-012-telnetd.patch
        # make cleandir dependall install

The anonymous CVS branches netbsd-1-4 and netbsd-1-5 should be
updated with a fix in the near future.
Thanks To
=========
TESO for the advisory.
Jason Thorpe <thorpej@netbsd.org> for analysis.
Krister Walfridsson <kristerw@netbsd.org> for testing.
Jun-ichiro Hagino <itojun@netbsd.org> for a fix in NetBSD-current
from the Heimdal telnetd sources, by way of OpenBSD.
David Maxwell <david@netbsd.org> for the fix for previous releases.
Revision History
================
2001-07-25 Initial revision.
2001-07-25 Info on how to detect exploit attempts.
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-012.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2001, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2001-012.txt,v 1.12 2001/07/25 13:09:47 lukem Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBO17FAz5Ru2/4N2IFAQFDSwP/U8mVWa8bxZDj9/1jpyfJ4DkYTjTUBqty
TVfqAlEfCJuFe7ftdNds9915yOEYWiqP6xYg3gZKn8c+4UqSQttXpZPW3QIuxg/k
hAiZ3IToWdAKq20YdqbA/BAV3wqHAd0cB8Hu/p1kfuq2rsF5kY0PvTb8z9njGsMJ
Rh7fC+Xyh/c=
=q48s
-----END PGP SIGNATURE-----