{"vuid":"VU#745371","idnumber":"745371","name":"Multiple vendor telnet daemons vulnerable to buffer overflow via crafted protocol options","keywords":["telnet daemon","telnetd","buffer overflow","crafted command line arguments","telrcv","AYT","Are You There","BUFSIZ"],"overview":"The telnetd program is a server for the telnet remote virtual terminal protocol. There is a remotely exploitable buffer overflow in telnet daemons derived from BSD source code. This vulnerability can crash the server, or be leveraged to gain root access.","clean_desc":"There is a remotely exploitable buffer overflow in telnet daemons derived from BSD source code. The buffer overflow occurs in the server's processing of protocol options. A function of the telnet daemon, 'telrcv', processes the protocol options. During the processing of the options, the results of 'telrcv' are assumed to be smaller than an unchecked storage buffer. The size of this buffer is statically defined. TESO claims that they have a working exploit for the BSDI, FreeBSD, and NetBSD versions affected (see http://www.team-teso.net/advisories/teso-advisory-011.tar.gz). Their exploit has been publicly posted on the BugTraq mailing list. We have verified the exploit works against at least one target system. According to a TESO advisory, the following systems with telnetd running are vulnerable to the buffer overflow:\n- BSDI 4.x default\n- FreeBSD [2345].x default\n- IRIX 6.5\n- Linux netkit-telnetd version 0.14 and earlier\n- NetBSD 1.x default\n- OpenBSD 2.x\n- Solaris 2.x sparc\nTESO indicates that other vendors' telnet daemons have a high probability of being vulnerable as well. FreeBSD has confirmed the following releases are vulnerable: \"All releases of FreeBSD 3.x, 4.x prior to 4.4, FreeBSD 4.3-STABLE prior to the correction date.\"","impact":"An intruder can execute arbitrary code as the user running telnetd, typically root.","resolution":"Install a patch from your vendor when available. Please continue to check this document for information available from the CERT/CC.","workarounds":"Disallow access to the telnet service (typically port 23/tcp) using firewall or packet-filtering technology. Blocking access to the telnet service will limit your exposure to attacks from outside your network perimeter. However, blocking port 23/tcp at a network perimeter would still allow any users, remote or local, within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements prior to deciding what changes are appropriate.","sysaffected":"","thanks":"The CERT Coordination Center thanks TESO, who published an advisory on this issue. We would also like to thank Jeff Polk <polk@BSDI.COM> for technical assistance.","author":"This document was written by Ian A. Finlay & Jason Rafail.","public":["http://www.securityfocus.com/bid/3064","http://www.team-teso.net/advisories/teso-advisory-011.tar.gz","ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc"],"cveids":["CVE-2001-0554"],"certadvisory":"CA-2001-21","uscerttechnicalalert":null,"datecreated":"2001-07-19T14:31:11Z","publicdate":"2001-07-18T00:00:00Z","datefirstpublished":"2001-07-24T21:41:53Z","dateupdated":"2002-04-16T19:36:57Z","revision":42,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"15","cam_population":"20","cam_impact":"19","cam_easeofexploitation":"15","cam_attackeraccessrequired":"20","cam_scorecurrent":"74.8125","cam_scorecurrentwidelyknown":"74.8125","cam_scorecurrentwidelyknownexploited":"117.5625","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":74.8125,"vulnote":null}