
 
From: Carlos E Gorges (carlostechlinux.com.br)
Date: Wed Apr 18 2001 - 09:43:54 CDT


    Hi all,

    I found a putf() function bug in telnetd ( netkit-telnet-0.17 ).

    test :
    perl -e "print 'a'x30000" > /etc/issue.net
    telnet 0

    Any malicious user with write permission on /etc/issue.net could obtain
    administrator privileges on a machine running telnetd.

    The patch :

    diff -ur netkit-telnet-0.17/telnetd/ext.h
    netkit-telnet-0.17-carlos/telnetd/ext.h
    --- netkit-telnet-0.17/telnetd/ext.h Sun Dec 12 12:59:44 1999
    +++ netkit-telnet-0.17-carlos/telnetd/ext.h Wed Apr 18 10:36:08 2001
    -124,7 +124,7
     
     void ptyflush(void);
     void putchr(int);
    -void putf(const char *, char *);
    +void putf(const char *, char *, int);
     void recv_ayt(void);
     void send_do(int, int);
     void send_dont(int, int);
    diff -ur netkit-telnet-0.17/telnetd/telnetd.c
    netkit-telnet-0.17-carlos/telnetd/telnetd.c
    --- netkit-telnet-0.17/telnetd/telnetd.c Wed Apr 12 18:36:12 2000
    +++ netkit-telnet-0.17-carlos/telnetd/telnetd.c Wed Apr 18 10:35:52 2001
    -862,7 +862,7
     
         edithost(HE, host_name);
         if (hostinfo && *IM)
    - putf(IM, ptyibuf2);
    + putf(IM, ptyibuf2, BUFSIZ);
         
         if (pcc) strncat(ptyibuf2, ptyip, pcc+1);
         ptyip = ptyibuf2;
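Review bot: Passing `BUFSIZ` as the limit leaves no room for the `strncat` on the next line, which appends up to `pcc+1` more bytes to `ptyibuf2` after `putf` may already have filled it to the limit; the same buffer is then handed out as `ptyip`. If `ptyibuf2` is `BUFSIZ` bytes (not visible here), the limit should reserve that tail and the terminator, e.g. `putf(IM, ptyibuf2, BUFSIZ - pcc - 1);`, and that only helps if `putf`'s limit actually bounds bytes written rather than characters read. The enclosing function continues outside the hunk.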
    diff -ur netkit-telnet-0.17/telnetd/utility.c
    netkit-telnet-0.17-carlos/telnetd/utility.c
    --- netkit-telnet-0.17/telnetd/utility.c Sun Dec 12 12:59:45 1999
    +++ netkit-telnet-0.17-carlos/telnetd/utility.c Wed Apr 18 10:42:17 2001
    -450,11 +450,12
     
     static char fmtstr[] = { "%H:%M on %A, %d %B %Y" };
     
    -void putf(const char *cp, char *where)
    +void putf(const char *cp, char *where, int buffsiz)
     {
             char *slash;
             time_t t;
             char db[100];
    + int buffcount=0;
     
             if (where)
             putlocation = where;
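Review bot: The new `buffsiz` parameter has no comment saying what it limits, and its meaning is not obvious: it is compared against a count of characters read from `ISSUE_FILE`, not against the space left in `where`, and a value of 0 disables `%i` expansion entirely. A `size_t` would also be more appropriate than `int` for a buffer size, which would change the prototype in ext.h as well. I would add above the signature `/* buffsiz: max characters consumed from ISSUE_FILE when expanding %i; 0 disables it. Does not bound bytes written to where. */` and initialise with a space, `int buffcount = 0;`, to match the surrounding style.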
    -509,7 +510,8
                                     if ((fp = fopen(ISSUE_FILE, "r")) == NULL)
                                             break;
                                     p = '\n';
    - while ((c = fgetc(fp)) != EOF) {
    + while ((c = fgetc(fp)) != EOF && buffcount < buffsiz ) {
    + buffcount++;
                                             if (p == '\n' && c == '#') {
                                                     do {
                                                             c = fgetc(fp);
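Review bot: The added `buffcount < buffsiz` check bounds characters read from the issue file, not bytes written to the output buffer, so it does not close the overflow it targets. Every newline in the else branch further down the file is emitted as two bytes (`\r` then `\n`), and every `%` escape read here is routed through the recursive `putf`, which expands into hostname, tty or date text whose length is unrelated to the one character consumed, so `buffsiz` input characters can still produce well over `buffsiz` output bytes; on top of that the count starts at zero even though `putf` may already have written the leading banner text into the same buffer before reaching `%i`. The check belongs where bytes are stored (the `putchr`/`putlocation` path), compared against the remaining space, or `buffcount` must be advanced by bytes emitted rather than characters read. The `%i` case, including the `fclose(fp)` that should follow the loop, continues outside the hunk.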
    -521,7 +523,7
                                                     if (c == EOF) break;
                                                     buff[1] = c;
                                                     buff[2] = '\0';
    - putf(buff, NULL);
    + putf(buff, NULL,(int) NULL);
                                             } else {
                                                     if (c == '\n') putchr('\r');
                                                     putchr(c);
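Review bot: `(int) NULL` is a null pointer constant cast to an integer to express the value 0; it compiles but reads as a pointer argument, and on implementations where `NULL` is `((void *)0)` it is a pointer-to-int conversion rather than a plain constant. Write the limit as `putf(buff, NULL, 0);`. As far as the visible code shows, a zero limit makes the nested call skip the `%i` read loop entirely, which looks like the intended guard against an issue file that itself contains `%i`; if so, a short comment such as `/* 0: no nested %i expansion */` would make that explicit. The enclosing `while` loop and its cleanup continue outside the hunk.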

    cya;

    -- 
    	 _________________________
    	 Carlos E Gorges          
    	 (carlostechlinux.com.br)
    	 Tech informática LTDA
    	 Brazil                   
    	 _________________________