[Full-disclosure] Microsoft Windows and *nix Telnet Port Number Argument Obfuscation
From: Kristian Hermansen (khermans cisco.com)
Date: Tue Jun 07 2005 - 17:09:41 CDT
I. BACKGROUND
Telnet is a standard networking tool available on almost every computing
platform that participates on a network.
II. DESCRIPTION
The second argument to the telnet executable, the port number, does not
need to conform to the standard available port conventions (i.e.
0-65535). It is actually possible to specify a port number very far out
of the effective range, and still be able to connect to the "wrapped"
port value. On Windows, it is even possible to specify negative port
values. Following is a short demonstration:
C:\>telnet localhost 65535999999999934485
220 localhost Microsoft FTP Service (Version 5.0).
C:\>telnet localhost -6553403371
220 localhost Microsoft FTP Service (Version 5.0).
You can create your own "wrapping" values by picking large numbers that
have a remainder of your specified port when modded with 65536. For
instance, in the example above:
65535999999999934485 % 65536 = 21
III. ANALYSIS
This is not a vulnerability at all, but could prove quite useful when
trying to obfuscate an admin's log of executed shell commands. For
instance, an unknowing admin looking at the arguments to telnet in this
example would be very confused. Other than this, there is no security
risk and the result is just interesting.
IV. DETECTION
I have confirmed that this will work on Microsoft Windows 2000 Server
SP4, Microsoft Windows Advanced Server SP0, Red Hat Linux Enterprise
Server 3.0, SuSE Professional 9.0, and Sun Solaris 8.
V. CREDIT
Discovered by Kristian Hermansen.
--
Kristian Hermansen <khermans cisco.com>
Cisco Systems, Inc.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
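
Added example, not part of the original post: a Python sketch of how a defender could normalise telnet port arguments found in logged shell commands, using the modulo-65536 wrap described in section II. The function names and the sample log lines are constructed for illustration, and treating the last numeric token as the port is an assumption about the command format.

```python
import re

# Optionally signed decimal integer, the form used in the post's examples.
_INT = re.compile(r"^[+-]?\d+$")

def effective_port(arg):
    """Reduce a port argument modulo 65536, the wrap described in the post."""
    value = 0
    for ch in arg.lstrip("+-"):
        # Digit-by-digit reduction keeps arbitrarily long arguments cheap.
        value = (value * 10 + int(ch)) % 65536
    return (-value if arg.startswith("-") else value) % 65536

def audit_telnet(lines):
    """Return (line, host, raw_port, effective_port) for obfuscated ports."""
    findings = []
    for line in lines:
        tokens = line.split()
        # Locate the telnet executable, tolerating a prompt, path or .exe suffix.
        for i, tok in enumerate(tokens):
            if re.split(r"[\\/>]", tok)[-1].lower() in ("telnet", "telnet.exe"):
                break
        else:
            continue
        args = tokens[i + 1:]
        # Assumption: the port, when given numerically, is the last argument.
        if len(args) < 2 or not _INT.match(args[-1]):
            continue
        raw, port = args[-1], effective_port(args[-1])
        # Flag any literal that is not the canonical form of the port it maps
        # to: out-of-range, negative, or padded values such as "021".
        if raw != str(port):
            findings.append((line, args[-2], raw, port))
    return findings

# Constructed sample log; the two wrapped values are the ones from the post.
SAMPLE_LOG = [
    r"C:\>telnet localhost 65535999999999934485",
    r"C:\>telnet localhost -6553403371",
    "telnet localhost 21",
    "telnet mail.example.test smtp",
    "ssh admin@host.example.test",
]

if __name__ == "__main__":
    for line, host, raw, port in audit_telnet(SAMPLE_LOG):
        print(f"{host}: port argument {raw} resolves to {port} | {line}")
```

Service-name ports such as "smtp" and canonical numeric ports are left alone; only literals that differ from the port they resolve to are reported.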