exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Jul 29, 2001
Authored by teso, scut | Site team-teso.net

TESO Security Advisory #11 - Multiple vendor Telnet Daemon vulnerability. Most current telnet daemons in use today contain a buffer overflow in the telnet option handling. Under certain circumstances it may be possible to exploit it to gain root privileges remotely. Affected systems include BSDI 4.x, FreeBSD, IRIX, Linux with netkit-telnetd < 0.14, NetBSD, OpenBSD 2.x, and Solaris.

tags | overflow, root
systems | linux, netbsd, solaris, freebsd, irix, openbsd
SHA-256 | 4849ac76d26caec6f947c4879fceb873db9d4fbf399d4ebadda0a88587f6c0ba


Change Mirror Download
Hash: SHA1

- ------

TESO Security Advisory

Multiple vendor Telnet Daemon vulnerability


Within most of the current telnet daemons in use today there exist a buffer
overflow in the telnet option handling. Under certain circumstances it may
be possible to exploit it to gain root priviledges remotely.

Systems Affected

System | vulnerable | exploitable *
BSDI 4.x default | yes | yes
FreeBSD [2345].x default | yes | yes
IRIX 6.5 | yes | no
Linux netkit-telnetd < 0.14 | yes | ?
Linux netkit-telnetd >= 0.14 | no |
NetBSD 1.x default | yes | yes
OpenBSD 2.x | yes | ?
OpenBSD current | no |
Solaris 2.x sparc | yes | ?
<almost any other vendor's telnetd> | yes | ?

* = From our analysis and conclusions, which may not be correct or we may
have overseen things. Do not rely on this.

Details about the systems can be found below.


Through sending a specially formed option string to the remote telnet
daemon a remote attacker might be able to overwrite sensitive information
on the static memory pages. If done properly this may result in arbitrary
code getting executed on the remote machine under the priviledges the
telnet daemon runs on, usually root.


Within every BSD derived telnet daemon under UNIX the telnet options are
processed by the 'telrcv' function. This function parses the options
according to the telnet protocol and its internal state. During this
parsing the results which should be send back to the client are stored
within the 'netobuf' buffer. This is done without any bounds checking,
since it is assumed that the reply data is smaller than the buffer size
(which is BUFSIZ bytes, usually).

However, using a combination of options, especially the 'AYT' Are You There
option, it is possible to append data to the buffer, usually nine bytes
long. To trigger this response, two bytes in the input buffer are
necessary. Since this input buffer is BUFSIZ bytes long, you can exceed the
output buffer by as much as (BUFSIZ / 2) * 9) - BUFSIZ bytes. For the
common case that BUFSIZ is defined to be 1024, this results in a buffer
overflow by up to 3584 bytes. On systems where BUFSIZ is defined to be
4096, this is an even greater value (14336).

Due to the limited set of characters an attacker is able to write outside
of the buffer it is difficult - if not impossible on some systems - to
exploit this buffer overflow. Another hurdle for a possible attacker may be
the lack of interesting information to modify after the buffer.

This buffer overflow should be considered serious nevertheless, since
experience has shown that even complicated vulnerabilities can be
exploited by skilled attackers, BIND TSIG and SSH deattack come to mind.

We have constructed a working exploit for any version of BSDI, NetBSD and
FreeBSD. Exploitation on Solaris sparc may be possible but if it is, it is
very difficult involving lots of arcane tricks. OpenBSD is not as easily
exploitable as the other BSD's, because they do compile with other
options by default, changing memory layout.


The vendors have been notified of the problem at the same time as the
general public, vendor patches for your telnet daemon that fix the bug will
show up soon.

Sometimes a fix might not be trivial and require a lot of changes to the
source code, due to the insecure nature the 'nfrontp' pointer is handled.
The best long term solution is to disable the telnet daemon at all, since
there are good and free replacements.


The bug has been discovered by scut.

The tests and further analysis were done by smiler, lorian, zip and scut.

Contact Information

The TESO crew can be reached by mailing to teso@team-teso.net
Our web page is at http://www.team-teso.net/


[1] TESO


This advisory does not claim to be complete or to be usable for any
purpose. Especially information on the vulnerable systems may be inaccurate
or wrong. Possibly supplied exploit code is not to be used for malicious
purposes, but for educational purposes only.

This advisory is free for open distribution in unmodified form.
Articles that are based on information from this advisory should include
link [1].


Not this time. Not here.

- ------

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

Login or Register to add favorites

File Archive:

November 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    1 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    0 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    219 Files
  • 14
    Nov 14th
    19 Files
  • 15
    Nov 15th
    66 Files
  • 16
    Nov 16th
    38 Files
  • 17
    Nov 17th
    9 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    11 Files
  • 22
    Nov 22nd
    56 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    36 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    14 Files
  • 28
    Nov 28th
    30 Files
  • 29
    Nov 29th
    35 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By