bug-inetutils
From: Erik Auerswald
Subject: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer ---> SEGV)
Date: Sat, 27 Aug 2022 19:37:15 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0

Hi all,

someone has described a remote DoS vulnerability in
many telnetd implementations that I just happened to
stumble over:


https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html

The vulnerability is a NULL pointer dereference when
reading either of two two-byte sequences:

    1: 0xff 0xf7
    2: 0xff 0xf8

The blog shows GNU Inetutils' telnetd as vulnerable:


https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html#remote-dos-inetutils

The blog post analyzes the issue as using a table
before this table has been initialized:


https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html#remote-dos-root-cause-analysis

They show a patch against the FreeBSD 13.1 version
of telnetd to fix the two code paths, i.e., check
for NULL and don't dereference a NULL pointer.  Since
that might omit setting a variable before its use,
they add an initialization for said variable.

The FreeBSD patch works on different lines than need
to be changed in GNU Inetutils' telnetd, so it cannot
apply as is.

In GNU Inetutils, the code lines to dereference table
entries without first checking for NULL are in lines
321 and 323 of file "telnetd/state.c".  The variable
"ch" declared in line 315 of this file needs to be
initialized to "(cc_t) (_POSIX_VDISABLE)", because it
may not be assigned any value if the table is not yet
initialized.

References:

line 315: https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n315
line 321: https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n321
line 323: https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n323

I have attached a completely untested, not even compile
tested, patch to do this (just the code changes, no NEWS
or commit log or anything).  Please test before committing.

They write that they do not intend to contact the
maintainers:


https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html#full-disclosure

Thus this email.

Thanks,
Erik

Attachment: inetutils-telnetd-EC_EL_null_deref.patch
Description: Text Data
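The fix pattern the mail describes (check the special-character table for NULL before indexing it, and give "ch" a defined value of _POSIX_VDISABLE in case the table is not yet available), shown as an added, self-contained C illustration. This is not the attached patch and not GNU Inetutils' code: the struct term_state type, the function names and the byte stream fed through process_bytes are all constructed for this example; only the telnet command values (IAC 0xff, EC 0xf7, EL 0xf8 from RFC 854) and the termios names (cc_t, VERASE, VKILL, _POSIX_VDISABLE) are real.

```c
#include <stddef.h>
#include <stdio.h>
#include <termios.h>
#include <unistd.h>

/* _POSIX_VDISABLE normally comes from <unistd.h>; fall back to the usual
 * value if a platform does not expose it there. */
#ifndef _POSIX_VDISABLE
#define _POSIX_VDISABLE '\0'
#endif

/* Telnet command bytes from RFC 854 (the two sequences named in the mail). */
#define TELNET_IAC 0xff
#define TELNET_EC  0xf7   /* erase character */
#define TELNET_EL  0xf8   /* erase line */

/* Hypothetical stand-in for a per-connection terminal-state record.  In a
 * real telnetd the special-character table only becomes valid after the
 * pty has been set up and termios has been read; until then it is NULL. */
struct term_state {
    cc_t *special;        /* points at a termios c_cc[] array, or NULL */
};

/* Bug pattern as described in the mail: the table is indexed without a
 * NULL check, so an EC/EL arriving before initialization crashes the
 * server.  Shown for comparison only; must not be called while the table
 * is NULL. */
static cc_t ec_el_char_unchecked(const struct term_state *state, int cmd)
{
    cc_t ch;
    if (cmd == TELNET_EC)
        ch = state->special[VERASE];
    else
        ch = state->special[VKILL];
    return ch;
}

/* Fixed pattern: ch is initialized to _POSIX_VDISABLE so it has a defined
 * value whenever the table is not yet available, and the table is only
 * read after the NULL check. */
static cc_t ec_el_char_checked(const struct term_state *state, int cmd)
{
    cc_t ch = (cc_t) _POSIX_VDISABLE;
    if (state->special == NULL)
        return ch;
    if (cmd == TELNET_EC)
        ch = state->special[VERASE];
    else if (cmd == TELNET_EL)
        ch = state->special[VKILL];
    return ch;
}

/* Minimal IAC scanner over a constructed input buffer.  Returns how many
 * EC/EL commands were resolved; the last resolved character is stored in
 * *last.  Any byte following IAC is consumed as the command byte. */
int process_bytes(const unsigned char *buf, size_t len,
                  const struct term_state *state, cc_t *last)
{
    int handled = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] != TELNET_IAC)
            continue;
        unsigned char cmd = buf[i + 1];
        if (cmd == TELNET_EC || cmd == TELNET_EL) {
            *last = ec_el_char_checked(state, cmd);
            handled++;
        }
        i++;    /* skip the command byte */
    }
    return handled;
}

int main(void)
{
    /* Constructed probe: IAC EC arriving before the table exists. */
    const unsigned char early[] = { TELNET_IAC, TELNET_EC };
    struct term_state uninit = { NULL };
    cc_t last = 'x';
    int n = process_bytes(early, sizeof early, &uninit, &last);
    printf("before init: handled=%d ch=0x%02x (disabled)\n", n, last);

    /* After initialization both lookups return the real termios values. */
    cc_t table[NCCS] = { 0 };
    table[VERASE] = 0x7f;   /* DEL */
    table[VKILL]  = 0x15;   /* ^U  */
    struct term_state ready = { table };
    const unsigned char both[] = { TELNET_IAC, TELNET_EC, TELNET_IAC, TELNET_EL };
    n = process_bytes(both, sizeof both, &ready, &last);
    printf("after init: handled=%d last=0x%02x unchecked EC=0x%02x\n",
           n, last, ec_el_char_unchecked(&ready, TELNET_EC));
    return 0;
}
```

The point of the checked version is that the behaviour before initialization becomes "no special character is active" rather than a crash, which matches what the mail says the FreeBSD patch and the attached Inetutils patch do.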