Subject: Re: telnetd exploit attempts.
To: Stephen M Jones <smj@cirr.com>
From: gabriel rosenkoetter <gr@eclipsed.net>
List: tech-security
Date: 09/05/2001 18:01:51

On Wed, Sep 05, 2001 at 04:48:37PM -0500, Stephen M Jones wrote:
> It's going that way and ultimately I'd like to cut out ftpd as well and
> just teach folks the magic of ssh and scp.  Honestly, it was intended
> and it just takes a little documentation, and something listening on
> ports 21 and 23 to inform folks of what they need to do.

That's clearly the best route to take. Perhaps with a little more
of the quickness in light of recent events. ;^>

> SA2001-012, applied to the source tree telnetd, I've not built it with
> debugging symbols on, but will do so now.  Monitoring logs I've seen
> about 158 ttloop: peer died: No such file or directory over the past
> two days.

I'm not positive that this was tested properly on all ports, and
it's plausible that it's seg faulting *because* you're on alpha
(though the idea that something committed to an in-tree daemon could
be 64bit unclean is a little troublesome).

But that error sounds distantly familiar (kind of like a failed
attempt at using the telnetd exploit in question).

Fwiw, I've been kind of ignoring this particular vulnerability,
not just because I don't run telnetd anywhere but also because I
have mostly mac68k and macppc machines. It's just not time effective
for someone to write shell code for either of those platforms unless
they're actively out to get me in particular. ;^>

> I'm not excessively paranoid about it.  It's a public system, I back
> everything up and I don't put (my own) critical files on it.  I do
> monitor file changes, new setuids across the farm .. but other than
> that, I don't stress over it.

Hopefully you do that monitoring on removable media. ;^>

> I do have the source tree (minus the kernel) checked out and updated
> automatically .. It's not built without me doing it though.  Honestly,
> I'm not really interested in having a production machine track current
> beyond userlandish stuff.

I wasn't suggesting you track -current, but rather track the release
branch (currently named netbsd-1-5, as I mentioned), which sees
pull-ups from -current semi-regularly till releng freezes it. This
is all tested, safe code. Tracking it is slightly ahead of 1.5.1,
on the way to 1.5.2. Some time soon there'll probably be a separate
on-the-path-to-1.6 branch. But none of this is as volatile as
-current while being more recent than the last release (all of
several months old! gasp! ;^>)

> Well, I didn't want to make it too blatantly obvious.

Fair enough. :^>

--
       ~ g r @ eclipsed.net
