[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : telnetd allows remote system resource consumption

Title: telnetd allows remote system resource consumption
Released by: FreeBSD
Date: 14th November 2000
Printable version: Click here
-----BEGIN PGP SIGNED MESSAGE-----



=============================================================================

FreeBSD-SA-00:69                                           Security Advisory

                                                                FreeBSD, Inc.



Topic:          telnetd allows remote system resource consumption.



Category:       core

Module:         telnetd

Announced:      2000-11-14

Credits:        Jouko Pynnonen 

Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases prior

                to 4.2), FreeBSD 3.5.1-STABLE and 4.1.1-STABLE prior

                to the correction date.

Corrected:      2000-10-30 (FreeBSD 4.1.1-STABLE)

                2000-11-01 (FreeBSD 3.5.1-STABLE)

FreeBSD only:   NO



I.   Background



telnetd is the server for the telnet remote login protocol.



II.  Problem Description



The telnet protocol allows for UNIX environment variables to be passed

from the client to the user login session on the server.  However, some

of these environment variables have special meaning to the telnetd

child process itself and may be used to affect its operation.



Of particular relevance is the ability for remote users to cause an

arbitrary file on the system to be searched for termcap data by

passing the TERMCAP environment variable.  Although any file on the

local system can be read since the telnetd server runs as root, the

contents of the file will not be reported in any way to the remote

user unless it contains a valid termcap entry, in which case the

corresponding termcap sequences will be used to format the output sent

to the client.  It is believed there is no risk of data disclosure

through this vulnerability.



However, an attacker who forces the server to search through a large

file or to read from a device can cause resources to be spent by the

server, including CPU cycles and disk read bandwidth, which can

increase the server load and may prevent it from servicing legitimate

user requests.  Since the vulnerability occurs before the login(1)

utility is spawned, it does not require authentication to a valid

account on the server in order to exploit.



All released versions of FreeBSD prior to the correction date

including 4.0, 4.1, 4.1.1 and 3.5.1 are vulnerable to this problem,

but it was fixed in the 4.1.1-STABLE branch prior to the release of

FreeBSD 4.2-RELEASE.



III. Impact



Remote users without a valid login account on the server can cause

resources such as CPU and disk read bandwidth to be consumed, causing

increased server load and possibly denying service to legitimate

users.



IV.  Workaround



1) Disable the telnet service, which is usually run out of inetd:

comment out the following lines in /etc/inetd.conf, if present.



telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd



telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd



2) Impose access restrictions using TCP wrappers (/etc/hosts.allow),

or a network-level packet filter such as ipfw(8) or ipf(8) on the

perimeter firewall or the local machine, to limit access to the telnet

service to trusted machines.



V.   Solution



One of the following:



1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE or

3.5.1-STABLE after the respective correction dates.



2) Apply the patch below and recompile the relevant files:



Either save this advisory to a file, or download the patch and

detached PGP signature from the following locations, and verify the

signature using your PGP utility.



http://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:69/telnetd.patch

http://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:69/telnetd.patch.asc



Execute the following commands as root:



# cd /usr/src/libexec/telnetd

# patch -p < /path/to/patch_or_advisory

# make depend && make all install



Patch for vulnerable systems:



    Index: sys_term.c

    ===================================================================

    RCS file: /mnt/ncvs/src/libexec/telnetd/sys_term.c,v

    retrieving revision 1.24

    retrieving revision 1.25

    diff -u -r1.24 -r1.25

    --- sys_term.c 1999/08/28 00:10:24 1.24

    +++ sys_term.c 2000/10/31 05:29:54 1.25

    @@ -1799,6 +1799,13 @@

         strncmp(*cpp, "_RLD_", 5) &&

         strncmp(*cpp, "LIBPATH=", 8) &&

     #endif

    +     strncmp(*cpp, "LOCALDOMAIN=", 12) &&

    +     strncmp(*cpp, "RES_OPTIONS=", 12) &&

    +     strncmp(*cpp, "TERMINFO=", 9) &&

    +     strncmp(*cpp, "TERMINFO_DIRS=", 14) &&

    +     strncmp(*cpp, "TERMPATH=", 9) &&

    +     strncmp(*cpp, "TERMCAP=/", 9) &&

    +     strncmp(*cpp, "ENV=", 4) &&

         strncmp(*cpp, "IFS=", 4))

     *cpp2++ = *cpp;

     }

    Index: telnetd.c

    ===================================================================

    RCS file: /mnt/ncvs/src/libexec/telnetd/telnetd.c,v

    retrieving revision 1.22

    retrieving revision 1.23

    diff -u -r1.22 -r1.23

    --- telnetd.c 2000/01/25 14:52:00 1.22

    +++ telnetd.c 2000/10/31 05:29:54 1.23

    @@ -811,7 +811,7 @@

     fatal(net, "Out of ptys");



     if ((pty = open(lp, 2)) >= 0) {

    - strcpy(line,lp);

    + strlcpy(line,lp,sizeof(line));

     line[5] = 't';

     break;

     }

    @@ -1115,7 +1115,7 @@

     IM = Getstr("im", &cp);

     IF = Getstr("if", &cp);

     if (HN && *HN)

    - (void) strcpy(host_name, HN);

    + (void) strlcpy(host_name, HN, sizeof(host_name));

     if (IF && (if_fd = open(IF, O_RDONLY, 000)) != -1)

     IM = 0;

     if (IM == 0)

    Index: utility.c

    ===================================================================

    RCS file: /mnt/ncvs/src/libexec/telnetd/utility.c,v

    retrieving revision 1.13

    retrieving revision 1.14

    diff -u -r1.13 -r1.14

    --- utility.c 1999/08/28 00:10:25 1.13

    +++ utility.c 2000/10/31 05:29:54 1.14

    @@ -330,7 +330,7 @@

     {

     char buf[BUFSIZ];



    - (void) sprintf(buf, "telnetd: %s.\r\n", msg);

    + (void) snprintf(buf, sizeof(buf), "telnetd: %s.\r\n", msg);

     (void) write(f, buf, (int)strlen(buf));

     sleep(1); /*XXX*/

     exit(1);

    @@ -343,7 +343,7 @@

     {

     char buf[BUFSIZ], *strerror();



    - (void) sprintf(buf, "%s: %s", msg, strerror(errno));

    + (void) snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno));

     fatal(f, buf);

     }

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.0.4 (FreeBSD)

Comment: For info see http://www.gnupg.org



iQCVAwUBOhG9KFUuHi5z0oilAQHUZwP/Xmo3EDteE4HwZovAO6UFzNtc3xVsFaUr

Thf5XvpPThIOKmyYsUOL/kRbfnU3vJUdPA21uDYKyUEil5+x8+ZAuDzJXfMxHwu8

MMD1/d5QFfvuWN5W+/msdT7XKEjTmm4f09/tMxRAEyIMeKRj2H4gWxEGmaivJtvT

6bFKtbsSW1Q=

=UltL

-----END PGP SIGNATURE-----








(C) 1999-2000 All rights reserved.