The debian-private mailing list leak, part 1. Volunteers have complained about Blackmail. Lynchings. Character assassination. Defamation. Cyberbullying. Volunteers who gave many years of their lives are picked out at random for cruel social experiments. The former DPL's girlfriend Molly de Blanc is given volunteers to experiment on for her crazy talks. These volunteers never consented to be used like lab rats. We don't either. debian-private can no longer be a safe space for the cabal. Let these monsters have nowhere to hide. Volunteers are not disposable. We stand with the victims.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[linux-security] SNI-20: Telnetd tgetent vulnerability (fwd)



Hi,

Could someone make sure that Debian is not vulnerable to this? They only
tested with RedHat and Slackware... 

Thanks,

  Christian

---------- Forwarded message ----------
Date: Tue, 21 Oct 1997 18:24:02 -0600 (MDT)
From: "Secure Networks Inc." <sni@silence.secnet.com>
Reply-To: linux-security@redhat.com
To: best-of-security@cyber.com.au, BUGTRAQ@netspace.org,
    linux-security@redhat.com
Subject: [linux-security] SNI-20: Telnetd tgetent vulnerability
Resent-Date: Wed, 22 Oct 1997 07:53:12 +0000
Resent-From: linux-security@redhat.com
Resent-cc: recipient list not shown:;@GI020X.goethe.de;@GI020X.goethe.de   ; ;


[mod: Executive summary: SNI found recent linux-distributions
not-vulnerable -- REW]


-----BEGIN PGP SIGNED MESSAGE-----

                        ######    ##   ##    ######
                        ##        ###  ##      ##
                        ######    ## # ##      ##
                            ##    ##  ###      ##
                        ###### .  ##   ## .  ######.

                            Secure Networks Inc.

                             Security Advisory
                             October 21, 1997

                    in.telnetd tgetent buffer overflow


This advisory addresses a vulnerability in the tgetent(3) library
routine which allows an attacker to obtain root privileges by connecting
to a vulnerable system's telnet daemon.


Problem Description
~~~~~~~~~~~~~~~~~~~

A vulnerability in the tgetent(3) library routine can result in a
buffer overflow in the telnet daemon on some BSD derived systems.  By
uploading an alternate terminal capability database, an attacker
can exploit this vulnerability to gain unauthorized super-user access
to a vulnerable system, or to gain super-user access on a system
which they already have access to.

This problem can be exploited by mailing a file into the system, or
uploading a file via FTP.  Once this file has been transferred to the
remote system, the attacker must only be able to connect to the telnet
daemon, to obtain super-user access.


Technical Details
~~~~~~~~~~~~~~~~~

The tgetent(3) library call requires the passing in of a buffer in
which the terminal entry is stored.

   /*
    * Get an entry for terminal name in buffer bp from the termcap file.
    */
   int
   tgetent(bp, name)
           char *bp, *name;
   {

The tgetent(3) library call does no checking on the size of data which
is placed into the *bp buffer.  Many programs pass in a buffer of size
1024 bytes.  By creating a termcap terminal specification larger than
1024 bytes, we can overflow a buffer in the calling function.  If this
buffer is stored on the stack in the calling function, we can cause
arbitrary machine code to be executed.

The BSD telnet daemon calls the tgetent(3) function as follows:

   char buf[1024];

   if (terminaltype == NULL)
       return(1);

   if (tgetent(buf, s) == 0)
       return(0);
   return(1);

By specifying a terminal capability entry which is larger than 1024
bytes, an overflow occurs in the telnet daemon, allowing arbitrary
machine instructions to be executed.


Impact
~~~~~~

Remote individuals can obtain super-user access to any vulnerable system.
This vulnerability can allow remote users to obtain super-user access on
vulnerable systems, and can allow local users to obtain super-user access.


Vulnerable Systems
~~~~~~~~~~~~~~~~~~

BSD/OS (BSDI)

   Version 2.1 of BSD/OS is vulnerable
   Version 3.0 of BSD/OS is NOT vulnerable

   BSDI has issued a security fix which is currently in the testing
   phases and will be availible at the following location:

        ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-043

Solaris 2.x

   Solaris 2.x is NOT vulnerable to this problem

AIX

   AIX is NOT vulnerable to this problem

HP-UX

   HP-UX is NOT vulnerable to this problem

Linux

   The current versions of Linux which were tested include Slackware
   and Redhat, which appear to be NOT vulnerable.

IRIX

   IRIX appears to be NOT vulnerable.

NetBSD

   Current versions of NetBSD are not vulnerable.

FreeBSD

   Versions of FreeBSD newer than 2.1.5 are NOT vulnerable to this
   problem.  FreeBSD-current, FreeBSD 2.1.7 and FreeBSD 2.2.2 are NOT
   vulnerable.

OpenBSD

   Versions of OpenBSD newer than 2.0 are NOT vulnerable to this problem.


