Re: Telnet exploit & 3.4-RELEASE

From: Paul Hart (hart@orem.verio.net)
Date: 07/27/01


Date: Fri, 27 Jul 2001 15:18:11 -0600 (MDT)
From: Paul Hart <hart@orem.verio.net>
To: Jim Sander <jim@federation.addy.com>

On Thu, 26 Jul 2001, Jim Sander wrote:

> Telnet definitely functions, and the exploit doesn't seem to succeed-
> but then it didn't work before either, so who knows for sure.

The exploit posted to Bugtraq DOES work on FreeBSD 3.4-RELEASE but only if
you selected to install an encrypting telnetd when you set the machine up.

At installation time there is a prompt about whether you want to install
DES software. If you select "Yes" and install the "krb" package you'll
get a telnetd that understands using encryption, but unfortunately for you
it's the exploitable one. The "regular" telnetd still has the overflow
(which may or may not be exploitable) but the posted exploit by TESO
targets encrypting versions that have the encrypt_output function pointer
in the BSS after netobuf. The function pointer gets overwritten when
netobuf overflows and that is the basis of the exploit.

The regular telnetd (if that's the one you installed) doesn't have any
such function pointer to exploit and thus isn't vulnerable to this
particular exploit by TESO. Like I said though, the overflow is still
present and it may or may not be exploitable by other means.

Paul Hart

--
Paul Robert Hart
hart@orem.verio.net
Jul ner lbh ernqvat guvf?
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
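Added illustration, not code from the message or from FreeBSD's telnetd: a model of the netobuf/encrypt_output adjacency Paul describes, with a bounded append so writes cannot reach the bytes after netobuf, and a flush that refuses to call a function pointer that no longer matches a known handler. The struct, sizes and handler names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Model of the layout described above: netobuf and the encrypt_output
 * function pointer are adjacent, as in the BSS of the encrypting telnetd.
 * The struct, sizes and the handler names are assumptions for illustration. */
#define NETOBUF_SIZE 64

typedef void (*output_fn)(const char *, size_t);

static void plain_output(const char *p, size_t n) { (void)p; (void)n; }
static void des_output(const char *p, size_t n)   { (void)p; (void)n; }

struct telnet_out {
    char netobuf[NETOBUF_SIZE];  /* output buffer */
    size_t used;                 /* bytes queued in netobuf */
    output_fn encrypt_output;    /* sits right after the buffer */
};

struct telnet_out g_out = { {0}, 0, des_output };

/* Bounded append: refuses any write that would run past netobuf, so the
 * bytes holding encrypt_output are never reachable from this path.
 * Returns 0 on success, -1 (nothing written) if n does not fit. */
int netobuf_append(struct telnet_out *o, const char *src, size_t n)
{
    if (n > NETOBUF_SIZE - o->used)
        return -1;
    memcpy(o->netobuf + o->used, src, n);
    o->used += n;
    return 0;
}

/* Defensive flush: only call encrypt_output if it still points at one of
 * the handlers that were installed. Any other value is treated as
 * corruption and the queued data is dropped. Returns 0 if flushed, -1 otherwise. */
int netobuf_flush(struct telnet_out *o)
{
    if (o->encrypt_output != plain_output && o->encrypt_output != des_output)
        return -1;
    o->encrypt_output(o->netobuf, o->used);
    o->used = 0;
    return 0;
}
```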