Re: multiple vendor telnet daemon vulnerability

[Kris Kennaway <kris () obsecurity org>]

On Tue, Jul 24, 2001 at 04:55:49PM +1000, Steffen Kluge wrote:

> >     OpenBSD current                         |       no     |
                                                       ^^^^
I'm not so sure about this one.  OpenBSD-current (post 2.9) contains
the heimdal telnetd code, which incompletely fixes the handling of the
output buffers (under certain conditions it looks like the buffers can
still be overflowed).  The initial (unofficial) patch posted to the
FreeBSD-security list last week was also a port of the heimdal telnetd
code with the same (flawed) semantics for output_data() and
netflush(), and I had a report yesterday of someone being compromised
with that preliminary patch in place.  The official patch published
with our advisory is believed to fix things properly.

OpenBSD 2.9's telnetd is also full of code like this:

        if (TELOPT_OK(option))
                sprintf(nfrontp, "%s %s\r\n", fmt, TELOPT(option));
        else if (TELCMD_OK(option))
                sprintf(nfrontp, "%s %s\r\n", fmt, TELCMD(option));
        else
                sprintf(nfrontp, "%s %d\r\n", fmt, option);
        nfrontp += strlen(nfrontp);
        return;

which is the signature of the problem reported by TESO.  I wouldn't be
at all surprised if there were further problems there.  For the sake
of the OpenBSD users this needs to be investigated further.

> >     Solaris 2.x sparc                       |      yes     |        ?
> >     <almost any other vendor's telnetd>     |      yes     |        ?
> >     ----------------------------------------+--------------+------------------
>
> Is there a test available that would allow verification of
> vulnerability on various platforms? I'm thinking of network
> devices like routers, do their telnet servers tend to be based
> on the vulnerable code base?

Chances are, yes.  The vulnerability goes back at least to 4.2BSD.

Kris

Attachment: _bin
Description: