OSEC

 
From: Steve (stevesecuresolutions.org)
Date: Wed Jul 25 2001 - 01:08:11 CDT


    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    >
    > CERT Advisory CA-2001-21 Buffer Overflow in telnetd
    >
    > Original release date: July 24, 2001
    > Last revised: --
    > Source: CERT/CC
    >
    > A complete revision history can be found at the end of this file.
    >
    > Systems Affected
    >
    > Systems running versions of telnetd derived from BSD source.
    >
    > Overview
    >
    > The telnetd program is a server for the Telnet remote virtual terminal
    > protocol. There is a remotely exploitable buffer overflow in Telnet
    > daemons derived from BSD source code. This vulnerability can crash the
    > server, or be leveraged to gain root access.
    >
    > I. Description
    >
    > There is a remotely exploitable buffer overflow in Telnet daemons
    > derived from BSD source code. During the processing of the Telnet
    > protocol options, the results of the "telrcv" function are stored in a
    > fixed-size buffer. It is assumed that the results are smaller than the
    > buffer and no bounds checking is performed.
    >
    > The vulnerability was discovered by TESO. An exploit for this
    > vulnerability has been publicly released; internal testing at CERT/CC
    > confirms this exploit works against at least one target system. For
    > more information, see
    >
    > http://www.team-teso.net/advisories/teso-advisory-011.tar.gz
    >
    > II. Impact
    >
    > An intruder can execute arbitrary code with the privileges of the
    > telnetd process, typically root.
    >
    > III. Solution
    >
    > Apply a patch
    >
    > Appendix A contains information from vendors who have provided
    > information for this advisory. We will update the appendix as we
    > receive more information. If you do not see your vendor's name, the
    > CERT/CC did not hear from that vendor. Please contact your vendor
    > directly.
    >
    > Restrict access to the Telnet service (typically port 23/tcp) using a
    > firewall or packet-filtering technology.
    >
    > Until a patch can be applied, you may wish to block access to the
    > Telnet service from outside your network perimeter. This will limit
    > your exposure to attacks. However, blocking port 23/tcp at a network
    > perimeter would still allow attackers within the perimeter of your
    > network to exploit the vulnerability. It is important to understand
    > your network's configuration and service requirements before deciding
    > what changes are appropriate.
    >
    > Appendix A. - Vendor Information
    >
    > This appendix contains information provided by vendors for this
    > advisory. When vendors report new information to the CERT/CC, we
    > update this section and note the changes in our revision history. If a
    > particular vendor is not listed below, we have not received their
    > comments.
    >
    > BSDI
    >
    > All current versions of BSD/OS are vulnerable. Patches are available
    > via our web site at http://www.bsdi.com/services/support/patches and
    > via ftp at ftp://ftp.bsdi.com/bsdi/support/patches as soon as testing
    > has been completed.
    >
    > Cisco Systems
    >
    > Cisco IOS does not appear to be vulnerable. Certain non-IOS products
    > are supplied on other operating system platforms which themselves may
    > be vulnerable as described elsewhere in this CERT Advisory. The Cisco
    > PSIRT is continuing to investigate the vulnerability to be certain
    > and, if necessary, will provide updates to the CERT and publish an
    > advisory. Cisco Security Advisories are on-line at
    > http://www.cisco.com/go/psirt/.
    >
    > FreeBSD
    >
    > All released versions of FreeBSD are vulnerable to this problem, which
    > was fixed in FreeBSD 4.3-STABLE and FreeBSD 3.5.1-STABLE on July 23,
    > 2001. An advisory has been released, along with a patch to correct the
    > vulnerability and a binary upgrade package suitable for use on FreeBSD
    > 4.3-RELEASE systems. For more information, see the advisory at the
    > following location:
    >
    > ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc
    >
    > or use an FTP mirror site from the following URL:
    >
    > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html
    >
    > Hewlett-Packard
    >
    > [This issue is] actively under investigation to determine
    > vulnerability ramifications.
    >
    > Sun Microsystems
    >
    > Sun is currently investigating and has confirmed that one can make
    > the in.telnetd daemon dump core, but Sun has not yet determined if this
    > issue is potentially exploitable on Solaris.
    >
    > Appendix B. - References
    >
    > 1. http://www.ietf.org/rfc/rfc0854.txt
    > 2. http://www.team-teso.net/advisories/teso-advisory-011.tar.gz
    > 3. http://www.kb.cert.org/vuls/id/745371
    > 4. ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc
    > _________________________________________________________________
    > _________________________________________________________________
    >
    > The CERT Coordination Center thanks TESO, who published an advisory on
    > this issue. We would also like to thank Jeff Polk for technical
    > assistance.
    > _________________________________________________________________
    >
    > Authors: Jason A. Rafail, Ian A. Finlay, and Shawn V. Hernan.
    > ______________________________________________________________________
    >
    > This document is available from:
    > http://www.cert.org/advisories/CA-2001-21.html
    > ______________________________________________________________________
    >
    > CERT/CC Contact Information
    >
    > Email: cert@cert.org
    > Phone: +1 412-268-7090 (24-hour hotline)
    > Fax: +1 412-268-6989
    > Postal address:
    > CERT Coordination Center
    > Software Engineering Institute
    > Carnegie Mellon University
    > Pittsburgh PA 15213-3890
    > U.S.A.
    >
    > CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
    > Monday through Friday; they are on call for emergencies during other
    > hours, on U.S. holidays, and on weekends.
    >
    > Using encryption
    >
    > We strongly urge you to encrypt sensitive information sent by email.
    > Our public PGP key is available from
    >
    > http://www.cert.org/CERT_PGP.key
    >
    > If you prefer to use DES, please call the CERT hotline for more
    > information.
    >
    > Getting security information
    >
    > CERT publications and other security information are available from
    > our web site
    >
    > http://www.cert.org/
    >
    > To subscribe to the CERT mailing list for advisories and bulletins,
    > send email to majordomo@cert.org. Please include in the body of your
    > message
    >
    > subscribe cert-advisory
    >
    > * "CERT" and "CERT Coordination Center" are registered in the U.S.
    > Patent and Trademark Office.
    > ______________________________________________________________________
    >
    > NO WARRANTY
    > Any material furnished by Carnegie Mellon University and the Software
    > Engineering Institute is furnished on an "as is" basis. Carnegie
    > Mellon University makes no warranties of any kind, either expressed or
    > implied as to any matter including, but not limited to, warranty of
    > fitness for a particular purpose or merchantability, exclusivity or
    > results obtained from use of the material. Carnegie Mellon University
    > does not make any warranty of any kind with respect to freedom from
    > patent, trademark, or copyright infringement.
    > _________________________________________________________________
    >
    > Conditions for use, disclaimers, and sponsorship information
    >
    > Copyright 2001 Carnegie Mellon University.
    >
    > Revision History
    > July 24, 2001: Initial release
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGPfreeware 5.0i for non-commercial use
    > Charset: noconv
    >
    > iQCVAwUBO14kUgYcfu8gsZJZAQHsZAP/V+d+lCvTxW2z4tCWoFTYri/cwuVtKJbg
    > 7tP11jlPMQjYraTLpF2dEwFedikk31PRCBWsTHksfw7tV5ntsz58avZ+4K4NZeJj
    > bEBTegtRHTRgwDQMv6AApz8tNVpAVhk4TBxKYoQENK0t1nwwO/Cluywy7mPWDXZY
    > 6Jb+p+9Ai78=
    > =Eu3D
    > -----END PGP SIGNATURE-----
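The bug class described in section I of the advisory (replies generated while processing Telnet options are appended to a fixed-size buffer with no bounds check), as an added illustration. This is my own code, not telnetd's source and not the TESO exploit: the reply buffer size, the reply strings and the stand-in for the telrcv option loop are all constructed for the example. The real daemon's buffer and exact reply handling are not on the page, so only the shape of the defect is shown. The bounded append is the missing check; the needed counter shows how far an unchecked writer would have run past the buffer when a client floods cheap commands such as AYT (are-you-there), each of which obliges the server to answer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Telnet command bytes from RFC 854. */
#define IAC  255
#define DONT 254
#define DO   253
#define WONT 252
#define WILL 251
#define AYT  246

/* Illustrative fixed-size reply buffer, deliberately tiny so that a short
 * flood of commands exceeds it. This is an assumed size for the example,
 * not the size used by any real telnetd. */
#define OUTBUF_SIZE 64

struct outbuf {
    unsigned char data[OUTBUF_SIZE];
    size_t len;      /* bytes stored */
    size_t dropped;  /* reply bytes refused because they did not fit */
};

/* The bounds check the advisory says the original code lacked:
 * never copy more than the remaining capacity. */
static int outbuf_append(struct outbuf *ob, const unsigned char *p, size_t n)
{
    if (n > OUTBUF_SIZE - ob->len) {
        ob->dropped += n;
        return -1;
    }
    memcpy(ob->data + ob->len, p, n);
    ob->len += n;
    return 0;
}

/* Simplified stand-in for the option-processing loop (hypothetical, not
 * telrcv itself): scan the client stream and, for each command that demands
 * an answer, queue a reply. *needed accumulates the total reply bytes an
 * unchecked writer would have emitted, so the caller can see by how much
 * the fixed buffer would have been overrun. */
static void process_input(const unsigned char *in, size_t n,
                          struct outbuf *ob, size_t *needed)
{
    static const unsigned char ayt_reply[] = "\r\n[Yes]\r\n";  /* 9 bytes */
    size_t i = 0;

    *needed = 0;
    while (i < n) {
        if (in[i] != IAC) { i++; continue; }          /* ordinary data */
        if (i + 1 >= n) break;                        /* truncated IAC */
        unsigned char cmd = in[i + 1];
        if (cmd == AYT) {
            *needed += sizeof ayt_reply - 1;
            outbuf_append(ob, ayt_reply, sizeof ayt_reply - 1);
            i += 2;
        } else if (cmd == DO || cmd == WILL) {
            if (i + 2 >= n) break;                    /* truncated option */
            /* Refuse every option: DO -> WONT, WILL -> DONT. */
            unsigned char reply[3] = { IAC, (cmd == DO) ? WONT : DONT, in[i + 2] };
            *needed += 3;
            outbuf_append(ob, reply, 3);
            i += 3;
        } else if (cmd == DONT || cmd == WONT) {
            i += 3;                                   /* no reply owed */
        } else {
            i += 2;                                   /* other two-byte command */
        }
    }
}

/* Constructed input: `count` back-to-back IAC AYT commands, the cheapest way
 * for a client to make the server's reply buffer grow without bound.
 * Returns 1 if an unchecked writer would have overflowed OUTBUF_SIZE. */
int run_ayt_flood(size_t count, size_t *needed, size_t *stored, size_t *dropped)
{
    unsigned char in[2 * 256];
    struct outbuf ob = { {0}, 0, 0 };
    size_t i;

    if (count > 256) count = 256;
    for (i = 0; i < count; i++) {
        in[2 * i] = IAC;
        in[2 * i + 1] = AYT;
    }
    process_input(in, 2 * count, &ob, needed);
    *stored = ob.len;
    *dropped = ob.dropped;
    return *needed > OUTBUF_SIZE;
}

int main(void)
{
    size_t needed, stored, dropped;
    int overflow = run_ayt_flood(20, &needed, &stored, &dropped);
    printf("20 x IAC AYT: replies need %zu bytes, buffer holds %d; "
           "stored %zu, refused %zu, unchecked write overflows: %s\n",
           needed, OUTBUF_SIZE, stored, dropped, overflow ? "yes" : "no");
    return 0;
}
```

Twenty AYT commands (40 input bytes) produce 180 bytes of replies against a 64-byte buffer; the bounded version stores seven replies and refuses the rest, where an unchecked memcpy would have written 116 bytes past the end. The ratio is the practical lesson: the attacker controls how many replies are generated per input byte, so any fixed output buffer filled without a length check is reachable from the network.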