Vulnerability Note VU#745371

Multiple vendor telnet daemons vulnerable to buffer overflow via crafted protocol options

Original Release date: 24 Jul 2001 | Last revised: 16 Apr 2002

Overview

The telnetd program is a server for the telnet remote virtual terminal protocol. There is a remotely exploitable buffer overflow in telnet daemons derived from BSD source code. This vulnerability can crash the server, or be leveraged to gain root access.

Description

There is a remotely exploitable buffer overflow in telnet daemons derived from BSD source code. The buffer overflow occurs in the server's processing of protocol options. A function of the telnet daemon, 'telrcv', processes the protocol options. During the processing of the options, the results of 'telrcv' are assumed to be smaller than an unchecked storage buffer. The size of this buffer is statically defined.

TESO claims that they have a working exploit for the BSDI, FreeBSD, and NetBSD versions affected(see http://www.team-teso.net/advisories/teso-advisory-011.tar.gz). Their exploit has been publicly posted on the BugTraq mailing list. We have verified the exploit works against at least one target system.

According to a TESO advisory, the following systems with telnetd running are vulnerable to the buffer overflow:

- BSDI 4.x default
- FreeBSD [2345].x default
- IRIX 6.5
- Linux netkit-telnetd version 0.14 and earlier
- NetBSD 1.x default
- OpenBSD 2.x
- Solaris 2.x sparc

TESO indicates that other vendor's telnet daemons have a high probability of being vulnerable as well. FreeBSD has confirmed the following releases are vulnerable:

"All releases of FreeBSD 3.x, 4.x prior to 4.4, FreeBSD 4.3-STABLE prior to the correction date."

Impact

An intruder can execute arbitrary code as the user running telnetd, typically root.

Solution

Install a patch from your vendor when available. Please continue to check this document for information available from the CERT/CC.

Disallow access to the telnet service (typically port 23/tcp) using firewall or packet-filtering technology. Blocking access to the telnet service will limit your exposure to attacks from outside your network perimeter. However, blocking port 23/tcp at a network perimeter would still allow any users, remote or local, within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements prior to deciding what changes are appropriate.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
AppleAffected24 Jul 200104 Oct 2001
BSDIAffected23 Jul 200115 Aug 2001
CalderaAffected24 Jul 200120 Aug 2001
CiscoAffected24 Jul 200101 Feb 2002
ConectivaAffected-27 Aug 2001
CrayAffected-07 Sep 2001
DebianAffected24 Jul 200120 Aug 2001
FreeBSDAffected24 Jul 200121 Aug 2001
Hewlett PackardAffected24 Jul 200119 Oct 2001
IBMAffected24 Jul 200110 Aug 2001
MiT Kerberos Development TeamAffected-09 Aug 2001
NetBSDAffected24 Jul 200115 Aug 2001
OpenBSDAffected24 Jul 200115 Aug 2001
RedHatAffected24 Jul 200113 Aug 2001
SGIAffected24 Jul 200126 Jul 2001
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT Coordination Center thanks TESO, who published an advisory on this issue. We would also like to thank Jeff Polk <polk@BSDI.COM> for technical assistance.

This document was written by Ian A. Finlay & Jason Rafail.

Other Information

  • CVE IDs: CAN-2001-0554
  • CERT Advisory: CA-2001-21
  • Date Public: 18 Jul 2001
  • Date First Published: 24 Jul 2001
  • Date Last Updated: 16 Apr 2002
  • Severity Metric: 74.81
  • Document Revision: 42

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.