Subject: pkg/13610: exploitable telnetd in kth-krb4
To: None <gnats-bugs@gnats.netbsd.org>
From: T. M. Pederson <salvage@plethora.net>
List: netbsd-bugs
Date: 08/01/2001 07:16:36
>Number:         13610
>Category:       pkg
>Synopsis:       kth-krb4 telnetd vulnerable to buffer overflow as per SA2001-12
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Aug 01 05:13:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     T. M. Pederson
>Release:        NetBSD 1.5.1
>Organization:
Plethora . Net
>Environment:
	System: NetBSD halo.plethora.net 1.5.1
	NetBSD 1.5.1 (NEBULA) #3: Sat Jul 14 11:57:14 CDT 2001
	salvage@halo.plethora.net:/usr/src/sys/arch/sparc/compile/NEBULA sparc


>Description:
	The telnetd included in the kth-krb4 package appears to be vulnerable
	to the same overflow that is mentioned in SA2001-12.  An examination
	of the source suggests that it is as exploitable as the native telnetd.
>How-To-Repeat:
	Attempt any sample-exploit/exploit-test for SA2001-12 against a system
	running the kth-krb4 telnetd.
>Fix:
	Disable telnetd, or try this patch:

--- appl/telnet/telnetd/telnetd.c.orig	Sat Nov 13 00:31:04 1999
+++ appl/telnet/telnetd/telnetd.c	Wed Aug  1 07:08:55 2001
@@ -1381,7 +1381,14 @@
 	return;
     }
 #endif
+    /* Flush outstanding data if possible.  If not, and buffers are
+       full, break protocol and send no reply, rather than overflow
+       the buffer.
+     */
+    netflush();
+    if ( (BUFSIZ - (nfrontp - netobuf)) > 9) {
     output_data("\r\n[Yes]\r\n");
+    }
 }
 
 void
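Review bot: the new guard hard-codes the reply length as `9`, which duplicates the length of the literal passed to `output_data("\r\n[Yes]\r\n")` two lines below; if either is edited independently the check silently stops matching the write. Tie the two together, e.g. `if ((BUFSIZ - (nfrontp - netobuf)) >= sizeof("\r\n[Yes]\r\n") - 1)`, or name the reply once and derive the length from it. The free-space computation also assumes `netobuf` is exactly `BUFSIZ` bytes; `sizeof(netobuf) - (nfrontp - netobuf)` would follow the actual declaration if that size is ever changed. Finally, a style nit: the `output_data(...)` line is now inside the new `if` block but was not re-indented, which hides the fact that it became conditional.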
>Release-Note:
>Audit-Trail:
>Unformatted: