Subject: telnetd exploit?
To: None <tech-security@netbsd.org>
From: Matt London <matt@knm.yi.org>
List: tech-security
Date: 07/19/2001 19:35:26
Hi,
I came across this at http://www.team-teso.net/ today, and I don't see
any posts about it in the archive so far...
---[cut]---
Within most of the current telnet daemons in use today there exists a buffer
overflow in the telnet option handling. Under certain circumstances it may
be possible to exploit it to gain root privileges remotely.
Systems Affected
===================
System                                  | vulnerable   | exploitable *
----------------------------------------+--------------+------------------
BSDI 4.x default                        | yes          | yes
FreeBSD [2345].x default                | yes          | yes
IRIX 6.5                                | yes          | no
Linux netkit-telnetd < 0.14             | yes          | ?
Linux netkit-telnetd >= 0.14            | no           |
NetBSD 1.x default                      | yes          | yes
OpenBSD 2.x                             | yes          | ?
OpenBSD current                         | no           |
Solaris 2.x sparc                       | yes          | ?
<almost any other vendor's telnetd>     | yes          | ?
----------------------------------------+--------------+------------------
Impact
===================
Through sending a specially formed option string to the remote telnet
daemon a remote attacker might be able to overwrite sensitive information
on the static memory pages. If done properly this may result in arbitrary
code getting executed on the remote machine under the privileges the
telnet daemon runs on, usually root.
---[cut]---
You can read the rest at the url above.
Just thought I'd mention it as no one else seems to have :&)
-- Matt
---
E-mail:
matt@pkl.net, matt@knm.yi.org, matt@printf.net
matt@m-techdiagnostics.ltd.uk, matthew.london@stud.umist.ac.uk
mattl@vcd.student.utwente.nl, mlondon@mail.talk-101.com
Web Page:
http://knm.yi.org/
http://pkl.net/~matt/
PGP Key fingerprint = 00BF 19FE D5F5 8EAD 2FD5 D102 260E 8BA7 EEE4 8D7F
PGP Key http://knm.yi.org/matt-pgp.html
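The advisory quoted above describes the general class of bug (client-controlled option negotiation causing a daemon to write past a fixed buffer in static memory) but not the specific code path. The following is an added, constructed example, not code from the TESO advisory, from NetBSD, or from any real telnetd: a toy option-negotiation handler that shows the bounds check a reply buffer needs when every client request produces a server-generated reply. The names `reply_buf`, `reply_append`, `process_options` and `demo_flood` and the capacity `REPLY_CAP` are all assumptions of this example.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Telnet negotiation bytes (RFC 854/855). */
#define IAC  255
#define DONT 254
#define DO   253
#define WONT 252
#define WILL 251

/* Small fixed-size reply buffer, standing in for the static memory the
 * advisory mentions. Constructed value, chosen small so the demo fills it. */
#define REPLY_CAP 64

typedef struct {
    unsigned char buf[REPLY_CAP];
    size_t len;
    int overflow_refused;   /* replies dropped because the buffer was full */
} reply_buf;

/* Append n bytes to the reply buffer.
 * Returns 0 on success, -1 (and writes nothing) if it would overflow. */
static int reply_append(reply_buf *r, const unsigned char *src, size_t n) {
    if (n > REPLY_CAP - r->len) {      /* the check this class of bug lacks */
        r->overflow_refused++;
        return -1;
    }
    memcpy(r->buf + r->len, src, n);
    r->len += n;
    return 0;
}

/* Walk a stream of client bytes. Every IAC DO <opt> / IAC WILL <opt> is
 * answered with IAC WONT <opt> / IAC DONT <opt> (this toy supports no options),
 * so the client decides how many bytes the server writes back: exactly the
 * pattern where an unchecked reply buffer overflows.
 * Returns the number of negotiation commands seen. */
int process_options(const unsigned char *in, size_t in_len, reply_buf *r) {
    int handled = 0;
    size_t i = 0;
    while (i < in_len) {
        if (in[i] != IAC) { i++; continue; }        /* ordinary data byte */
        if (i + 1 >= in_len) break;                 /* truncated IAC: need more */
        unsigned char cmd = in[i + 1];
        if (cmd == IAC) { i += 2; continue; }       /* escaped 0xFF data byte */
        if (cmd == DO || cmd == DONT || cmd == WILL || cmd == WONT) {
            if (i + 2 >= in_len) break;             /* truncated option code */
            unsigned char opt = in[i + 2];
            unsigned char reply[3] = { IAC, 0, opt };
            if (cmd == DO)        reply[1] = WONT;
            else if (cmd == WILL) reply[1] = DONT;
            if (reply[1] != 0) reply_append(r, reply, 3);   /* bounded write */
            handled++;
            i += 3;
            continue;
        }
        i += 2;   /* other two-byte commands (NOP, AYT, ...) ignored in this toy */
    }
    return handled;
}

/* Constructed sample input: 'count' repeated IAC DO 1 requests (capped at 64).
 * Returns how many replies had to be dropped; optionally reports the final
 * reply length and the number of commands handled. */
int demo_flood(int count, size_t *out_len, int *out_handled) {
    unsigned char in[3 * 64];
    if (count > 64) count = 64;
    if (count < 0)  count = 0;
    for (int k = 0; k < count; k++) {
        in[3 * k] = IAC; in[3 * k + 1] = DO; in[3 * k + 2] = 1;
    }
    reply_buf r;
    memset(&r, 0, sizeof r);
    int handled = process_options(in, 3 * (size_t)count, &r);
    if (out_len)     *out_len = r.len;
    if (out_handled) *out_handled = handled;
    return r.overflow_refused;
}

int main(void) {
    size_t len; int handled;
    int refused = demo_flood(30, &len, &handled);
    printf("handled=%d reply_bytes=%zu refused=%d\n", handled, len, refused);
    return 0;
}
```

With 30 requests the handler emits 21 three-byte replies (63 bytes), then refuses the remaining 9 rather than writing past the 64-byte buffer; the refusal counter is what a defender would log and alert on, since a legitimate client has no reason to flood negotiation.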