S-95-06.APPENDIX.asc

Posted Jan 10, 2000

Subject Kerberos/Telnet Encryption Vulnerability Date 13-Mar-95

SHA-256 | b6d55a3f49f98b6637dc87fea6bad14e861e5c76b87a4b3668dc1335305ef045

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>> CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>> <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the <<
>> complete CERT-CC advisory texts: http://www.cert.org <<
===============================================================================
===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : Teun Nijssen & Don Stikvoort               Index  : S-95-06.APPENDIX
Distribution  : World                                      Page   : 1
Classification: External                                   Version: 1
Subject       : Kerberos/Telnet Encryption Vulnerability   Date   : 13-Mar-95
===============================================================================

Appendix A: Vendor Information

S-95-06.APPENDIX
Issue date: March 3, 1995

This file is a supplement to CERT-NL advisory S-95-06, "Kerberos/Telnet
Encryption Vulnerability" and will be updated as additional information
becomes available.

As of March 3, 1995, information from Digital Equipment Corporation and
Sequent Computer Systems has been added to the original text.

Below is information we have received from vendors who have patches available
or upcoming, along with names of vendors who have reported that their
products do not have the problem.

If you have an encrypting Telnet from a vendor who is not listed, please
contact that vendor for information regarding how to get a fixed version.

Vendor or Source                        Status
----------------                        ------------
Berkeley SW Distribution (BSD)          source-code patch available from
                                        Berkeley; also in Appendix B of
                                        this advisory
Data General Corporation                not affected by the vulnerability
Digital Equipment Corporation           not affected by the vulnerability
FTP Software, Inc.                      patch available
Harris NightHawk System                 not affected by the vulnerability
Hewlett-Packard Company                 not affected by the vulnerability
Nat'l. Center for Supercomputer
  Applications (NCSA)                   upgrade available
Open Software Foundation                not affected by the vulnerability
The Santa Cruz Operation, Inc. (SCO)    not affected by the vulnerability
Sequent Computer Systems                not affected by the vulnerability
Sun Microsystems, Inc.                  not affected by the vulnerability


PATCH INFORMATION
- -------------
Berkeley Software Distribution (BSD)

A source-code patch, along with the domestic version of the most
recently released Telnet sources from Berkeley, are available by
anonymous FTP from

net-dist.mit.edu:/pub/telnet/telnet.patch
MD5 65d56befe3d0f1699d38de5509552578

There is also a PGP ASCII signature file for the patch in

net-dist.mit.edu:/pub/telnet/telnet.patch.sig

This patch can also be found in CERT Advisory CA-95:03a, Appendix B.
(Note: Do not calculate a checksum for Appendix B alone. It will not
match the checksum of the FTP version of the patch because the tabs in
the FTP copy have been replaced with blank spaces in the CA-95:03a
Appendix B copy.)

- -------------
FTP Software, Inc.

Customers of FTP Software with an encrypting telnet (provided in the
PC/TCP or OnNet packages) should call the FTP technical support line
at 1-800-282-4387 and ask for the "tn encrypt patch".

- -------------
National Center for Supercomputer Applications (NCSA)

Users of NCSA Telnet should upgrade to NCSA Telnet 2.6.1d7 AND
install the appropriate Kerberos plug-in. Both are available by
anonymous FTP from ftp.ncsa.uiuc.edu:

Upgrade

/Mac/Telnet/Telnet2.6/prerelease/d7/Telnet2.6.1d7(68K).sit.hqx
MD5 b34b9fda59421b3b83f8df08a83f83b5

/Mac/Telnet/Telnet2.6/prerelease/d7/Telnet2.6.1d7(fat).sit.hqx
MD5 877add7c3d298111889fc3f2f272ce6f

Kerberos plug-ins

/Mac/Telnet/Telnet2.6/prerelease/AuthMan.plugin.1.0b1.hqx
MD5 df727eae184b22125f90ef1a31513fd4

/Mac/Telnet/Telnet2.6/prerelease/Kerberos_Telnet_plugin.sit.hqx
MD5 dbda691efe9038648f234397895c734d

Questions regarding NCSA Telnet should be directed to
mactel@ncsa.uiuc.edu
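
The checksum instructions above (the BSD patch and the NCSA downloads), worked as an added example that is not part of the original advisory: it parses path/MD5 pairs in the layout used here, checks local copies against them, and shows why a copy whose tabs were turned into spaces, as in Appendix B, no longer matches. The sample file, its host name and its hash are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# A path line followed by an "MD5 <32 hex digits>" line, as laid out in this appendix.
ENTRY = re.compile(r"^\s*(\S+)\s*\n\s*MD5\s+([0-9a-fA-F]{32})\s*$", re.MULTILINE)


def parse_listing(text):
    """Return {basename: md5hex} for every path/MD5 pair found in advisory text."""
    return {path.rsplit("/", 1)[-1]: digest.lower()
            for path, digest in ENTRY.findall(text)}


def md5_of(path):
    """Hash the file in chunks so large archives need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(listing, directory):
    """Map each listed file to 'ok', 'MISMATCH' or 'missing'."""
    result = {}
    for name, expected in listing.items():
        f = Path(directory) / name
        if not f.is_file():
            result[name] = "missing"
        else:
            result[name] = "ok" if md5_of(f) == expected else "MISMATCH"
    return result


def demo():
    """Constructed sample: a tab-indented patch line, then its space-expanded copy."""
    original = b"+\tif (!strcasecmp(type, AUTHTYPE_NAME(0))) {\n"
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / "sample.patch"
        target.write_bytes(original)
        # Constructed listing in the advisory's layout; host and hash are not real.
        text = f"host.example:/pub/sample.patch\nMD5 {hashlib.md5(original).hexdigest()}\n"
        listing = parse_listing(text)
        before = verify(listing, d)
        target.write_bytes(original.expandtabs(8))  # tabs replaced by spaces
        after = verify(listing, d)
    return before, after
```
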



.............................................................................

Appendix B: Patch for Vulnerability in Telnet Encryption Option
Omission error corrected March 3, 1995
See S-95-06.APPENDIX for updated information.

Index: auth.c
===================================================================
RCS file: /mit/krb5/.cvsroot/src/appl/telnet/libtelnet/auth.c,v
retrieving revision 5.5
retrieving revision 5.7
diff -u -r5.5 -r5.7
- --- auth.c 1994/08/18 21:06:45 5.5
+++ auth.c 1994/11/08 04:39:02 5.7
@@ -244,7 +244,7 @@
{
register int x;

- - if (strcasecmp(type, AUTHTYPE_NAME(0))) {
+ if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
*maskp = -1;
return(1);
}
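
Review bot: The corrected test `if (!strcasecmp(type, AUTHTYPE_NAME(0)))` still depends on the reader remembering that strcasecmp returns 0 on a match, which is the slip the removed line made. Writing it as `strcasecmp(type, AUTHTYPE_NAME(0)) == 0` would make the intent explicit, and a short comment that a match on AUTHTYPE_NAME(0) sets every bit of the mask (`*maskp = -1`) would document why this branch returns early.
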
@@ -260,14 +260,14 @@

int
auth_enable(type)
- - int type;
+ char * type;
{
return(auth_onoff(type, 1));
}

int
auth_disable(type)
- - int type;
+ char * type;
{
return(auth_onoff(type, 0));
}
@@ -277,15 +277,20 @@
char *type;
int on;
{
- - int mask = -1;
+ int i, mask = -1;
Authenticator *ap;

if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
printf("auth %s 'type'\n", on ? "enable" : "disable");
printf("Where 'type' is one of:\n");
printf("\t%s\n", AUTHTYPE_NAME(0));
- - for (ap = authenticators; ap->type; ap++)
+ mask = 0;
+ for (ap = authenticators; ap->type; ap++) {
+ if ((mask & (i = typemask(ap->type))) != 0)
+ continue;
+ mask |= i;
printf("\t%s\n", AUTHTYPE_NAME(ap->type));
+ }
return(0);
}

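Review bot: In the help branch, `mask = 0;` repurposes the variable that is later applied to i_wont_support as a set of already-printed types. It is harmless here because the branch ends in `return(0);`, but a separate local (for example a hypothetical `seen`) would keep the two meanings apart, and the assignment buried in `if ((mask & (i = typemask(ap->type))) != 0)` would read more easily on its own line.
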
@@ -293,7 +298,6 @@
printf("%s: invalid authentication type\n", type);
return(0);
}
- - mask = getauthmask(type, &mask);
if (on)
i_wont_support &= ~mask;
else
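
Review bot: After `mask = getauthmask(type, &mask);` is dropped, nothing in this hunk says where `mask` gets its value before `i_wont_support &= ~mask;`. The removed line overwrote the mask with the function's return value, which the first auth.c hunk shows is a status (`return(1)`) while the mask itself is written through the pointer; a one-line comment stating where `mask` is filled in would keep a later editor from reintroducing the assignment.
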
@@ -317,16 +321,22 @@
auth_status()
{
Authenticator *ap;
+ int i, mask;

if (i_wont_support == -1)
printf("Authentication disabled\n");
else
printf("Authentication enabled\n");

- - for (ap = authenticators; ap->type; ap++)
+ mask = 0;
+ for (ap = authenticators; ap->type; ap++) {
+ if ((mask & (i = typemask(ap->type))) != 0)
+ continue;
+ mask |= i;
printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
(i_wont_support & typemask(ap->type)) ?
"disabled" : "enabled");
+ }
return(1);
}

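Review bot: Inside the new loop in auth_status, typemask(ap->type) is evaluated twice per entry, once into `i` for the duplicate check and again in `(i_wont_support & typemask(ap->type))`. Reusing `i` in the status test would avoid the second call; the same skip-duplicates loop also appears in the help branch of auth_onoff, so one shared helper would keep the two listings consistent.
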
Index: kerberos.c
===================================================================
RCS file: /mit/krb5/.cvsroot/src/appl/telnet/libtelnet/kerberos.c,v
retrieving revision 5.5
retrieving revision 5.8
diff -u -r5.5 -r5.8
- --- kerberos.c 1994/08/18 21:07:02 5.5
+++ kerberos.c 1994/11/14 21:33:58 5.8
@@ -225,9 +225,10 @@
register int i;

des_key_sched(cred.session, sched);
- - des_set_random_generator_seed(cred.session);
- - des_new_random_key(challenge);
- - des_ecb_encrypt(challenge, session_key, sched, 1);
+ des_init_random_number_generator(cred.session);
+ des_new_random_key(session_key);
+ des_ecb_encrypt(session_key, session_key, sched, 0);
+ des_ecb_encrypt(session_key, challenge, sched, 0);
/*
* Increment the challenge by 1, and encrypt it for
* later comparison.
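
Review bot: The four replacement calls after `des_key_sched(cred.session, sched);` carry no comment explaining the new derivation. It is not obvious from the code why session_key is passed through des_ecb_encrypt in place with a final argument of 0 and then passed through it again to produce challenge, where the removed code generated challenge directly and used 1; a short comment stating the intended relationship between session_key and challenge, and what the 0 selects, would let a reader check this against the code that handles the returned value.
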
@@ -320,6 +321,11 @@
break;
}

+ /*
+ * Initialize the random number generator since it's
+ * used later on by the encryption routine.
+ */
+ des_init_random_number_generator(session_key);
des_key_sched(session_key, sched);
memcpy((void *)datablock, (void *)data, sizeof(Block));
/*
@@ -337,7 +343,7 @@
* increment by one, re-encrypt it and send it back.
*/
des_ecb_encrypt(datablock, challenge, sched, 0);
- - for (r = 7; r >= 0; r++) {
+ for (r = 7; r >= 0; r--) {
register int t;
t = (unsigned int)challenge[r] + 1;
challenge[r] = t; /* ignore overflow */
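
Review bot: With the loop now counting down (`r--`), the exit test `r >= 0` depends on `r` being a signed type, and its declaration is outside this hunk. If `r` were unsigned the condition could never become false, so the declaration is worth confirming. The increment-by-one step is also described in the comment of the first kerberos.c hunk ("Increment the challenge by 1"), and moving it into one helper used in both places would stop the two copies from diverging.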

Index: commands.c
===================================================================
RCS file: /mit/krb5/.cvsroot/src/appl/telnet/telnet/commands.c,v
retrieving revision 5.14
retrieving revision 5.16
diff -u -r5.14 -r5.16
- --- commands.c 1994/08/18 21:07:37 5.14
+++ commands.c 1994/11/08 06:42:49 5.16
@@ -1919,8 +1919,8 @@
};

extern int
- - auth_enable P((int)),
- - auth_disable P((int)),
+ auth_enable P((char *)),
+ auth_disable P((char *)),
auth_status P((void));
static int
auth_help P((void));
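
Review bot: The `auth_enable P((char *))` and `auth_disable P((char *))` declarations are maintained by hand in this file rather than taken from a header shared with auth.c. The lines being replaced declared both as taking `int` while the definitions receive a string name, and nothing forced the two files to agree; declaring these functions once in a common header included by both files would let the compiler catch the next mismatch.
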
@@ -1959,6 +1959,12 @@
{
struct authlist *c;

+ if (argc < 2) {
+ fprintf(stderr,
+ "Need an argument to 'auth' command. 'auth ?' for help.\n");
+ return 0;
+ }
+
c = (struct authlist *)
genget(argv[1], (char **) AuthList, sizeof(struct authlist));
if (c == 0) {
@@ -2015,7 +2021,7 @@
EncryptEnable, 1, 1, 2 },
{ "disable", "Disable encryption. ('encrypt enable ?' for more)",
EncryptDisable, 0, 1, 2 },
- - { "type", "Set encryptiong type. ('encrypt type ?' for more)",
+ { "type", "Set encryption type. ('encrypt type ?' for more)",
EncryptType, 0, 1, 1 },
{ "start", "Start encryption. ('encrypt start ?' for more)",
EncryptStart, 1, 0, 1 },
@@ -2058,6 +2064,12 @@
char *argv[];
{
struct encryptlist *c;
+
+ if (argc < 2) {
+ fprintf(stderr,
+ "Need an argument to 'encrypt' command. 'encrypt ?' for help.\n");
+ return 0;
+ }

c = (struct encryptlist *)
genget(argv[1], (char **) EncryptList, sizeof(struct encryptlis
t));
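
Review bot: The last context line of this hunk is split in two in this copy (`sizeof(struct encryptlis` followed by `t));`), so the hunk will not match the source and will be rejected unless the line is rejoined first. Removed lines and the `---` file headers throughout the patch also carry an extra leading `- ` from the signed-message wrapping, which has to be stripped before the patch is applied. On the change itself, the `argc < 2` guard mirrors the one added to the auth command, and the two error strings could come from one helper so the wording stays in step.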

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS
Phone: +31 302 305 305 BUSINESS HOURS ONLY
Fax: +31 302 305 329 BUSINESS HOURS ONLY
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands

NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6IDzSYjBqwfc9jEQKK0wCg17OsMMOPRQEHqV13s+VuUqzRF2AAn19f
knPD4iduvoF2OBZKwE/iv50O
=uZRc
-----END PGP SIGNATURE-----