tech-security: NetBSD Security Advisory 2001-012: telnetd(8) options overflow

Subject: NetBSD Security Advisory 2001-012: telnetd(8) options overflow
To: None <tech-security@netbsd.org, current-users@netbsd.org,>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: tech-security
Date: 07/25/2001 23:52:10
-----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 2001-012
                 =================================

Topic:		telnetd(8) options overflow

Version:	All NetBSD releases prior to 2001-07-19.

Severity:	remote root from any host which can connect to telnetd(8)

Fixed:		NetBSD-current:		2001-07-19.
		NetBSD-1.5 branch:	Supplied patch (see below).
		NetBSD-1.4 branch:	Supplied patch (see below).

		A patch is provided for all releases that will fix
		the problem.  Pullups to other branches are
		anticipated, see 'More Information' below for how to
		track this progress.

Abstract
========

A buffer overflow existed in the telnetd(8) program. Any client
connecting could cause the telnetd instance to SEGV, and possibly
to execute arbitrary code as root.


Technical Details
=================

Technical details of the vulnerabilities are publicised in
CERT Advisory CA-2001-21:
	http://www.cert.org/advisories/CA-2001-21.html

A strong indication of attempted exploitation of this bug may be found
by examining log entries sent to the syslogd(8) system logger facility
DAEMON (which is stored in /var/log/messages by default) of the form:
	telnetd \[[0-9]*\]: ttloop: peer died: No such file or directory


Solutions and Workarounds
=========================

telnetd(8) has been shipped disabled since June 2000, including the
NetBSD 1.5 and 1.5.1 releases, and -current after that date.

If you are running an earlier release, or have re-enabled telnetd(8)
in 1.5.x, disable it now by commenting out the line beginning with
telnetd(8) in /etc/inetd.conf, and kill -HUP your inetd process.

As a reminder, unless you are running on a private network, telnet
exposes your passwords to the Internet. Even on a private network,
passwords may be exposed to inappropriate individuals. Use a strong,
secure protocol, such as Secure Shell instead.

The following instructions describe how to upgrade your telnetd(8)
by updating your source tree and rebuilding and installing a new
version of telnetd(8).

* NetBSD-current:

	Systems running NetBSD-current dated from before 2001-07-19
	should be upgraded to NetBSD-current dated 2001-07-20 or later.

	The following directory needs to be updated from the
	netbsd-current CVS branch (aka HEAD):
		src/libexec/telnetd

	To update from CVS, re-build, and re-install telnetd(8):
		# cd src/libexec/telnetd
		# cvs update -d -P
		# make cleandir dependall install


	Alternatively, apply the following patch (with potential offset
	differences) and rebuild & re-install telnetd(8):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-012-telnetd.patch

	To patch, re-build and re-install telnetd(8):
		# cd src/libexec/telnetd
		# patch < SA2001-012-telnetd.patch
		# make cleandir dependall install


* NetBSD 1.3, 1.3.x, 1.4, 1.4.x, 1.5, 1.5.1

	Systems running NetBSD releases up to and including 1.5.1 should
	apply the following patch (with potential offset differences):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-012-telnetd.patch

	To patch, re-build and re-install telnetd(8):
		# cd src/libexec/telnetd
		# patch < SA2001-012-telnetd.patch
		# make cleandir dependall install


	The anonymous CVS branchs netbsd-1-4 and netbsd-1-5 should be
	updated with a fix in the near future.


Thanks To
=========

TESO for the advisory.

Jason Thorpe <thorpej@netbsd.org> for analysis.

Krister Walfridsson <kristerw@netbsd.org> for testing.

Jun-ichiro Hagino <itojun@netbsd.org> for a fix in NetBSD-current
from the Heimdal telnetd sources, by way of OpenBSD.

David Maxwell <david@netbsd.org> for the fix for previous releases.


Revision History
================

	2001-07-25	Initial revision.

	2001-07-25	Info on how to detect exploit attempts.


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-012.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2001, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2001-012.txt,v 1.12 2001/07/25 13:09:47 lukem Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO17FAz5Ru2/4N2IFAQFDSwP/U8mVWa8bxZDj9/1jpyfJ4DkYTjTUBqty
TVfqAlEfCJuFe7ftdNds9915yOEYWiqP6xYg3gZKn8c+4UqSQttXpZPW3QIuxg/k
hAiZ3IToWdAKq20YdqbA/BAV3wqHAd0cB8Hu/p1kfuq2rsF5kY0PvTb8z9njGsMJ
Rh7fC+Xyh/c=
=q48s
-----END PGP SIGNATURE-----