Bugtraq mailing list archives
Re: multiple vendor telnet daemon vulnerability
From: Kris Kennaway <kris () obsecurity org>
Date: Tue, 24 Jul 2001 16:11:36 -0700
On Tue, Jul 24, 2001 at 02:51:24PM -0700, Kris Kennaway wrote:
Solaris 2.x sparc                       |    yes       |       ?
<almost any other vendor's telnetd>     |    yes       |       ?
----------------------------------------+--------------+------------------

Is there a test available that would allow verification of vulnerability on various platforms? I'm thinking of network devices like routers, do their telnet servers tend to be based on the vulnerable code base?

Chances are, yes. The vulnerability goes back at least to 4.2BSD.
I was just talking to David Borman from BSDi about this. Apparently the vulnerability discovered by TESO was introduced around the 4.3BSD timeframe, since it requires passing exploit code in via environment variables (the relevant telnet option to do this wasn't around before then). The 4.2BSD code plays the same dangerous games with sprintf() and manually incrementing the nfrontp pointer, but in the absence of a way to inject your shellcode all you can probably do is crash the telnetd.

Kris
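The message's point about sprintf() and a hand-advanced nfrontp, shown as a bounded append. This is an added example, not part of the original post or of telnetd's source; struct netout, netout_room(), netout_printf() and the 64-byte buffer are hypothetical names and sizes chosen for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NETOBUF_SIZE 64  /* constructed size, small so a test can fill it */

/* Hypothetical stand-in for the daemon's output buffer and front pointer. */
struct netout {
    char buf[NETOBUF_SIZE];
    char *nfrontp;       /* next free byte in buf */
};

static void netout_init(struct netout *o)
{
    o->nfrontp = o->buf;
    o->buf[0] = '\0';
}

/* Bytes still free, keeping one in reserve for the terminating NUL. */
static size_t netout_room(const struct netout *o)
{
    return (size_t)(o->buf + sizeof(o->buf) - o->nfrontp) - 1;
}

/*
 * The pattern the post describes is, in outline:
 *     sprintf(nfrontp, fmt, ...); nfrontp += strlen(nfrontp);
 * Nothing there compares the formatted length with the space left.
 * This is the bounded form: format into the remaining space only and
 * advance nfrontp only when the whole string fit.
 * Returns bytes appended, or -1 (buffer contents unchanged) if it would not fit.
 */
static int netout_printf(struct netout *o, const char *fmt, ...)
{
    size_t room = netout_room(o);
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(o->nfrontp, room + 1, fmt, ap);
    va_end(ap);

    if (n < 0 || (size_t)n > room) {
        *o->nfrontp = '\0';  /* discard the truncated partial write */
        return -1;           /* caller flushes and retries, or drops it */
    }
    o->nfrontp += n;
    return n;
}
```
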