From owner-freebsd-security@FreeBSD.ORG Sun Feb 15 14:56:01 2009
From: FreeBSD Security Officer
Organization: FreeBSD Project
Date: Sun, 15 Feb 2009 06:54:41 -0800
To: freebsd security
Reply-To: security-officer@freebsd.org
Message-ID: <49982CB1.5040502@freebsd.org>
Subject: HEADS UP: telnetd exploit in the wild, advisory coming soon
List-Id: "Security issues [members-only posting]"

Hi all,

A semi-remote root exploit for telnetd was posted to the full-disclosure list yesterday:

http://lists.grok.org.uk/pipermail/full-disclosure/2009-February/067954.html

Because the FreeBSD security team didn't get any advance notice of this, we're still investigating and don't have an official advisory or patches ready yet; we're working on it.

Some basic information from our investigation so far, subject to change as we investigate further:

* This affects telnetd in FreeBSD 7.0-RELEASE, 7.1-RELEASE, 7-STABLE, and 8-CURRENT.

* telnetd is disabled by default; if it is enabled, this is normally done via inetd(8).

* DragonFly BSD is vulnerable to this exploit, but for a completely different reason. Don't try to use their patch -- it won't work.

* In order to exploit this, an attacker needs to put a file somewhere on the vulnerable system with a known path. For an attacker who already has non-root access, this is obviously trivial; for an attacker without an account it may be possible to do this by sending an email to a user on the system, exploiting a CGI script, uploading a file via anonymous FTP, etc.

I strongly recommend disabling telnetd on all FreeBSD 7.x and 8.x systems. Check that telnetd isn't running (`ps ax | grep telnetd | grep -v grep` should return nothing) and that it isn't enabled in inetd.conf (`grep telnetd /etc/inetd.conf | grep -v ^#` should return nothing). If you absolutely must run telnetd, use a firewall to restrict access to people whom you trust with root access.

-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
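The two checks from the mail, wrapped into a small audit script as an added example (this is not code from the mail or from the FreeBSD project). The checks take the text to inspect as an argument so they can be exercised against the constructed samples below; `audit_live` applies them to the real `ps ax` output and `/etc/inetd.conf`, both assumed to be present as on FreeBSD.

```shell
#!/bin/sh
# Added example: audit whether telnetd is running or enabled via inetd,
# following the two checks recommended in the mail above.

# Constructed sample inetd.conf fragment (not a real system file): two
# commented-out telnet lines (one indented) and one live tcp6 entry.
SAMPLE_INETD_CONF='# constructed inetd.conf sample
#telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
  # telnet stream tcp6   nowait  root    /usr/libexec/telnetd    telnetd
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd'

# Constructed "ps ax" sample: inetd, a live telnetd, and the grep itself.
SAMPLE_PS='  PID TT  STAT      TIME COMMAND
  617  -  Is     0:00.02 /usr/sbin/inetd -wW
 1203  -  I      0:00.01 telnetd
 1250  0  S+     0:00.00 grep telnetd'

# Print the active (non-comment) inetd.conf lines that mention telnetd.
# Comment lines are skipped even when indented, which a plain "grep -v ^#"
# would miss. Returns 0 if telnetd is enabled, 1 if not.
telnetd_enabled_in() {
    found=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -w telnetd || true)
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Print ps lines showing a telnetd process, ignoring the grep that looks
# for it. Returns 0 if telnetd is running, 1 if not.
telnetd_running_in() {
    found=$(printf '%s\n' "$1" | grep -v grep | grep -w telnetd || true)
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Apply both checks to the live system (assumes ps(1) and /etc/inetd.conf).
# Returns 1 if either check fires, so it can gate a cron job or a deploy.
audit_live() {
    rc=0
    if telnetd_running_in "$(ps ax)"; then
        echo "WARNING: telnetd process found"; rc=1
    fi
    if telnetd_enabled_in "$(cat /etc/inetd.conf 2>/dev/null)"; then
        echo "WARNING: telnetd enabled in /etc/inetd.conf"; rc=1
    fi
    return $rc
}

# Demonstration on the constructed samples (both should report a finding).
if telnetd_enabled_in "$SAMPLE_INETD_CONF"; then echo "^ enabled in sample inetd.conf"; fi
if telnetd_running_in "$SAMPLE_PS"; then echo "^ running in sample ps output"; fi
```

Run `audit_live` on a real host to get a non-zero exit status whenever telnetd is either running or still enabled in inetd.conf.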