Linux telnetd is very buggy, whether or not it is exploitable is a different
story. By sending many AYT's, you overwrite the netoprintf variable with the
string "\r\n[ hostname : yes]\r\n", which will eventually cause a crash when
it hits something important. First off, some background:
The telnetd I tested was from the SuSE 7.1 netkit package (0.5.1), I am not
sure what the "real" version of this code is.
The telnetd bug is not immediately exploitable through the initial buffer
overflow, yes you can smash the stack, but no you cant control the data.
[ nkit-0.5.1/telnetd/utility.c line 55 ]
_______________________________
void
netoprintf(const char *fmt, ...)
{
int len, maxsize;
va_list ap;
int done=0;
while (!done) {
maxsize = sizeof(netobuf) - (nfrontp - netobuf);
va_start(ap, fmt);
len = vsnprintf(nfrontp, maxsize, fmt, ap); /* overflow is here */
va_end(ap);
if (len<0 || len==maxsize) {
/* didn't fit */
netflush();
}
else {
done = 1;
}
}
nfrontp += len; /* no sanity checks are done */
}
_______________________________
By sending around 2000 "ayt" requests at once, the nfrontp pointer is moved
far enough to smash the return address. An interesting side effect is the
maxsize variable starts going into the negatives, alhtough it doesnt seem to
affect the *nprintf functions..
A remote attacker cannot control the fmt string or argument passed to this
function, with the "ayt" overflow, they are:
fmt = "\r\n[%s : yes]\r\n"
args = HOSTNAME (whatever the hostname is)
[ this is the current stack, we overflow netobuf ]
netobuf (8254)
pcc (30)
ptyobuf (8254)
ncc (30)
subbuffer (510)
envinit (30)
progname (30)
ptyibuf (???)
Gcc seems to be alocating 30 bytes to each integer, whether this is because
of the -ggdb options I compiled with or some normal padding, I don't know. A
normal (4000 ayt's) only seems to get about halfway into subbuffer before the
program exits.
pcc and ncc are int's
pcc = read from tty byte count
ncc = read from network byte count
ptyobuf = pty output buffer
How to calculate the number of bytes each AYT request causes to be written to
netoprintf:
(strlen(hostname) + 12) * ayt
To exploit this, you would need to use the AYT overflow to overwrite one of
the internal stack variables (and create a secondary vulnerability), then
exploit this newly created vulnerability to launch a shell.
The path to /bin/login is stored under the memory address we can write to, so
there is no chance of just rewriting /bin/login to /bin/sh or something ;)
Any ideas on how to exploit this?
-HD
http://www.digitaldefense.net (work)
http://www.digitaloffense.net (play)
On Tuesday 31 July 2001 12:52 am, Dawes, Rogan (ZA - Johannesburg) wrote:
> [Resent after 4 days passed and not seen on the list]
>
> Hi,
>
> I ran the Perl code supplied by David Maxwell (on Bugtraq) against Linux
> with telnet 0.17-7,
> and saw some funny results.
This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 11:36:58 PDT