Vulnerability Note VU#745371

Multiple vendor telnet daemons vulnerable to buffer overflow via crafted protocol options

Overview

The telnetd program is a server for the telnet remote virtual terminal protocol. There is a remotely exploitable buffer overflow in telnet daemons derived from BSD source code. This vulnerability can crash the server, or be leveraged to gain root access.

I. Description

There is a remotely exploitable buffer overflow in telnet daemons derived from BSD source code. The buffer overflow occurs in the server's processing of protocol options. A function of the telnet daemon, 'telrcv', processes the protocol options. During the processing of the options, the output produced by 'telrcv' is assumed to fit in a storage buffer whose bounds are never checked. The size of this buffer is statically defined.
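The following is an added illustration of the pattern described above; it is not code from any vendor's telnetd or from this note. It models a hypothetical, statically sized reply buffer that option processing appends to, and shows the bounds check whose absence turns a stream of option requests into a write past the end of the buffer. The buffer size, the option loop and the `simulate_flood` input are all constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Telnet command bytes (RFC 854). */
#define IAC  255
#define DONT 254
#define DO   253
#define WONT 252
#define WILL 251

/* Hypothetical statically sized reply buffer; the small size is chosen so the
   example fills it quickly. */
#define REPLY_CAP 64

struct reply_buf {
    unsigned char data[REPLY_CAP];
    size_t len;       /* bytes queued */
    size_t dropped;   /* replies refused because they would not fit */
};

/* Bounded append. The unsafe pattern this note describes copies without the
   size check, so enough queued replies run past the end of data[]. */
static int reply_append(struct reply_buf *rb, const unsigned char *bytes, size_t n)
{
    if (n > REPLY_CAP - rb->len) {
        rb->dropped++;          /* a real server would flush the buffer instead */
        return -1;
    }
    memcpy(rb->data + rb->len, bytes, n);
    rb->len += n;
    return 0;
}

/* Walk one chunk of client input, refusing every DO/WILL request.
   Returns the number of negotiation commands seen. */
static size_t process_options(const unsigned char *in, size_t len, struct reply_buf *rb)
{
    size_t i = 0, seen = 0;
    while (i < len) {
        if (in[i] != IAC) { i++; continue; }         /* ordinary data byte */
        if (i + 1 >= len) break;                     /* truncated command */
        unsigned char cmd = in[i + 1];
        if (cmd == DO || cmd == DONT || cmd == WILL || cmd == WONT) {
            if (i + 2 >= len) break;                 /* option byte missing */
            unsigned char reply[3] = { IAC, (cmd == DO) ? WONT : DONT, in[i + 2] };
            if (cmd == DO || cmd == WILL)
                reply_append(rb, reply, 3);          /* DONT/WONT need no answer here */
            seen++;
            i += 3;
        } else {
            i += 2;                                  /* two-byte command, incl. IAC IAC */
        }
    }
    return seen;
}

/* Constructed input: n back-to-back "IAC DO <option 1>" requests (n <= 64). */
static struct reply_buf simulate_flood(size_t n)
{
    unsigned char in[3 * 64];
    struct reply_buf rb = { {0}, 0, 0 };
    if (n > 64) n = 64;
    for (size_t k = 0; k < n; k++) {
        in[3 * k] = IAC; in[3 * k + 1] = DO; in[3 * k + 2] = 1;
    }
    process_options(in, 3 * n, &rb);
    return rb;
}

static size_t flood_queued(size_t n)  { return simulate_flood(n).len; }
static size_t flood_dropped(size_t n) { return simulate_flood(n).dropped; }

int main(void)
{
    /* 30 requests produce 90 reply bytes; only 21 replies (63 bytes) fit. */
    printf("30 requests: %zu reply bytes queued, %zu replies dropped\n",
           flood_queued(30), flood_dropped(30));
    return 0;
}
```

The point of the example is the single comparison in `reply_append`: with it, excess replies are counted and refused; without it, the same input overwrites whatever follows the buffer, which is the condition this note describes.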

TESO claims that they have a working exploit for the affected BSDI, FreeBSD, and NetBSD versions (see http://www.team-teso.net/advisories/teso-advisory-011.tar.gz). Their exploit has been publicly posted on the BugTraq mailing list. We have verified that the exploit works against at least one target system.

According to a TESO advisory, the following systems with telnetd running are vulnerable to the buffer overflow:

- BSDI 4.x default
- FreeBSD [2345].x default
- IRIX 6.5
- Linux netkit-telnetd version 0.14 and earlier
- NetBSD 1.x default
- OpenBSD 2.x
- Solaris 2.x sparc

TESO indicates that other vendors' telnet daemons have a high probability of being vulnerable as well. FreeBSD has confirmed the following releases are vulnerable:

"All releases of FreeBSD 3.x, 4.x prior to 4.4, FreeBSD 4.3-STABLE prior to the correction date."

II. Impact

An intruder can execute arbitrary code as the user running telnetd, typically root.

III. Solution

Install a patch from your vendor when available. Please continue to check this document for information available from the CERT/CC.

Disallow access to the telnet service (typically port 23/tcp) using firewall or packet-filtering technology. Blocking access to the telnet service will limit your exposure to attacks from outside your network perimeter. However, blocking port 23/tcp at a network perimeter would still allow any users, remote or local, within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements prior to deciding what changes are appropriate.

Systems Affected

| Vendor | Status | Date Updated |
| --- | --- | --- |
| Apple | Vulnerable | 4-Oct-2001 |
| BSDI | Vulnerable | 15-Aug-2001 |
| Caldera | Vulnerable | 20-Aug-2001 |
| Cisco | Vulnerable | 1-Feb-2002 |
| Compaq Computer Corporation | Not Vulnerable | 1-Aug-2001 |
| Conectiva | Vulnerable | 27-Aug-2001 |
| Cray | Vulnerable | 7-Sep-2001 |
| Data General | Unknown | 15-Aug-2001 |
| Debian | Vulnerable | 20-Aug-2001 |
| FreeBSD | Vulnerable | 21-Aug-2001 |
| Fujitsu | Unknown | 15-Aug-2001 |
| Hewlett Packard | Vulnerable | 19-Oct-2001 |
| IBM | Vulnerable | 10-Aug-2001 |
| Microsoft | Unknown | 15-Aug-2001 |
| MIT Kerberos Development Team | Vulnerable | 9-Aug-2001 |
| NEC | Unknown | 15-Aug-2001 |
| NetBSD | Vulnerable | 15-Aug-2001 |
| Nokia | Unknown | 24-Jul-2001 |
| OpenBSD | Vulnerable | 15-Aug-2001 |
| RedHat | Vulnerable | 13-Aug-2001 |
| SCO | Unknown | 15-Aug-2001 |
| Secure Computing Corporation | Not Vulnerable | 31-Jul-2001 |
| Sequent | Unknown | 15-Aug-2001 |
| SGI | Vulnerable | 26-Jul-2001 |
| Sony | Unknown | 15-Aug-2001 |
| Sun | Vulnerable | 16-Apr-2002 |
| SuSE | Vulnerable | 11-Oct-2001 |
| Unisys | Unknown | 15-Aug-2001 |

References

http://www.securityfocus.com/bid/3064
http://www.team-teso.net/advisories/teso-advisory-011.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc

Credit

The CERT Coordination Center thanks TESO, who published an advisory on this issue. We would also like to thank Jeff Polk <polk@BSDI.COM> for technical assistance.

This document was written by Ian A. Finlay & Jason Rafail.

Other Information

Date Public: 07/18/2001
Date First Published: 07/24/2001 05:42:17 PM
Date Last Updated: 04/16/2002
CERT Advisory: CA-2001-21
CVE Name: CAN-2001-0554
Metric: 74.81
Document Revision: 42


Copyright 2001 Carnegie Mellon University