Date: Thu, 16 Apr 1998 14:24:31 +0400 (MSD) From: Andrew Maltsev <am@amsoft.ru> To: FreeBSD-gnats-submit@FreeBSD.ORG Subject: bin/6317: telnet cannot be set to binary transparent mode Message-ID: <199804161024.OAA01033@amsoft.ru>
>Number: 6317
>Category: bin
>Synopsis: with -8E flags telnet still goes to command mode on 0xff
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Apr 16 03:30:02 PDT 1998
>Last-Modified:
>Originator: Andrew Maltsev
>Organization:
AM'SOFT
>Release: FreeBSD 2.2.6-STABLE i386 (and current)
>Environment:
FreeBSD as of stable and current
>Description:
When telnet is run with -8E (binary mode, no escape character), it is
still possible to enter command mode by sending the 0xff character.
Because these flags are commonly used to make reliable `jumps' to
other hosts (e.g. for anonymous access), this bug gives the user a chance
to get shell access; on a poorly configured host, even root shell access.
>How-To-Repeat:
say `telnet -8E localhost' and enter 0xff symbol from keyboard
(alt+2,5,5 on syscons)
>Fix:
here is patch for current telnet:
Index: commands.c
===================================================================
RCS file: /.1/FreeBSD/CVS/src/usr.bin/telnet/commands.c,v
retrieving revision 1.9
diff -c -r1.9 commands.c
*** commands.c 1998/02/20 04:33:02 1.9
--- commands.c 1998/04/16 10:13:09
***************
*** 405,411 ****
static int
send_esc()
{
! NETADD(escape);
return 1;
}
--- 405,412 ----
static int
send_esc()
{
! if(escapable)
! NETADD(escape);
return 1;
}
***************
*** 938,944 ****
printf("Telnet rlogin escape character is '%s'.\n",
control(rlogin));
} else {
! escape = (s && *s) ? special(s) : _POSIX_VDISABLE;
printf("Telnet escape character is '%s'.\n", control(escape));
}
}
--- 939,951 ----
printf("Telnet rlogin escape character is '%s'.\n",
control(rlogin));
} else {
! if(s && *s) {
! escape = special(s);
! escapable = 1;
! } else {
! escape = _POSIX_VDISABLE;
! escapable = 0;
! }
printf("Telnet escape character is '%s'.\n", control(escape));
}
}
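Review bot: In the new `else` branch of set_escape_char, `escapable` is set to 1 for any non-empty `s` without looking at what `special(s)` returned, while the `set` handler hunk at 1017 derives the flag from the stored value. If `special()` can ever yield `_POSIX_VDISABLE`, the two paths disagree about whether the escape is active. Deriving the flag the same way here, `escape = (s && *s) ? special(s) : _POSIX_VDISABLE;` followed by `escapable = (escape != _POSIX_VDISABLE);`, keeps them consistent. The start of the function, including the condition that selects the rlogin branch, is outside the hunk.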
***************
*** 1010,1015 ****
--- 1017,1025 ----
value = _POSIX_VDISABLE;
}
*(ct->charp) = (cc_t)value;
+ if(ct->charp == &escape) /* special workaround - i'm too lazy */
+ /* to add yet another handler (am@) */
+ escapable = !(value == _POSIX_VDISABLE);
printf("%s character is '%s'.\n", ct->name, control(*(ct->charp)));
}
slc_check();
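Review bot: The comment on the added `if(ct->charp == &escape)` only says the author did not want to write another handler; it does not say why the flag has to follow the value. A comment such as `/* keep escapable in sync: a disabled escape must never match a typed byte */` would tell a maintainer what breaks if the line is dropped, and `escapable = (value != _POSIX_VDISABLE);` reads more directly than the negated equality. The comment currently sits between the unbraced `if` and its statement, so braces around the assignment would also make the structure harder to misread. The enclosing function starts and ends outside the hunk.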
***************
*** 1330,1338 ****
printf("new escape character: ");
(void) fgets(buf, sizeof(buf), stdin);
arg = buf;
}
! if (arg[0] != '\0')
escape = arg[0];
if (!In3270) {
printf("Escape character is '%s'.\n", control(escape));
}
--- 1340,1354 ----
printf("new escape character: ");
(void) fgets(buf, sizeof(buf), stdin);
arg = buf;
+ if (*buf=='\n') arg++;
}
! if (arg[0] != '\0') {
escape = arg[0];
+ escapable = 1;
+ } else {
+ escape = _POSIX_VDISABLE;
+ escapable = 0;
+ }
if (!In3270) {
printf("Escape character is '%s'.\n", control(escape));
}
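Review bot: The added `if (*buf=='\n') arg++;` reads `buf` even when the preceding `fgets` failed, because its result is still discarded with `(void)`; on EOF or a read error nothing in the visible code has initialised the buffer. Checking the call, for example `if (fgets(buf, sizeof(buf), stdin) == NULL) buf[0] = '\0';`, makes that case fall into the new `else` branch and leaves the escape disabled rather than set from stale bytes. Separately, an empty argument now disables the escape where the old code left it unchanged; that change in behaviour deserves a comment here or a line in the manual page. The function starts outside the hunk.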
Index: externs.h
===================================================================
RCS file: /.1/FreeBSD/CVS/src/usr.bin/telnet/externs.h,v
retrieving revision 1.3
diff -c -r1.3 externs.h
*** externs.h 1997/01/07 19:47:56 1.3
--- externs.h 1998/04/16 09:55:57
***************
*** 148,153 ****
--- 148,154 ----
clienteof; /* Client received EOF */
extern cc_t escape; /* Escape to command mode */
+ extern short escapable; /* Escape allowed? */
extern cc_t rlogin; /* Rlogin mode escape character */
#ifdef KLUDGELINEMODE
extern cc_t echoc; /* Toggle local echoing */
Index: main.c
===================================================================
RCS file: /.1/FreeBSD/CVS/src/usr.bin/telnet/main.c,v
retrieving revision 1.6
diff -c -r1.6 main.c
*** main.c 1997/03/29 04:32:57 1.6
--- main.c 1998/04/16 09:54:57
***************
*** 141,147 ****
eight = 3; /* binary output and input */
break;
case 'E':
! rlogin = escape = _POSIX_VDISABLE;
break;
case 'K':
#ifdef AUTHENTICATION
--- 141,148 ----
eight = 3; /* binary output and input */
break;
case 'E':
! rlogin = _POSIX_VDISABLE;
! set_escape_char(NULL);
break;
case 'K':
#ifdef AUTHENTICATION
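Review bot: The two statements added under `case 'E':` are order-dependent and nothing says so. set_escape_char() has a separate rlogin branch (its printf is visible in the commands.c hunk at 939) and presumably selects it from the current value of `rlogin`, so the call clears `escape` only because `rlogin` was disabled on the line before. A comment such as `/* disable rlogin first: set_escape_char() touches escape only when rlogin is off */` would protect against a later reordering. Confirm the wording against the function's condition, which is not in any visible hunk.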
Index: telnet.c
===================================================================
RCS file: /.1/FreeBSD/CVS/src/usr.bin/telnet/telnet.c,v
retrieving revision 1.5
diff -c -r1.5 telnet.c
*** telnet.c 1998/02/20 04:34:08 1.5
--- telnet.c 1998/04/16 09:59:38
***************
*** 110,115 ****
--- 110,116 ----
char *prompt = 0;
+ short escapable;
cc_t escape;
cc_t rlogin;
#ifdef KLUDGELINEMODE
***************
*** 188,193 ****
--- 189,195 ----
/* Don't change NetTrace */
+ escapable = 1;
escape = CONTROL(']');
rlogin = _POSIX_VDISABLE;
#ifdef KLUDGELINEMODE
***************
*** 1969,1975 ****
command(0, "z\n", 2);
continue;
}
! if (sc == escape) {
command(0, (char *)tbp, tcc);
bol = 1;
count += tcc;
--- 1971,1977 ----
command(0, "z\n", 2);
continue;
}
! if (escapable && sc == escape) {
command(0, (char *)tbp, tcc);
bol = 1;
count += tcc;
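Review bot: The new `escapable &&` guard at 1971, and the matching one in the hunk at 1988, carries no comment explaining why a separate flag is needed when `escape` already holds `_POSIX_VDISABLE`. Going by the report, the disabled value is itself a byte the user can type (0xff), so the comparison `sc == escape` cannot tell "disabled" from "typed"; a short comment like `/* _POSIX_VDISABLE is a valid input byte in binary mode, so test the flag, not the value */` records that. The `command(0, "z\n", 2)` call just above is another entry into command handling that the flag does not cover. Its guarding condition is outside the hunk and should be checked for the same compare-against-disabled-value pattern.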
***************
*** 1986,1992 ****
}
if ((sc == '\n') || (sc == '\r'))
bol = 1;
! } else if (sc == escape) {
/*
* Double escape is a pass through of a single escape character.
*/
--- 1988,1994 ----
}
if ((sc == '\n') || (sc == '\r'))
bol = 1;
! } else if (escapable && sc == escape) {
/*
* Double escape is a pass through of a single escape character.
*/
>Audit-Trail:
>Unformatted:
