Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:6843
HistorySep 19, 2004 - 12:00 a.m.

[Full-Disclosure] Debian netkit telnetd vulnerability

2004-09-1900:00:00
vulners.com
34
JSON

Exposure:

Remote root compromise through buffer handling flaws

Confirmed vulnerable:

Up-to-date Debian 3.0 woody (issue is Debian-specific)
Debian netkit-telnet-ssl-0.17.24+0.1 package
Debian netkit-telnet-ssl-0.17.17+0.1 package

Mitigating factors:

Telnet service must be running and accessible to the attacker.
Nowadays, telnet service presence on newly deployed Linux hosts is
relatively low. The service is still used for LAN access from other unix
platforms, and to host various non-shell services (such as MUDs).

Problem description:

Netkit telnetd implementation shipped with Debian Linux appears to be
lacking the AYT vulnerability patch. This patch was devised by Red Hat
(?) and incorporated into Debian packages, but later dropped.

This exposes the platform to a remote root problem discovered by scut of
TESO back in 2001 (CVE-2001-0554), as well as to other currently
unpublished flaws associated with the old buffer handling code, and
elliminated by the Red Hat's overhaul of buffer handling routines.

Based on a review of package changelogs, my best guess is that the patch
was accidentally dropped by Christoph Martin in December 2001, but I
have not researched the matter any further.

Vendor response:

I have contacted Debian security staff on August 29, and received a
confirmation of the problem from Matt Zimmerman shortly thereafter.

Since this is not a new flaw, I did not plan to release my own advisory,
hoping they will release a DSA bulletin and fix the problem. Three weeks
have passed, however, and Debian did not indicate any clear intent to
release the information any time soon. They did release nine other
advisories in the meantime, some of which were of lesser importance.

As such, I believe it is a good idea to bring the problem to public
attention, particularly since those running telnetd were and are,
unbeknownst to them, vulnerable to existing exploits.

Workaround:

Disable telnet service if not needed; manually apply Red Hat
netkit patches, or compile the daemon from Red Hat sources.

Note that netkit as such is no longer maintained by the author, and
hence obtaining the most recent source tarball (0.17) is NOT
sufficient. You may also examine other less popular telnetd
implementations, but be advised that almost all are heavily based on the
original code, and not always up-to-date with security fixes for that
codebase.

PS. Express your outrage: http://eprovisia.coredump.cx.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Related

nessus 7
openvas 8
cisco 2
cve 2
gentoo 1
cert 1
ubuntucve 1
debiancve 1
nessus
nessus
GLSA-200410-03 : NetKit-telnetd: buffer overflows in telnet and telnetd
2004-10-06 00:00:00
Mandrake Linux Security Advisory : telnet (MDKSA-2001:068)
2004-07-31 00:00:00
Debian DSA-070-1 : netkit-telnet - remote exploit
2004-09-29 00:00:00
openvas
openvas
Debian Security Advisory DSA 075-1 (netkit-telnet-ssl)
2008-01-17 00:00:00
TESO in.telnetd buffer overflow
2005-11-03 00:00:00
Debian Security Advisory DSA 070-1 (netkit-telnet)
2008-01-17 00:00:00
cisco
cisco
Cisco CatOS Telnet Buffer Vulnerability
2002-01-29 15:00:00
Cisco VPN 3000 Concentrator Multiple Vulnerabilities
2002-09-03 15:00:00
cve
cve
CVE-2001-0554
2001-08-14 04:00:00
CVE-2004-0911
2004-11-03 05:00:00
gentoo
gentoo
NetKit-telnetd: buffer overflows in telnet and telnetd
2004-10-05 00:00:00
cert
cert
Multiple vendor telnet daemons vulnerable to buffer overflow via crafted protocol options
2001-07-24 00:00:00
ubuntucve
ubuntucve
CVE-2004-0911
2004-11-03 00:00:00
debiancve
debiancve
CVE-2004-0911
2004-11-03 05:00:00
JSON
Related for SECURITYVULNS:DOC:6843
nessus7openvas8cisco2cve2gentoo1cert1ubuntucve1debiancve1