Bugtraq mailing list archives

Re: Bug

From: jhutz+ () cmu edu (Jeffrey Hutzelman)
Date: Fri, 8 Jan 1999 02:47:26 -0500

On Thu, 31 Dec 1998, Mr Spooty wrote:

This patch, along with the domestic version of the most recently
released telnet sources from Berkeley, are available via anonymous ftp
from net-dist.mit.edu in the directory /pub/telnet.


As of Sun Jan  3 20:42:04 GMT 1999 the /pub/telnet directory is
not world readable or searchable, and thus this patch cannot be
downloaded.

Does anyone have a copy of this patch, and perhaps more details on
what it does?


I have no problem seeing into that directory, despite the unusual
permissions.  The original post was little more than a copy of a
message sent by Ted Ts'o on 15-Feb-1995, nearly 4 years ago.  The
gist of the bug, IIRC, was that the method used in the telnet client
to generate the session encryption key (the one used to actually encrypt
the data stream, not the session key in the Kerberos tickets) would
result in a key with bad parity 255/256 of the time.  This, in turn,
could result in one of three situations, depending on how carefully
error checking was done at each end:

(a) Encryption negotiation fails, and the stream is unencrypted
(b) Encryption negotiation succeeds, and the stream is encrypted, but
    using a highly predictable DES key schedule instead of one derived
    from a randomly-chosen session key.  This was the most dangerous
    case, and I believe also the most common.
(c) Encryption negotiation succeeds, and the stream is encrypted,
    but one end uses the bogus key schedule as in (b), while the other
    uses a different schedule (IIRC, derived from the randomly-chosen
    key, after forcing the parity bits).  The result is that neither
    end can communicate with the other.

The patch also appears to fix a fatal bug in the challenge-response
calculation, and to make changes to parsing of authentication types, which
I'd have to go read the full telnet source to understand.

I've CC'd Ted Ts'o on this message, in case he wants to make additional
comments about the nature of the original problem, or the other changes
made by that patch.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ () cmu edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA

Current thread:

Re: Breeze Network Server remote reboot and other bogosity. Mike Pelley (Dec 31)
- Bug Mr Spooty (Dec 31)
  - Re: Bug Curt Sampson (Jan 03)
    - Re: Bug Jeffrey Hutzelman (Jan 07)
  - Anonymous Qmail Denial of Service Wietse Venema (Jan 03)
    - Dosemu/S-Lang Overflow + sploit Trev (Jan 03)
    - Re: Dosemu/S-Lang Overflow + sploit Erik Mouw (Jan 12)
    - Re: Anonymous Qmail Denial of Service Trev (Jan 04)
    - Vulnerability database workshop Gene Spafford (Jan 04)
    - Re: Anonymous Qmail Denial of Service Nick Andrew (Jan 04)
    - Improved icmp time/mask querying program David G. Andersen (Jan 04)
    - Re: Anonymous Qmail Denial of Service Illuminatus Primus (Jan 04)
    - Re: Anonymous Qmail Denial of Service Nick Maclaren (Jan 04)
    - Sendmail 8.9.2 released Patrick Oonk (Jan 04)

(Thread continues...)