
[cobalt-users] CERT Advisory CA-2001-21 Buffer Overflow in telnetd



Anyone know if Qube 2 is vulnerable, or any other Cobalt, since Sun is
mentioned as a vendor that may be exploitable?


-------------------------------------------------------------------------
Systems Affected

   Systems running versions of telnetd derived from BSD source.

Overview

   The telnetd program is a server for the Telnet remote virtual terminal
   protocol. There is a remotely exploitable buffer overflow in Telnet
   daemons derived from BSD source code. This vulnerability can crash the
   server, or be leveraged to gain root access.

I. Description

   There is a remotely exploitable buffer overflow in Telnet daemons
   derived from BSD source code. During the processing of the Telnet
   protocol options, the results of the "telrcv" function are stored in a
   fixed-size buffer. It is assumed that the results are smaller than the
   buffer and no bounds checking is performed.

   The vulnerability was discovered by TESO. An exploit for this
   vulnerability has been publicly released; internal testing at CERT/CC
   confirms this exploit works against at least one target system. For
   more information, see

          http://www.team-teso.net/advisories/teso-advisory-011.tar.gz

II. Impact

   An intruder can execute arbitrary code with the privileges of the
   telnetd process, typically root.

III. Solution

Apply a patch

   Appendix A contains information from vendors who have provided
   information for this advisory. We will update the appendix as we
   receive more information. If you do not see your vendor's name, the
   CERT/CC did not hear from that vendor. Please contact your vendor
   directly.

Restrict access to the Telnet service (typically port 23/tcp) using a
firewall or packet-filtering technology.

   Until a patch can be applied, you may wish to block access to the
   Telnet service from outside your network perimeter. This will limit
   your exposure to attacks. However, blocking port 23/tcp at a network
   perimeter would still allow attackers within the perimeter of your
   network to exploit the vulnerability. It is important to understand
   your network's configuration and service requirements before deciding
   what changes are appropriate.

Sun Microsystems

   Sun is currently investigating and has confirmed that one can make
   the in.telnetd daemon dump core but Sun has not yet determined if this
   issue is potentially exploitable on Solaris.
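
Added example, not part of the original post or the advisory, and not telnetd source: a simplified C model of the Description section, showing option replies written into a fixed-size buffer with the bounds check in place. The names outbuf, out_put and process_options and the 16-byte buffer size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Telnet command bytes (RFC 854). */
enum { WILL = 251, WONT = 252, DO = 253, DONT = 254, IAC = 255 };
#define OUT_SIZE 16   /* constructed: small so the limit is easy to reach */
struct outbuf { unsigned char data[OUT_SIZE]; size_t used; };
/* Append a reply only if it fits. The advisory describes this check as
 * missing: results were stored on the assumption that they always fit. */
static int out_put(struct outbuf *ob, const unsigned char *p, size_t n)
{
    if (n > sizeof ob->data - ob->used)
        return -1;
    memcpy(ob->data + ob->used, p, n);
    ob->used += n;
    return 0;
}

/* Hypothetical stand-in for option processing: refuse every option offered
 * (DO -> WONT, WILL -> DONT). Subnegotiation is not modelled. Returns bytes
 * consumed; stops when the output buffer is full so the caller can flush. */
size_t process_options(const unsigned char *in, size_t len, struct outbuf *ob)
{
    size_t i = 0;
    while (i < len) {
        if (in[i] != IAC) { i++; continue; }          /* plain data byte */
        if (len - i < 2) break;                       /* need the command byte */
        unsigned char cmd = in[i + 1];
        if (cmd < WILL || cmd == IAC) { i += 2; continue; } /* two-byte command */
        if (len - i < 3) break;                       /* need the option byte */
        if (cmd == DO || cmd == WILL) {
            unsigned char reply[3] = { IAC, cmd == DO ? WONT : DONT, in[i + 2] };
            if (out_put(ob, reply, sizeof reply) != 0)
                break;                                /* full: leave request unread */
        }
        i += 3;
    }
    return i;
}

int main(void)
{
    unsigned char in[18];                             /* constructed: six DO requests */
    for (int k = 0; k < 6; k++) { in[3*k] = IAC; in[3*k+1] = DO; in[3*k+2] = (unsigned char)(k + 1); }
    struct outbuf ob = { {0}, 0 };
    size_t n = process_options(in, sizeof in, &ob);
    printf("consumed %zu of %zu bytes, %zu reply bytes queued\n", n, sizeof in, ob.used);
    return 0;
}
```

With six requests and room for only five replies, the function stops before the sixth request and leaves it unread, so the caller can flush the buffer and resume.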