SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#745371

Multiple vendor telnet daemons vulnerable to buffer overflow via crafted protocol options

Overview

The telnetd program is a server for the telnet remote virtual terminal protocol. There is a remotely exploitable buffer overflow in telnet daemons derived from BSD source code. This vulnerability can crash the server, or be leveraged to gain root access.

I. Description

There is a remotely exploitable buffer overflow in telnet daemons derived from BSD source code. The buffer overflow occurs in the server's processing of protocol options. A function of the telnet daemon, 'telrcv', processes the protocol options. During the processing of the options, the results of 'telrcv' are assumed to be smaller than an unchecked storage buffer. The size of this buffer is statically defined.

TESO claims that they have a working exploit for the BSDI, FreeBSD, and NetBSD versions affected(see http://www.team-teso.net/advisories/teso-advisory-011.tar.gz). Their exploit has been publicly posted on the BugTraq mailing list. We have verified the exploit works against at least one target system.

According to a TESO advisory, the following systems with telnetd running are vulnerable to the buffer overflow:

- BSDI 4.x default
- FreeBSD [2345].x default
- IRIX 6.5
- Linux netkit-telnetd version 0.14 and earlier
- NetBSD 1.x default
- OpenBSD 2.x
- Solaris 2.x sparc

TESO indicates that other vendor's telnet daemons have a high probability of being vulnerable as well. FreeBSD has confirmed the following releases are vulnerable:

"All releases of FreeBSD 3.x, 4.x prior to 4.4, FreeBSD 4.3-STABLE prior to the correction date."

II. Impact

An intruder can execute arbitrary code as the user running telnetd, typically root.

III. Solution

Install a patch from your vendor when available. Please continue to check this document for information available from the CERT/CC.

Disallow access to the telnet service (typically port 23/tcp) using firewall or packet-filtering technology. Blocking access to the telnet service will limit your exposure to attacks from outside your network perimeter. However, blocking port 23/tcp at a network perimeter would still allow any users, remote or local, within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements prior to deciding what changes are appropriate.

Systems Affected

VendorStatusDate Updated
AppleVulnerable4-Oct-2001
BSDIVulnerable15-Aug-2001
CalderaVulnerable20-Aug-2001
CiscoVulnerable1-Feb-2002
Compaq Computer CorporationNot Vulnerable1-Aug-2001
ConectivaVulnerable27-Aug-2001
CrayVulnerable7-Sep-2001
Data GeneralUnknown15-Aug-2001
DebianVulnerable20-Aug-2001
FreeBSDVulnerable21-Aug-2001
FujitsuUnknown15-Aug-2001
Hewlett PackardVulnerable19-Oct-2001
IBMVulnerable10-Aug-2001
MicrosoftUnknown15-Aug-2001
MiT Kerberos Development TeamVulnerable9-Aug-2001
NECUnknown15-Aug-2001
NetBSDVulnerable15-Aug-2001
NokiaUnknown24-Jul-2001
OpenBSDVulnerable15-Aug-2001
RedHatVulnerable13-Aug-2001
SCOUnknown15-Aug-2001
Secure Computing CorporationNot Vulnerable31-Jul-2001
SequentUnknown15-Aug-2001
SGIVulnerable26-Jul-2001
SonyUnknown15-Aug-2001
SunVulnerable16-Apr-2002
SuSEVulnerable11-Oct-2001
UnisysUnknown15-Aug-2001

References


http://www.securityfocus.com/bid/3064
http://www.team-teso.net/advisories/teso-advisory-011.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc

Credit

The CERT Coordination Center thanks TESO, who published an advisory on this issue. We would also like to thank Jeff Polk <polk@BSDI.COM> for technical assistance.

This document was written by Ian A. Finlay & Jason Rafail.

Other Information

Date Public07/18/2001
Date First Published07/24/2001 05:42:17 PM
Date Last Updated04/16/2002
CERT AdvisoryCA-2001-21
CVE-ID(s)CAN-2001-0554
NVD-ID(s)CAN-2001-0554
US-CERT Technical Alerts 
Metric74.81
Document Revision42

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2001 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader