what you don't know can hurt you

FreeBSD Security Advisory - telnetd Code Execution

FreeBSD Security Advisory - telnetd Code Execution
Posted Dec 27, 2011
Site security.freebsd.org

FreeBSD Security Advisory - When an encryption key is supplied via the TELNET protocol, its length is not validated before the key is copied into a fixed-size buffer. An attacker who can connect to the telnetd daemon can execute arbitrary code with the privileges of the daemon (which is usually the "root" superuser).

tags | advisory, arbitrary, root, protocol
systems | freebsd
advisories | CVE-2011-4862
MD5 | 3f3e697e2ae19d73a5dbaaa61c9f7128

FreeBSD Security Advisory - telnetd Code Execution

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:08.telnetd Security Advisory
The FreeBSD Project

Topic: telnetd code execution vulnerability

Category: core
Module: contrib
Announced: 2011-12-23
Affects: All supported versions of FreeBSD.
Corrected: 2011-12-23 15:00:37 UTC (RELENG_7, 7.4-STABLE)
2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
2011-12-23 15:00:37 UTC (RELENG_8, 8.2-STABLE)
2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
2011-12-23 15:00:37 UTC (RELENG_9, 9.0-STABLE)
2011-12-23 15:00:37 UTC (RELENG_9_0, 9.0-RELEASE)
CVE Name: CVE-2011-4862

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The FreeBSD telnet daemon, telnetd(8), implements the server side of the
TELNET virtual terminal protocol. It has been disabled by default in
FreeBSD since August 2001, and due to the lack of cryptographic security
in the TELNET protocol, it is strongly recommended that the SSH protocol
be used instead. The FreeBSD telnet daemon can be enabled via the
/etc/inetd.conf configuration file and the inetd(8) daemon.

The TELNET protocol has a mechanism for encryption of the data stream
(but it is not cryptographically strong and should not be relied upon
in any security-critical applications).

II. Problem Description

When an encryption key is supplied via the TELNET protocol, its length
is not validated before the key is copied into a fixed-size buffer.

III. Impact

An attacker who can connect to the telnetd daemon can execute arbitrary
code with the privileges of the daemon (which is usually the "root"
superuser).

IV. Workaround

No workaround is available, but systems not running the telnet daemon
are not vulnerable.

Note that the telnet daemon is usually run via inetd, and consequently
will not show up in a process listing unless a connection is currently
active; to determine if it is enabled, run

$ ps ax | grep telnetd | grep -v grep
$ grep telnetd /etc/inetd.conf | grep -vE '^#'

If any output is produced, your system may be vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2, and 8.1 systems.

a) Download the patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch
# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libtelnet
# make obj && make depend && make && make install
# cd /usr/src/libexec/telnetd
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_7
src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.2.24.1
src/contrib/telnet/libtelnet/encrypt.c 1.9.24.1
RELENG_7_4
src/UPDATING 1.507.2.36.2.7
src/sys/conf/newvers.sh 1.72.2.18.2.10
src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.2.38.1
src/contrib/telnet/libtelnet/encrypt.c 1.9.40.2
RELENG_7_3
src/UPDATING 1.507.2.34.2.11
src/sys/conf/newvers.sh 1.72.2.16.2.13
src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.2.36.1
src/contrib/telnet/libtelnet/encrypt.c 1.9.38.2
RELENG_8
src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.3.2.1
src/contrib/telnet/libtelnet/encrypt.c 1.9.36.2
RELENG_8_2
src/UPDATING 1.632.2.19.2.7
src/sys/conf/newvers.sh 1.83.2.12.2.10
src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.3.8.1
src/contrib/telnet/libtelnet/encrypt.c 1.9.36.1.6.2
RELENG_8_1
src/UPDATING 1.632.2.14.2.10
src/sys/conf/newvers.sh 1.83.2.10.2.11
src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.3.6.1
src/contrib/telnet/libtelnet/encrypt.c 1.9.36.1.4.2
RELENG_9
src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.3.10.1
src/contrib/telnet/libtelnet/encrypt.c 1.9.42.2
RELENG_9_0
src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.3.12.1
src/contrib/telnet/libtelnet/encrypt.c 1.9.42.1.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/7/ r228843
releng/7.4/ r228843
releng/7.3/ r228843
stable/8/ r228843
releng/8.2/ r228843
releng/8.1/ r228843
stable/9/ r228843
releng/9.0/ r228843
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70nOoACgkQFdaIBMps37IYcwCfXn5aQTfQDe/AnS31JBg+BB1m
HJMAmgOE5pUKTlFqLw5UBouMNFfUmu2u
=dcyj
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    28 Files
  • 2
    Nov 2nd
    1 Files
  • 3
    Nov 3rd
    1 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    19 Files
  • 6
    Nov 6th
    65 Files
  • 7
    Nov 7th
    22 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    1 Files
  • 10
    Nov 10th
    1 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close