-----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 2001-012
                 =================================

Topic:    telnetd(8) options overflow

Version:  All NetBSD releases prior to 2001-07-19

Severity:  remote root from any host which can connect to telnetd(8)

Fixed:    NetBSD-current:    2001-07-19
    NetBSD-1.5 branch:  2001-07-29
    NetBSD-1.4 branch:  Supplied patch (see below).

    A patch is provided for all releases that will fix
    the problem.  Pullups to other branches are
    anticipated, see 'More Information' below for how to
    track this progress.

Abstract
========

A buffer overflow existed in the telnetd(8) program. Any client
connecting could cause the telnetd instance to SEGV, and possibly
to execute arbitrary code as root.


Technical Details
=================

Technical details of the vulnerabilities are publicised in
CERT Advisory CA-2001-21:
  http://www.cert.org/advisories/CA-2001-21.html

A strong indication of attempted exploitation of this bug may be found
by examining log entries sent to the syslogd(8) system logger facility
DAEMON (which is stored in /var/log/messages by default) of the form:
  telnetd \[[0-9]*\]: ttloop: peer died: No such file or directory


Solutions and Workarounds
=========================

telnetd(8) has been shipped disabled since June 2000, including the
NetBSD 1.5 and 1.5.1 releases, and -current after that date.

If you are running an earlier release, or have re-enabled telnetd(8)
in 1.5.x, disable it now by commenting out the line beginning with
telnetd(8) in /etc/inetd.conf, and kill -HUP your inetd process.

As a reminder, unless you are running on a private network, telnet
exposes your passwords to the Internet. Even on a private network,
passwords may be exposed to inappropriate individuals. Use a strong,
secure protocol, such as Secure Shell instead.

The following instructions describe how to upgrade your telnetd(8)
by updating your source tree and rebuilding and installing a new
version of telnetd(8).

* NetBSD -current, 1.5, 1.5.1:

  Systems running NetBSD-current dated from before 2001-07-19
  should be upgraded to NetBSD-current dated 2001-07-20 or later.

  Systems running NetBSD 1.5 or 1.5.1 dated from before
  2001-07-29 should be upgraded to NetBSD 1.5.x sources dated
  2001-07-30 or later.

  The following directory needs to be updated from the
  netbsd-current CVS branch (aka HEAD) for NetBSD-current,
  or netbsd-1-5 CVS branch for NetBSD 1.5 or 1.5.1:
    src/libexec/telnetd

  To update from CVS, re-build, and re-install telnetd(8):
    # cd src/libexec/telnetd
    # cvs update -d -P
    # make cleandir dependall install


  Alternatively, apply the following patch (with potential offset
  differences) and rebuild & re-install telnetd(8):
    ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-012-telnetd.patch

  To patch, re-build and re-install telnetd(8):
    # cd src/libexec/telnetd
    # patch < /path/to/SA2001-012-telnetd.patch
    # make cleandir dependall install


* NetBSD 1.3, 1.3.x, 1.4, 1.4.x:

  Systems running NetBSD releases up to and including 1.5.1 should
  apply the following patch (with potential offset differences):
    ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-012-telnetd.patch

  To patch, re-build and re-install telnetd(8):
    # cd src/libexec/telnetd
    # patch < /path/to/SA2001-012-telnetd.patch
    # make cleandir dependall install


  The anonymous CVS branch netbsd-1-4 should be updated with a
  fix in the near future.


Thanks To
=========

TESO for the advisory.

Jason Thorpe <thorpej@netbsd.org> for analysis.

Krister Walfridsson <kristerw@netbsd.org> for testing.

Jun-ichiro Hagino <itojun@netbsd.org> for a fix in NetBSD-current
from the Heimdal telnetd sources, by way of OpenBSD.

David Maxwell <david@netbsd.org> for the fix for previous releases.


Revision History
================

  2001-07-25  Initial revision.

  2001-07-25  Info on how to detect exploit attempts.

  2001-08-08  Update for netbsd-1-5 pullup.


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-012.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2001, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2001-012.txt,v 1.13 2001/08/08 01:22:37 lukem Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO3s4kD5Ru2/4N2IFAQFa2QP+PmmIoD/0tCgJaesTJCeydCQQovak4grx
aWcvY1Kqauv5gueSJ4w+vMUOK2BOsK/Ny0ViIZtfgExELFn1585UPhAbSbYeFA5j
g5i4jYrFNYWYvJwgRhHWtg81nsW/7urLu0SUnurdSAa5TpdifKJNZmAtqlpfE+ke
TxXOmk838ho=
=Mr89
-----END PGP SIGNATURE-----