telnetd vulnerabilities
Created 7/26/01
CVE-2001-0554
Impact
Malicious users exploiting these vulnerabilities are able to gain
unauthorized access or disrupt service on a target system.
Background
The telnet
protocol allows for virtual terminals on remote hosts. The
telnetd program is the server for this
protocol. It usually listens on TCP port 23 for incoming
connections. Upon beginning a new session, the telnetd
program and the telnet client program negotiate a set
of protocol options for the session. This exchange
happens transparently and is not seen by the user.
The Problem
The protocol options sent by the client are processed
by telnetd in a function called telrcv.
The response to be sent by the server is placed in a fixed-length
output buffer, which is the same length as the input buffer.
Normally, this is not a problem, because the response to
most of the protocol options is the same length as the
input, and the input length is checked. However, the
AYT (Are You There)
option, which is simply a check that the server is alive,
causes a response which is four and a half times as long
as the input. Therefore, by sending AYT many
times, an attacker could create output which is much longer
than the input, thus creating a buffer overflow.
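The length accounting described above, modelled in C as an added example (this is not telnetd's own telrcv code and not an exploit): the flawed input-only length check beside a writer that checks the output buffer. The IAC and AYT byte values and the "\r\n[Yes]\r\n" reply are the real protocol values; SAMPLE_FLOOD and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Telnet command bytes from RFC 854. */
#define IAC 255   /* "Interpret As Command" escape */
#define AYT 246   /* Are You There */
/* Reply BSD telnetd sends for AYT: 9 bytes for a 2-byte request, the 4.5x ratio above. */
static const char AYT_REPLY[] = "\r\n[Yes]\r\n";
#define AYT_REPLY_LEN (sizeof(AYT_REPLY) - 1)
/* Constructed sample: four AYT requests back to back (8 bytes). */
static const unsigned char SAMPLE_FLOOD[8] = { IAC, AYT, IAC, AYT, IAC, AYT, IAC, AYT };

/* Total reply bytes a command stream generates from AYT alone. Every IAC
 * consumes the following command byte (so IAC IAC data does not count). */
size_t ayt_reply_bytes(const unsigned char *in, size_t inlen)
{
    size_t total = 0;
    for (size_t i = 0; i + 1 < inlen; i++) {
        if (in[i] != IAC) continue;
        if (in[i + 1] == AYT) total += AYT_REPLY_LEN;
        i++;                      /* skip the command byte */
    }
    return total;
}

/* Model of the flawed accounting: input length is checked against the buffer
 * size, but the same-sized output buffer is filled without its own check.
 * Returns 1 when input passes the input check yet its replies exceed the buffer. */
int unchecked_output_overflows(const unsigned char *in, size_t inlen, size_t bufsize)
{
    return inlen <= bufsize && ayt_reply_bytes(in, inlen) > bufsize;
}

/* Hardened writer: a reply is appended only if it fits in the remaining space;
 * replies that do not fit are counted in *dropped. Returns bytes placed in out. */
size_t write_ayt_replies(const unsigned char *in, size_t inlen,
                         char *out, size_t outsize, size_t *dropped)
{
    size_t used = 0;
    *dropped = 0;
    for (size_t i = 0; i + 1 < inlen; i++) {
        if (in[i] != IAC) continue;
        i++;                      /* command byte; i < inlen is guaranteed */
        if (in[i] != AYT) continue;
        if (used + AYT_REPLY_LEN > outsize) { (*dropped)++; continue; }
        memcpy(out + used, AYT_REPLY, AYT_REPLY_LEN);
        used += AYT_REPLY_LEN;
    }
    return used;
}
```

With an 8-byte buffer, SAMPLE_FLOOD passes the input check but needs 36 bytes of output; the bounded writer places only the replies that fit and reports the rest as dropped.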
Systems running implementations of telnetd
derived from BSD source, which includes most Unix varieties,
are affected by this buffer overflow. The impact varies depending on the
platform. On some systems, it could be exploited to execute arbitrary commands
with root privileges. On other systems, the memory layout
makes exploitation very difficult. Even on systems without
a known exploit, this vulnerability should be considered serious,
because an exploit could be discovered at any time.
Resolution
See CERT Advisory 2001-21
for information on obtaining patches for your particular
operating system. See CIAC
Bulletin L-128 if you are running the Kerberos version of
telnetd. AIX users should see CIAC Bulletin
L-131. IRIX users may refer to
SGI Security Advisory 20010801-01-P.
HP-UX users should see CIAC Bulletin
M-006.
Linux users should refer to the appropriate vendor
advisory for patch information:
RedHat krb5 (Kerberos-telnetd),
RedHat telnetd,
Caldera Linux telnetd,
Debian telnetd,
Debian telnetd-ssl, or
Mandrake telnetd.
If a patch is not yet available, then
TCP port 23 should be blocked at the network perimeter until
a patch can be applied.
Where can I read more about this?
This vulnerability was reported in CIAC
Bulletin L-124 and CERT Advisory 2001-21.