[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd
|
From: |
Erik Auerswald |
|
Subject: |
Re: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer ---> SEGV) |
|
Date: |
Sun, 28 Aug 2022 14:40:44 +0200 |
Hi all,
On Sat, Aug 27, 2022 at 07:37:15PM +0200, Erik Auerswald wrote:
>
> someone has described a remote DoS vulnerability in
> many telnetd implementations that I just happened to
> stumble over:
>
> https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
>
> The vulnerability is a NULL pointer dereference when
> reading either of two two byte sequences:
>
> 1: 0xff 0xf7
> 2: 0xff 0xf8
>
> The blog shows GNU Inetutils' telnetd as vulnerable:
>
> https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html#remote-dos-inetutils
I have confirmed that sending either of the above two byte
sequences to telnetd spawned via inetd results in a NULL
pointer dereference in telnetd.
One way to send the byte sequence is to use xxd and netcat:
$ # inetd listening on 127.0.0.1:4711 starts telnetd
$ xxd -r -p <<<'fff7' | nc 127.0.0.1 4711 >/dev/null
$ xxd -r -p <<<'fff8' | nc 127.0.0.1 4711 >/dev/null
In debug mode, inetd reports "<PID> reaped, status 0x8b".
At least on my GNU/Linux system, "dmesg" reports the NULL
pointer dereference:
[<Timestamp>] telnetd[<PID>]: segfault at 0 [...]
I could not trigger this problem with the "telnet" client.
The blog post describes that after 256 crashes "inetd" no
longer starts telnetd, resulting in a DoS. With my simple
inetd test configuration (just one line to start telnetd
on 127.0.0.1:4711) and inetd running in debug mode ("-d"),
I could not reproduce this.
> [...]
> In GNU Inetutils, the code lines to dereference table
> entries without first checking for NULL are in lines
> 321 and 323 of file "telnetd/state.c". The variable
> "ch" declared in line 315 of this file needs to be
> initialized to "(cc_t) (_POSIX_VDISABLE)", because it
> may not be assigned any value if the table is not yet
> initialized.
>
> References:
>
> line 315:
> https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n315
> line 321:
> https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n321
> line 323:
> https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n323
>
> I have attached a completely untested, not even compile
> tested, patch to do this (just the code changes, no NEWS
> or commit log or anything). Please test before committing.
I have tested the patch now, it compiles and prevents the
crash by preventing the NULL pointer dereference.
> [...]
Thanks,
Erik