Subject: telnetd exploit?
To: None <>
From: Matt London <>
List: tech-security
Date: 07/19/2001 19:35:26

  I came across this at today, and I don't see
any posts about it in the archive so far...

    Within most of the current telnet daemons in use today there exist a buffer
    overflow in the telnet option handling. Under certain circumstances it may
    be possible to exploit it to gain root priviledges remotely.
Systems Affected

System                                  | vulnerable   | exploitable *
BSDI 4.x default                        |      yes     |       yes
FreeBSD [2345].x default                |      yes     |       yes
IRIX 6.5                                |      yes     |        no
Linux netkit-telnetd < 0.14             |      yes     |        ?
Linux netkit-telnetd >= 0.14            |       no     |
NetBSD 1.x default                      |      yes     |       yes
OpenBSD 2.x                             |      yes     |        ?
OpenBSD current                         |       no     |
Solaris 2.x sparc                       |      yes     |        ?
<almost any other vendor's telnetd>     |      yes     |        ?


    Through sending a specially formed option string to the remote telnet
    daemon a remote attacker might be able to overwrite sensitive information
    on the static memory pages. If done properly this may result in arbitrary
    code getting executed on the remote machine under the priviledges the
    telnet daemon runs on, usually root.


You can read the rest at the url above.

Just thought I'd mention it as noone else seems to have :&)

-- Matt

Web Page:

PGP Key fingerprint = 00BF 19FE D5F5 8EAD 2FD5  D102 260E 8BA7 EEE4 8D7F