On Tue, Jul 24, 2001 at 02:51:24PM -0700, Kris Kennaway wrote:

> > > Solaris 2.x sparc | yes | ?
> > > <almost any other vendor's telnetd> | yes | ?
> > > ----------------------------------------+--------------+------------------
> >
> > Is there a test available that would allow verification of
> > vulnerability on various platforms? I'm thinking of network
> > devices like routers, do their telnet servers tend to be based
> > on the vulnerable code base?
>
> Chances are, yes. The vulnerability goes back at least to 4.2BSD.

I was just talking to David Borman from BSDi about this. Apparently the vulnerability discovered by TESO was introduced around the 4.3BSD timeframe, since it requires passing exploit code in via environment variables (the relevant telnet option to do this wasn't around before then). The 4.2BSD code plays the same dangerous games with sprintf() and manually incrementing the nfrontp pointer, but in the absence of a way to inject your shellcode all you can probably do is crash the telnetd.

Kris
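A bounded form of the pattern the message describes (sprintf() into the output buffer, then a hand-advanced nfrontp), as an added example that is not part of the original message or of any telnetd source. The buffer name netobuf, its 64-byte size, and the helpers net_append() and unchecked_overrun() are assumptions made here for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NETOBUF_SIZE 64          /* assumed size, small so the sample fills it */

static char netobuf[NETOBUF_SIZE];
static char *nfrontp = netobuf;  /* next free byte in netobuf */

/* Bytes still free, keeping one for the terminating NUL. */
static size_t net_space(void)
{
    return (size_t)(netobuf + NETOBUF_SIZE - nfrontp) - 1;
}

/* Bounded stand-in for "sprintf(nfrontp, ...); nfrontp += strlen(nfrontp);".
 * Returns the bytes appended, or -1 with the buffer contents unchanged when
 * the formatted text does not fit (a real server would flush and retry). */
static int net_append(const char *fmt, ...)
{
    va_list ap;
    size_t room = net_space();
    int need;

    va_start(ap, fmt);
    need = vsnprintf(nfrontp, room + 1, fmt, ap);
    va_end(ap);
    if (need < 0 || (size_t)need > room) {
        *nfrontp = '\0';         /* discard the truncated partial write */
        return -1;
    }
    nfrontp += need;             /* advance only by what was really stored */
    return need;
}

/* Bytes the unchecked pattern would have written past the end (0 = fits). */
static size_t unchecked_overrun(size_t formatted_len)
{
    size_t room = net_space();
    return formatted_len > room ? formatted_len - room : 0;
}

int main(void)
{
    /* Constructed 40-byte value standing in for client-supplied data. */
    const char *value = "0123456789012345678901234567890123456789";
    printf("first append:  %d\n", net_append("VAR=%s;", value));
    printf("second append: %d\n", net_append("VAR=%s;", value));
    printf("bytes queued:  %ld\n", (long)(nfrontp - netobuf));
    return 0;
}
```
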
This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 16:39:28 PDT