Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 15 Feb 2009 06:54:41 -0800
From:      FreeBSD Security Officer <cperciva@freebsd.org>
To:        freebsd security <freebsd-security@freebsd.org>
Subject:   HEADS UP: telnetd exploit in the wild, advisory coming soon
Message-ID:  <49982CB1.5040502@freebsd.org>

next in thread | raw e-mail | index | archive | help
Hi all,

A semi-remote root exploit for telnetd was posted to the full-disclosure list
yesterday:
http://lists.grok.org.uk/pipermail/full-disclosure/2009-February/067954.html

Because the FreeBSD security team didn't get any advance notice of this, we're
still investigating and don't have an official advisory or patches ready yet;
we're working on it.

Some basic information from our investigation so far, subject to change as we
investigate further:
* this affects telnetd in FreeBSD 7.0-RELEASE, 7.1-RELEASE, 7-STABLE, and 8-CURRENT.
* telnetd is disabled by default; if it is enabled, this is normally done via
inetd(8).
* dragonflybsd is vulnerable to this exploit, but for a completely different
reason.  Don't try to use their patch -- it won't work.
* in order to exploit this, an attacker needs to put a file somewhere on the
vulnerable system with a known path.  For an attacker who already has non-root
access, this is obviously trivial; for an attacker without an account it may
be possible to do this by sending an email to a user on the system, exploiting
a CGI script, uploading a file via anonymous FTP, etc.

I strongly recommend disabling telnetd on all FreeBSD 7.x and 8.x systems.
Check that telnetd isn't running (`ps ax | grep telnetd | grep -v grep` should
return nothing) and that it isn't enabled in inetd.conf (`grep telnetd
/etc/inetd.conf | grep -v ^#` should return nothing).  If you absolutely must
run telnetd, use a firewall to restrict access to people whom you trust with
root access.

-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?49982CB1.5040502>