Re: Telnetd AYT overflow scanner

From: David Maxwell (david@fundy.net)
Date: 07/26/01


Date: Thu, 26 Jul 2001 15:20:39 -0300
From: David Maxwell <david@fundy.net>
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
Subject: Re: Telnetd AYT overflow scanner
Message-ID: <20010726152039.A9313@fundy.net>

On Wed, Jul 25, 2001 at 04:18:00PM -0400, der Mouse wrote:
> Quite aside from the _horrible_ misuse of sprintf, this writes a NUL
> one byte past the end of sendbuffer[].
>
> I sure wouldn't trust anything about my system to code from whoever
> wrote this. Just on a quick once-over, I see seven other things I
> would say are wrong with it.

In particular, it can't be trusted to properly assess vulnerability.

In tests against a known vulnerable NetBSD 1.4 telnetd, this tool
reports 'not vulnerable'.

Deciding vulnerability based on only the output (or lack of) from the
telnetd is insufficient. In the NetBSD 1.4 case, the overflow causes
parts of the process's memory space (such as /etc/nsswitch.conf, and
/etc/hosts) to end up in the output buffer and be sent to the client.

I would advise that people not believe their systems are safe based on
the output from the posted code.

For manual inspection, if you have perl and netcat available, try:

perl -e 'for ($i=0;$i<512;$i++) { print "\377\366" }' | nc testhost telnet

While it's possible to have output that looks 'safe' from a run of this
line - certain broken servers will stand out. If you see data in the
output which shouldn't be there, the server is vulnerable.

Note that the exploit posted earlier won't work against even slightly
different systems (like NetBSD 1.3 or NetBSD 1.4), though the perl line
above will show they clearly overflow, and an exploit could be
constructed.

-- 
David Maxwell, david@vex.net|david@maxwell.net -->
Net Musing #5: Redundancy in a network doesn't mean two of everything and
half the staff to run it.
					      - Tomas T. Peiser, CET      



Relevant Pages