Re: multiple vendor telnet daemon vulnerability

From: Kris Kennaway (krisat_private)
Date: Tue Jul 24 2001 - 14:51:24 PDT

    On Tue, Jul 24, 2001 at 04:55:49PM +1000, Steffen Kluge wrote:
    
    > >     OpenBSD current                         |       no     |
                                                           ^^^^
    I'm not so sure about this one.  OpenBSD-current (post 2.9) contains
    the heimdal telnetd code, which incompletely fixes the handling of the
    output buffers (under certain conditions it looks like the buffers can
    still be overflowed).  The initial (unofficial) patch posted to the
    FreeBSD-security list last week was also a port of the heimdal telnetd
    code with the same (flawed) semantics for output_data() and
    netflush(), and I had a report yesterday of someone being compromised
    with that preliminary patch in place.  The official patch published
    with our advisory is believed to fix things properly.
    
    OpenBSD 2.9's telnetd is also full of code like this:
    
            if (TELOPT_OK(option))
                    sprintf(nfrontp, "%s %s\r\n", fmt, TELOPT(option));
            else if (TELCMD_OK(option))
                    sprintf(nfrontp, "%s %s\r\n", fmt, TELCMD(option));
            else
                    sprintf(nfrontp, "%s %d\r\n", fmt, option);
            nfrontp += strlen(nfrontp);
            return;
    
    which is the signature of the problem reported by TESO.  I wouldn't be
    at all surprised if there were further problems there.  For the sake
    of the OpenBSD users this needs to be investigated further.
    
    > >     Solaris 2.x sparc                       |      yes     |        ?
    > >     <almost any other vendor's telnetd>     |      yes     |        ?
    > >     ----------------------------------------+--------------+------------------
    > 
    > Is there a test available that would allow verification of
    > vulnerability on various platforms? I'm thinking of network
    > devices like routers, do their telnet servers tend to be based
    > on the vulnerable code base?
    
    Chances are, yes.  The vulnerability goes back at least to 4.2BSD.
    
    Kris
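The pattern quoted above (sprintf straight into the output buffer at nfrontp, then nfrontp += strlen(nfrontp)) and the output_data()/netflush() pair whose semantics the post says the heimdal port got wrong, as an added example in C. This is not code from the post, OpenBSD, FreeBSD or heimdal: it is a small model of the telnetd output buffer that borrows the post's names (netobuf, nfrontp, nbackp, output_data, netflush) and assumes a 64-byte buffer and a "peer_blocked" flag so the failure is easy to reach. The post does not say what was wrong with the preliminary patch, so the condition handled here (a flush that frees no space, after which the write must be refused rather than performed) is an assumption about the class of bug, not a description of that patch.

```c
/* Added example, not code from the post, OpenBSD, FreeBSD or heimdal: a model
 * of the telnetd output buffer using the post's names (netobuf, nfrontp,
 * nbackp, output_data, netflush). The 64-byte size and the "peer_blocked"
 * flag are assumptions chosen to make the failure mode easy to reach. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NETOBUF_SIZE 64            /* assumed; real telnetds use a few KiB */

static char   netobuf[NETOBUF_SIZE];
static char  *nfrontp = netobuf;   /* next free byte: writers append here */
static char  *nbackp  = netobuf;   /* next unsent byte: netflush drains from here */
static size_t sent_total;          /* bytes handed to the simulated network */
static int    peer_blocked;        /* 1 = peer not reading, flush frees nothing */

static void reset_netobuf(int blocked)
{
    memset(netobuf, 0, sizeof netobuf);
    nfrontp = nbackp = netobuf;
    sent_total = 0;
    peer_blocked = blocked;
}

/* The unbounded pattern quoted in the post:
 *     sprintf(nfrontp, "%s %s\r\n", fmt, name); nfrontp += strlen(nfrontp);
 * Rather than perform that write (it would corrupt memory), return how many
 * bytes it would place past the end of netobuf, NUL included; 0 means it fits. */
static size_t unbounded_spill(const char *fmt, const char *name)
{
    size_t room   = (size_t)(netobuf + NETOBUF_SIZE - nfrontp);
    size_t needed = strlen(fmt) + 1 + strlen(name) + 2 + 1; /* "%s %s\r\n" + NUL */
    return needed > room ? needed - room : 0;
}

/* Simulated netflush(): hand queued bytes to the network and compact the
 * buffer. A peer that is not reading drains nothing, so callers must not
 * assume a flush created space. */
static void netflush(void)
{
    size_t queued = (size_t)(nfrontp - nbackp);
    if (peer_blocked || queued == 0)
        return;
    sent_total += queued;          /* stand-in for write(net, nbackp, queued) */
    nbackp = nfrontp = netobuf;
}

/* Bounded output_data(): format into scratch first to learn the exact length,
 * flush if it does not fit, re-check, and refuse (-1) rather than write past
 * the end. nfrontp advances by the formatted length, never by strlen(). */
static int output_data(const char *fmt, ...)
{
    char    line[NETOBUF_SIZE];
    va_list ap;
    int     n;
    size_t  len, room;

    va_start(ap, fmt);
    n = vsnprintf(line, sizeof line, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= sizeof line)
        return -1;                 /* one line larger than the whole buffer */
    len  = (size_t)n;
    room = (size_t)(netobuf + NETOBUF_SIZE - nfrontp);
    if (len > room) {
        netflush();
        room = (size_t)(netobuf + NETOBUF_SIZE - nfrontp);
        if (len > room)
            return -1;             /* flush freed nothing: drop, never overflow */
    }
    memcpy(nfrontp, line, len);
    nfrontp += len;
    return n;
}

/* Queue `count` copies of a typical 18-byte option reply ("DO TERMINAL-TYPE\r\n");
 * returns how many were accepted. */
static int queue_replies(int count, int blocked)
{
    int i, accepted = 0;
    reset_netobuf(blocked);
    for (i = 0; i < count; i++)
        if (output_data("%s %s\r\n", "DO", "TERMINAL-TYPE") >= 0)
            accepted++;
    return accepted;
}

static size_t queued_bytes(void) { return (size_t)(nfrontp - netobuf); }
static size_t sent_bytes(void)   { return sent_total; }

/* A single reply longer than the whole buffer must be refused outright. */
static int oversized_line_rejected(void)
{
    char big[80];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    reset_netobuf(0);
    return output_data("%s %s\r\n", "DO", big) == -1 && queued_bytes() == 0;
}
```

With a peer that reads, queue_replies(10, 0) accepts all ten lines because each flush empties the buffer. With the peer blocked, only three 18-byte lines fit in 64 bytes; the fourth is dropped, while the unbounded sprintf would have written 9 bytes past the end of netobuf. The two points a review of such a patch should check are visible here: the length is learned before anything touches netobuf, and the space is re-checked after netflush() instead of being assumed.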

    This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 14:55:22 PDT