Bugtraq mailing list archives
Re: Telnetd AYT overflow scanner
From: David Maxwell <david () fundy net>
Date: Thu, 26 Jul 2001 15:20:39 -0300
On Wed, Jul 25, 2001 at 04:18:00PM -0400, der Mouse wrote:
> Quite aside from the _horrible_ misuse of sprintf, this writes a NUL one byte past the end of sendbuffer[]. I sure wouldn't trust anything about my system to code from whoever wrote this. Just on a quick once-over, I see seven other things I would say are wrong with it.
In particular, it can't be trusted to properly assess vulnerability. In tests against a known vulnerable NetBSD 1.4 telnetd, this tool reports 'not vulnerable'. Deciding vulnerability based on only the output (or lack of) from the telnetd is insufficient. In the NetBSD 1.4 case, the overflow causes parts of the process's memory space (such as /etc/nsswitch.conf, and /etc/hosts) to end up in the output buffer and be sent to the client.

I would advise that people not believe their systems are safe based on the output from the posted code.

For manual inspection, if you have perl and netcat available, try:

    perl -e 'for ($i=0;$i<512;$i++) { print "\377\366" }' | nc testhost telnet

While it's possible to have output that looks 'safe' from a run of this line - certain broken servers will stand out. If you see data in the output which shouldn't be there, the server is vulnerable.

Note that the exploit posted earlier won't work against even slightly different systems (like NetBSD 1.3 or NetBSD 1.4), though the perl line above will show they clearly overflow, and an exploit could be constructed.

-- 
David Maxwell, david () vex net|david () maxwell net --> Net Musing #5:
Redundancy in a network doesn't mean two of everything and half the staff to run it.
- Tomas T. Peiser, CET
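As an added illustration of the manual inspection Maxwell describes (not code from the thread), the following strips telnet protocol bytes and the expected AYT acknowledgements from a captured server reply and reports only what is left over; it treats a clean or empty reply as inconclusive rather than safe, for the reason given above. The "[Yes]" acknowledgement string is assumed from BSD-derived telnetd behaviour, and the sample reply is constructed.

```python
IAC, AYT, SB, SE = 0xFF, 0xF6, 0xFA, 0xF0   # telnet command bytes (RFC 854)
NEGOTIATE = (0xFB, 0xFC, 0xFD, 0xFE)         # WILL, WONT, DO, DONT

# Constructed reply: two negotiation commands, two AYT acknowledgements,
# then text that should never appear in an AYT response.
SAMPLE_REPLY = (
    b"\xff\xfd\x18\xff\xfd\x20"              # IAC DO TTYPE, IAC DO LINEMODE
    + b"\r\n[Yes]\r\n" * 2                   # assumed BSD telnetd AYT reply
    + b"passwd: files\nhosts: files dns\n"   # constructed "leaked" config text
)

def strip_telnet_protocol(data: bytes) -> bytes:
    """Drop IAC command and negotiation sequences; keep only payload bytes."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1; continue
        if i + 1 >= len(data):             # trailing lone IAC: ignore it
            break
        cmd = data[i + 1]
        if cmd == IAC:                     # escaped 0xFF data byte
            out.append(IAC); i += 2
        elif cmd == SB:                    # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in NEGOTIATE:             # three-byte option negotiation
            i += 3
        else:                              # any other two-byte command (incl. AYT)
            i += 2
    return bytes(out)

def unexpected_output(reply: bytes, ack: bytes = b"\r\n[Yes]\r\n") -> bytes:
    """Bytes remaining after protocol noise and AYT acknowledgements are removed."""
    return strip_telnet_protocol(reply).replace(ack, b"")

def assess_ayt_reply(reply: bytes) -> str:
    """'leak' when foreign data is present; otherwise 'inconclusive'.
    Silence or a clean reply does not prove the server is safe."""
    return "leak" if unexpected_output(reply).strip() else "inconclusive"

if __name__ == "__main__":
    print(assess_ayt_reply(SAMPLE_REPLY), unexpected_output(SAMPLE_REPLY))
```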