Re: Telnet exploit & 3.4-RELEASE

From: Paul Hart (hart@orem.verio.net)
Date: 07/27/01


Date: Fri, 27 Jul 2001 15:18:11 -0600 (MDT)
From: Paul Hart <hart@orem.verio.net>
To: Jim Sander <jim@federation.addy.com>

On Thu, 26 Jul 2001, Jim Sander wrote:

> Telnet definitely functions, and the exploit doesn't seem to succeed-
> but then it didn't work before either, so who knows for sure.

The exploit posted to Bugtraq DOES work on FreeBSD 3.4-RELEASE but only if
you selected to install an encrypting telnetd when you set the machine up.

At installation time there is a prompt about whether you want to install
DES software. If you select "Yes" and install the "krb" package you'll
get a telnetd that understands using encryption, but unfortunately for you
it's the exploitable one. The "regular" telnetd still has the overflow
(which may or may not be exploitable) but the posted exploit by TESO
targets encrypting versions that have the encrypt_output function pointer
in the BSS after netobuf. The function pointer gets overwritten when
netobuf overflows and that is the basis of the exploit.

The regular telnetd (if that's the one you installed) doesn't have any
such function pointer to exploit and thus isn't vulnerable to this
particular exploit by TESO. Like I said though, the overflow is still
present and it may or may not be exploitable by other means.

Paul Hart

--
Paul Robert Hart
hart@orem.verio.net
Jul ner lbh ernqvat guvf?
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
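As an added illustration (not code from this mail, from telnetd, or from the TESO exploit), here is a small C model of the layout Paul describes: a global output buffer sitting directly before a function pointer, paired with the bounds check that keeps a long write from reaching the pointer. The names bss_model, netobuf_append_checked and try_append, and the 64-byte buffer size, are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define NETOBUF_SIZE 64 /* scaled-down stand-in for telnetd's buffer */

/* Hypothetical model of the BSS layout the mail describes: the output
 * buffer sits directly before the encrypt_output function pointer, so a
 * write that runs off the end of netobuf lands on the pointer. */
struct bss_model {
    char netobuf[NETOBUF_SIZE];
    size_t nfrontp;                               /* bytes queued so far */
    void (*encrypt_output)(unsigned char *, int); /* adjacent target     */
};

static void plain_output(unsigned char *buf, int len) { (void)buf; (void)len; }

/* Bounds-checked append: copies and returns 0 if the data fits in the
 * remaining space, otherwise writes nothing and returns -1. This is the
 * check whose absence lets netobuf spill into encrypt_output. */
int netobuf_append_checked(struct bss_model *m, const char *src, size_t len)
{
    if (m->nfrontp > sizeof m->netobuf || len > sizeof m->netobuf - m->nfrontp)
        return -1;
    memcpy(m->netobuf + m->nfrontp, src, len);
    m->nfrontp += len;
    return 0;
}

/* Queue `len` filler bytes into a fresh model: 1 = accepted, pointer intact;
 * 0 = rejected by the check, pointer intact; -1 = pointer changed or bad len. */
int try_append(size_t len)
{
    struct bss_model m = { {0}, 0, plain_output };
    char filler[NETOBUF_SIZE + 2 * sizeof(void *)]; /* constructed input */
    if (len > sizeof filler)
        return -1;
    memset(filler, 'A', sizeof filler);
    int rc = netobuf_append_checked(&m, filler, len);
    if (m.encrypt_output != plain_output)
        return -1;
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    printf("16 bytes: %d, exact fit: %d, one over: %d\n", try_append(16),
           try_append(NETOBUF_SIZE), try_append(NETOBUF_SIZE + 1));
    return 0;
}
```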