Additional Information
~~~~~~~~~~~~~~~~~~~~~~

This problem was discovered by Theo de Raadt <deraadt@openbsd.org>

You can contact Secure Networks Inc. at <sni@secnet.com> using
the following PGP key:

Type Bits/KeyID    Date       User ID
pub  1024/9E55000D 1997/01/13 Secure Networks Inc. <sni@secnet.com>
                              Secure Networks <security@secnet.com>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

mQCNAzLaFzIAAAEEAKsVzPR7Y6oFN5VPE/Rp6Sm82oE0y6Mkuof8QzERV6taihn5
uySb31UeNJ4l6Ud9alOPT/0YdeOO9on6eD1iU8qumFxzO3TLm8nTAdZehQSAQfoa
rWmpwj7KpXN/3n+VyBWvhpBdKxe08SQN4ZjvV5HXy4YIrE5bTbgIhFKeVQANAAUR
tCVTZWN1cmUgTmV0d29ya3MgSW5jLiA8c25pQHNlY25ldC5jb20+iQCVAwUQM1yd
EB/bLKAOe7p9AQFptAQAiYpaZCpSmGgr05E698Z3t5r5BPAKUEtgvF53AvZUQLxz
ZsYsVU5l5De0qKWJOQ/9LiDyWu1lvKhlTphbLy2RatWD4kO3oQL9v3TpSXm2WQhU
uIzyZvj7S5ENodNnKn+gCDIvbou6OMot+7dRbWWgN2oabbru4CSlOxbG++yaTz+J
AJUDBRAzTefbtOXez5VgyLkBAd0bA/43eGEgvPOFK+HHWCPpkSWCwtrtDU/dxOVz
9erHnT/CRxeojCI+50f71Qe+kvx9Q1odz2Jl/fLxhnPQdbPnpWblIbu4F8H+Syrj
HTilDrl1DWa/nUNgK8sb27SMviELczP1a8gwA1eo5SUCG5TWLLTAzjWOgTxod2Ha
OwseUHmqVIkAlQMFEDNOVsr/d6Iw8NVIbQEBxM0D/14XRfgSLwszgJcVbslMHm/B
fF6tHoWYojzQle3opOuMYHNN8GsMZRkc1qQ8QuNA9Aj5+qDqEontGjV5IvhBu1fY
FM77AhagskaFCZxwqV64Qrk328WDO89NGSd+RuovVNruDdn20TxNCEVuPTHjI0UA
8H+E6FW9jexg6RTHhPXYtCVTZWN1cmUgTmV0d29ya3MgPHNlY3VyaXR5QHNlY25l
dC5jb20+iQCVAwUQMtqTKB/bLKAOe7p9AQFw5wQAgUwqJ+ZqfEy/lO1srU3nzxLA
X0uHGHrMptRy/LFo8swD6G1TtWExUc3Yv/6g2/YK09b5WmplEJ+Q09maQIw+RU/s
cIY+EsPauqIq4JTGh/Nm0Z4UDl2Y1x4GNtm0YqezxUPS0P0A3LHVLJ3Uo5og0G8O
gPNrfbVz5ieT14OSCWCJAJUDBRAy2hd2/3eiMPDVSG0BAVNhBACfupfAcNhhnQaq
aI03DOOiZSRjvql1xw4V+pPhM+IksdSK3YNUZVJJtANacgDhBT+jAPRaYbBWI3A5
ZMdcSNM8aTG0LWMLIOiOYEm6Lgd3idRBFN0Js08eyITl8mhZ33mDe4I0KQri9UiV
ZcPYTbb9CWM6Hv2cMbt6S6kLnFziqIkAlQMFEDLaF0+4CIRSnlUADQEBCLoEAJwt
UofDgvyZ4nCDx1KKAPkkXBRaPMWBp46xeTVcxaYiloZfwHfpk1h2mEJAxmAsvizl
OtIppHl4isUxcGi/E2mLCLMvis22/IQP/9obPahPvgNaMLVtZljO1Nv3QFEkNciL
FEUTNJHR1ko7ibCxkBs4cOpirFuvTMDvWnNaXAf8
=DchE
- -----END PGP PUBLIC KEY BLOCK-----

Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

 You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
 and advisories at ftp://ftp.secnet.com/advisories

 You can browse our web site at http://www.secnet.com

 You can subscribe to our security advisory mailing list by sending mail to
 majordomo@secnet.com with the line "subscribe sni-advisories"

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBNE1O6bgIhFKeVQANAQG6UQP/ZmaI1E6yhEJKX8tdkwCMZt8GPATb7Ktx
dUW+aapmPiy1f4rOr1TpYg+ntBhQ7Rpifk/umJJ0mHNBwk0zUvnVXWS8OFZxDER/
6wshV0i3ZuVx+FGEqkV1dCDSgsygTieuf5hUGiVpWdpR4vtJ5oZhmzDJH2xOexNp
3bxn5PGOa8w=
=+I+e
-----END PGP SIGNATURE-----

--
----------------------------------------------------------------------
Please refere to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null



--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .