Date: Fri, 27 Jul 2001 15:18:11 -0600 (MDT)
From: Paul Hart <hart@orem.verio.net>
To: Jim Sander <jim@federation.addy.com>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: Telnet exploit & 3.4-RELEASE
Message-ID: <Pine.BSF.4.31.0107271504470.58774-100000@mx.dmz.orem.verio.net>
In-Reply-To: <Pine.BSF.4.10.10107260939310.22770-100000@federation.addy.com>
On Thu, 26 Jul 2001, Jim Sander wrote:

> Telnet definitely functions, and the exploit doesn't seem to succeed-
> but then it didn't work before either, so who knows for sure.

The exploit posted to Bugtraq DOES work on FreeBSD 3.4-RELEASE, but only if you selected to install an encrypting telnetd when you set the machine up. At installation time there is a prompt about whether you want to install DES software. If you select "Yes" and install the "krb" package, you'll get a telnetd that understands using encryption, but unfortunately for you it's the exploitable one.

The "regular" telnetd still has the overflow (which may or may not be exploitable), but the posted exploit by TESO targets encrypting versions that have the encrypt_output function pointer in the BSS after netobuf. The function pointer gets overwritten when netobuf overflows, and that is the basis of the exploit. The regular telnetd (if that's the one you installed) doesn't have any such function pointer to exploit and thus isn't vulnerable to this particular exploit by TESO. Like I said though, the overflow is still present and it may or may not be exploitable by other means.

Paul Hart

-- 
Paul Robert Hart        hart@orem.verio.net
Jul ner lbh ernqvat guvf?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
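The mechanism Paul describes, as an added illustration that is not part of the thread and not telnetd's code: a model of a BSS region in which netobuf is immediately followed by the encrypt_output function pointer, written to by an output routine that does not bound its writes to netobuf, beside the same routine with the bound in place. NETOBUF_SIZE, the 0xA5 pattern standing in for the legitimate pointer value, the 'X'/0x41 payload and the function names are assumptions made for the demonstration; the vulnerable variant is clamped to the size of the model only so the simulation itself stays well-defined, where the real daemon would keep writing into the BSS.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy layout of the region the mail describes: netobuf, then the
 * encrypt_output pointer right behind it.  Sizes and the 0xA5 pattern
 * that stands for a legitimate pointer value are assumptions.
 */
#define NETOBUF_SIZE 64                    /* toy size; the real buffer is larger */
#define PTR_SIZE     ((size_t)sizeof(void *))
#define MODEL_SIZE   (NETOBUF_SIZE + PTR_SIZE)

static unsigned char bss_model[MODEL_SIZE]; /* [ netobuf ][ encrypt_output ] */
static size_t        nfrontp;               /* write cursor into netobuf */

/* Empty netobuf and put a recognisable "valid" value in the pointer slot. */
void model_reset(void)
{
    memset(bss_model, 0, NETOBUF_SIZE);
    memset(bss_model + NETOBUF_SIZE, 0xA5, PTR_SIZE);
    nfrontp = 0;
}

/* Vulnerable append: the only limit is the end of the whole model, so the
   write is free to run off the end of netobuf onto the pointer slot. */
size_t vuln_output(const unsigned char *in, size_t len)
{
    size_t room = MODEL_SIZE - nfrontp;     /* NOT NETOBUF_SIZE */
    size_t n = len < room ? len : room;
    memcpy(bss_model + nfrontp, in, n);
    nfrontp += n;
    return n;
}

/* Bounded append: never writes more than the space left in netobuf. */
size_t safe_output(const unsigned char *in, size_t len)
{
    size_t room = NETOBUF_SIZE - nfrontp;
    size_t n = len < room ? len : room;
    memcpy(bss_model + nfrontp, in, n);
    nfrontp += n;
    return n;
}

/* 1 if any byte of the encrypt_output slot no longer holds the 0xA5 value. */
int pointer_clobbered(void)
{
    for (size_t i = 0; i < PTR_SIZE; i++)
        if (bss_model[NETOBUF_SIZE + i] != 0xA5)
            return 1;
    return 0;
}

/* 1 if every byte of the pointer slot equals b, e.g. an attacker's 0x41. */
int pointer_slot_is(unsigned char b)
{
    for (size_t i = 0; i < PTR_SIZE; i++)
        if (bss_model[NETOBUF_SIZE + i] != b)
            return 0;
    return 1;
}

/* One scenario: a constructed payload that fills netobuf exactly and then
   carries PTR_SIZE more bytes of 0x41.  Returns pointer_clobbered(). */
int run_scenario(size_t (*out)(const unsigned char *, size_t))
{
    unsigned char payload[MODEL_SIZE];
    memset(payload, 'X', NETOBUF_SIZE);              /* fills netobuf */
    memset(payload + NETOBUF_SIZE, 0x41, PTR_SIZE);  /* would land on the pointer */
    model_reset();
    out(payload, sizeof payload);
    return pointer_clobbered();
}

int main(void)
{
    printf("unchecked write clobbers encrypt_output: %d\n", run_scenario(vuln_output));
    printf("bounded write clobbers encrypt_output:   %d\n", run_scenario(safe_output));
    return 0;
}
```

With the unchecked routine the pointer slot ends up holding the attacker's 0x41 bytes, which is exactly the state the TESO exploit relies on before the daemon next calls through encrypt_output; with the bounded routine the excess bytes are dropped and the slot still holds its original value. The model says nothing about whether the non-encrypting build is exploitable by other means, which the mail leaves open.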