[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[linux-security] ALERT: remote root exploit in telnet daemon
- To: linux-security
- Subject: [linux-security] ALERT: remote root exploit in telnet daemon
- From: Martin Siegert <siegert@sfu.ca>
- Date: Thu, 9 Aug 2001 12:21:33 -0700
- User-Agent: Mutt/1.2.5i
Topic
=====
remote root exploit in in.telnetd
Problem Description
===================
Linux' telnet daemon versions <= 0.17 is vulnerable to a remote root
exploit. Exploit code has just been published. Immediate action is
strongly advisable (see workaround).
Affected Systems
================
systems that have telnetd installed and enabled in /etc/inetd.conf
or /etc/xinetd.d/telnet.
Affected versions: netkit-telnet-0.x with x <= 17. this package may
also be called telnet-server-0.1x or similar.
Workaround (recommended!)
=========================
Disable telnet and use ssh instead:
If you are using inetd (e.g., RH 6.2) edit /etc/inetd.conf
and comment out the telnet line. Then "kill -HUP <inetd pid>", where
<inetd pid> is the PID (process id) of the inetd process as shown by, e.g.,
the ps command.
If you are using xinetd (e.g., RH 7.x) edit /etc/xinetd.d/telnet and set
disable = yes
After that restart xinetd (e.g., "/etc/rc.d/init.d/xinetd restart").
After disabling telnetd you still can telnet from your box to other
machines. You just cannot telnet into your box anymore.
For security reasons you should use ssh anyway.
Solution
========
I have not seen any new releases for telnetd for any Linux distribution.
However, the authors of the exploit attached a patch for telnetd that fixes
the buffer overflow. Thus if you cannot switch off telnet and wait until
a new telnet package is released for your distribution, you could patch
the telnetd source code using the appended patch and recompile telnetd.
Patch
======<cut here: netkit-telnet-0.17-ayt.patch>============================
--- netkit-telnet-0.17/telnetd/utility.c.ayt Wed Aug 8 16:33:01 2001
+++ netkit-telnet-0.17/telnetd/utility.c Wed Aug 8 17:20:39 2001
@@ -56,18 +56,25 @@
void
netoprintf(const char *fmt, ...)
{
- int len, maxsize;
+ int len = 0, maxsize;
va_list ap;
int done=0;
while (!done) {
maxsize = sizeof(netobuf) - (nfrontp - netobuf);
+ if (maxsize < 0) {
+ /* no way this is gonna fit - try to flush some */
+ netflush();
+ maxsize = sizeof(netobuf) - (nfrontp - netobuf);
+ if (maxsize < 0)
+ break;
+ }
va_start(ap, fmt);
len = vsnprintf(nfrontp, maxsize, fmt, ap);
va_end(ap);
- if (len<0 || len==maxsize) {
+ if (len<=0 || len==maxsize) {
/* didn't fit */
netflush();
}
--- netkit-telnet-0.17/telnetd/telnetd.c.ayt Wed Aug 8 16:33:01 2001
+++ netkit-telnet-0.17/telnetd/telnetd.c Wed Aug 8 17:21:44 2001
@@ -1277,7 +1277,7 @@
return;
}
#endif
- netoprintf("\r\n[%s : yes]\r\n", host_name);
+ netoprintf("\r\n[Yes]\r\n");
}
void doeof(void) {