xtell vulnerabilities

Created 3/6/02
CAN-2002-0332
CAN-2002-0333

Impact

A remote attacker could execute arbitrary commands on the server.

Background

xtell is a simple application that network users can use to exchange messages with one another. The xtell daemon, xtelld, listens for incoming messages from xtell clients and writes each one to the recipient's terminal. An xtell client reads the message and the recipient's address from the command line and sends them, together with the sender's address and the name of the recipient's terminal device (TTY), to the daemon on the recipient's host.

The Problem

There are several vulnerabilities affecting xtelld versions prior to 2.7.


Multiple buffer overflows

CAN-2002-0332
Buffer overflows in the code that processes reverse host name lookups, data returned by the auth (ident) service, and output data could allow a remote attacker to execute arbitrary commands. To exploit the first two, an attacker would need control of a DNS server (so that the reverse lookup of the attacker's address returns crafted data) or a fake ident server under their control; such control is helpful, but not strictly required, for the third.
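The pattern behind the first two overflows, as an added example that is not xtell's code: a fixed-size buffer receives a host name or ident reply whose length the daemon never checks, next to a bounded version that refuses oversized data. The buffer size HOSTBUF, the function names and the sample names are constructed for this demo; the name a real daemon would copy comes from gethostbyaddr() or an ident reply, and an attacker who runs reverse DNS for their own address or a fake ident server chooses its length.

```c
/* Added example, not xtell's code: the unbounded-copy pattern behind a
 * reverse-DNS or ident buffer overflow, beside a bounded version.
 * HOSTBUF and the sample names are constructed for this demo. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define HOSTBUF 64   /* hypothetical fixed-size buffer in the daemon */

/* Vulnerable pattern: the name comes from gethostbyaddr() (the attacker
 * controls it via reverse DNS for their own address) or from an ident
 * reply, but its length is never checked against dst. */
void record_peer_unsafe(char dst[HOSTBUF], const char *resolved_name)
{
    strcpy(dst, resolved_name);     /* writes past dst when name >= HOSTBUF */
}

/* Hardened: measure with a bound, refuse what does not fit, and make the
 * caller handle the refusal rather than truncating silently. */
int record_peer_safe(char dst[HOSTBUF], const char *resolved_name)
{
    size_t n = strnlen(resolved_name, HOSTBUF);
    if (n >= HOSTBUF) {
        dst[0] = '\0';
        return -1;                  /* caller should drop the connection */
    }
    memcpy(dst, resolved_name, n + 1);
    return 0;
}

/* Constructed inputs: a plausible PTR name, and an overlong name a
 * hostile reverse-DNS or ident server could return. */
static const char SHORT_NAME[] = "host-12.example.net";

int short_name_accepted(void)
{
    char buf[HOSTBUF];
    return record_peer_safe(buf, SHORT_NAME) == 0 && strcmp(buf, SHORT_NAME) == 0;
}

int long_name_rejected(void)
{
    char big[HOSTBUF * 3];
    char buf[HOSTBUF];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return record_peer_safe(buf, big) == -1 && buf[0] == '\0';
}

int main(void)
{
    char buf[HOSTBUF];
    record_peer_unsafe(buf, SHORT_NAME);   /* safe here only because the name is short */
    printf("unsafe copy of short name: %s\n", buf);
    printf("short name accepted: %d\n", short_name_accepted());
    printf("long name rejected:  %d\n", long_name_rejected());
    return 0;
}
```

The point of the bounded version is that the check happens before any byte is written and the result is a refusal the caller can act on; applying the same discipline to the ident reply and to the formatted output line closes the other two overflows the advisory describes.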


Unchecked TTY field

xtelld does not verify that the TTY named by the client is the terminal on which the recipient is actually logged in. By manipulating the TTY field, an attacker can make xtelld write to arbitrary devices in the /dev directory.

CAN-2002-0333
Furthermore, by placing a directory traversal sequence (../) in the TTY field, the attacker could create files outside the /dev directory. Because the TTY field is limited to eight characters, however, the scope for remote exploitation is limited.
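How the unchecked TTY field escapes /dev, and one way to confine it, as an added example that is not xtell's code: the first builder concatenates the client's field onto /dev/ exactly as the advisory describes, so the eight-character value "../tmp/x" names /tmp/x; the second accepts only relative names made of alphanumeric path components, which keeps "tty1" and "pts/3" while rejecting "..", leading slashes and overlong fields. TTY_FIELD_LEN mirrors the eight-character limit the advisory mentions; the function names and sample values are constructed for this demo.

```c
/* Added example, not xtell's code: how an unchecked TTY field escapes
 * /dev, beside a component-wise check that confines it. TTY_FIELD_LEN
 * mirrors the eight-character field the advisory mentions; the names
 * and paths below are constructed for this demo. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TTY_FIELD_LEN 8
#define DEV_DIR "/dev/"

/* As described in the advisory: the client's TTY field is appended to
 * /dev/ and used as-is, so "../tmp/x" (exactly eight characters)
 * resolves to /tmp/x. */
int build_tty_path_unchecked(char *out, size_t outsz, const char *tty)
{
    int n = snprintf(out, outsz, DEV_DIR "%s", tty);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Hardened: the name must be relative, at most TTY_FIELD_LEN long, and
 * every component must be a non-empty run of letters and digits. That
 * rejects ".", "..", leading or doubled slashes and a trailing slash,
 * while still allowing "tty1" and "pts/3". */
int tty_name_ok(const char *tty)
{
    if (tty == NULL || *tty == '\0' || *tty == '/') return 0;
    if (strlen(tty) > TTY_FIELD_LEN) return 0;
    for (const char *p = tty; *p; ) {
        size_t len = strcspn(p, "/");
        if (len == 0) return 0;                          /* empty component */
        for (size_t i = 0; i < len; i++)
            if (!isalnum((unsigned char)p[i])) return 0; /* covers "." and ".." */
        p += len;
        if (*p == '/') {
            p++;
            if (*p == '\0') return 0;                    /* trailing slash */
        }
    }
    return 1;
}

int build_tty_path_checked(char *out, size_t outsz, const char *tty)
{
    if (!tty_name_ok(tty)) return -1;
    return build_tty_path_unchecked(out, outsz, tty);
}

/* Helpers returning 1 when the builder succeeds and yields exactly expect. */
int unchecked_path_is(const char *tty, const char *expect)
{
    char path[64];
    return build_tty_path_unchecked(path, sizeof path, tty) == 0 && strcmp(path, expect) == 0;
}

int checked_path_is(const char *tty, const char *expect)
{
    char path[64];
    return build_tty_path_checked(path, sizeof path, tty) == 0 && strcmp(path, expect) == 0;
}

int main(void)
{
    /* Constructed client-supplied TTY fields, benign and hostile. */
    const char *samples[] = { "tty1", "pts/3", "../tmp/x", "/etc/pw", "pts/../x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char path[64];
        build_tty_path_unchecked(path, sizeof path, samples[i]);
        printf("%-10s -> %-16s %s\n", samples[i], path,
               tty_name_ok(samples[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

The syntactic check closes the traversal, but it does not by itself address the first half of the problem: a daemon that writes to terminals should also confirm that the name matches the recipient's current login record (the ut_line field of their utmp entry) and, after opening, that the descriptor refers to a character device owned by the recipient. Both need live system state and are not shown here.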


User status information gathering

xtelld returns different response codes depending on whether the intended recipient is currently logged in. This reveals information that would otherwise be unavailable on a host where the finger and rusers services have been disabled, and that could help an attacker plan an attack.

Resolutions

Upgrade to xtell 2.7 or higher.

Where can I read more about this?

For more information, see the posting to Bugtraq.