bug-inetutils
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug-inetutils] Telnet client command parsing bugs


From: Peter Kasza
Subject: [bug-inetutils] Telnet client command parsing bugs
Date: Mon, 5 Jun 2017 20:49:30 +0200
User-agent: Mutt/1.6.0.1 (2016-04-01)

Hi all,

I've been playing around with afl-fuzz[1] over the weekend and I've
discovered several bugs in the command parsing routine of the telnet
client. I've evaluated these from a security standpoint since the
telnet client is present in many appliances that disallow the user to
directly execute shell commands on the system.

None of the discovered issues are exploitable; however the analysis
below should provide enough information to fix them.

I've attached the input files that can be used to trigger the issues.

* Obtained crashes
  - inetutils-1.9.4/telnet/commands.c:162:      *argp++ = cp; // XXX CRASH 
HERE: BUFFER-OVERFLOW; 
testdata/crashes/id:000012,sig:06,src:000467,op:havoc,rep:32
  - inetutils-1.9.4/telnet/commands.c:201:  *argp++ = 0; // XXX CRASH HERE: 
BUFFER-OVERFLOW; testdata/crashes/id:000002,sig:06,src:000182,op:havoc,rep:8
  - inetutils-1.9.4/telnet/commands.c:1225:       *(ct->charp) = 
_POSIX_VDISABLE; // XXX CRASH HERE: SEGV; 
testdata/crashes/id:000009,sig:06,src:000230,op:arith8,pos:5,val:+25
  - inetutils-1.9.4/telnet/commands.c:3052:     printf ("%s\n", c->help); // 
XXX CRASH HERE: SEGV; 
testdata/crashes/id:000013,sig:06,src:000210,op:flip1,pos:21

** Segmentation faults
Telnet seems to crash at [commands.c:1225] and [commands.c:3052] with a
segmentation fault. None of the addresses seem to be controllable by
an attacker, so no potential security vulnerabilities.

  - The first crash seems to read the charp field from the last element of
  the *Setlist* array which is the guard element and is set to zero in the
  source.

  - The second crash is very similar, however it crashes trying to access
  the guard element of the *cmdtab2* array.

** Buffer overflows
Both identified buffer overflows occur in the *makeargv* function at
[commands.c:162] and [commands.c:201]. From these, the first crash
seems to contain an out of bounds write that could be exploitable. The
other one just writes out a zero to the memory address.

   Breakpoint 1, makeargv () at commands.c:162
   162           *argp++ = cp; // XXX CRASH HERE: BUFFER-OVERFLOW; 
testdata/crashes/id:000012,sig:06,src:000467,op:havoc,rep:32
   (gdb) bt
   #0  makeargv () at commands.c:162
   #1  0x0804c8cb in command (top=1, tbuf=0x0, cnt=0) at commands.c:2981
   #2  0x08049d77 in main (argc=0, argv=0xbffff668) at main.c:414

The *makeargv* subroutine is called from the *command* function that
reads in commands from stdin and stores it in the *line* buffer. The
lines are read using fgets, and the proper buffer length is passed in.

   commands.c:2969: if (fgets (line, sizeof (line), stdin) == NULL)

Since the line buffer is 256 elements in size, we cannot pass in
longer commands than 255 bytes.

   commands.c:135: static char line[256];
   commands.c:136: static char saveline[256];
   commands.c:137: static int margc;
   commands.c:138: static char *margv[20];

However if we specify one character arguments we can pass in at most
128 elements. The *makeargv* function tokenizes the command and stores
the arguments in *margv*. We can overflow *margv* by (128 - 20) * 4,
which overwrites *margc*, *saveline* and part of the original line
buffer.

This doesn't seem to result in a security vulnerability currently, but
it can become a serious issue if the *margv* and *margc* values are
ever moved in to the *makeargv* function as stack variables.

The current code allows an attacker to leak out the memory address
taken up by the arguments by prefixing a command with "!" and
overwriting the *saveline* buffer. Telnet will copy the line buffer to
the *saveline* array and then overwrite it in *makeargs* due to the
buffer overflow. When it tries to execute the command from *saveline*,
the memory address will be passed in as the program name.

   % perl -e 'print "!" . " A"x128' > test
   
   % cat test | telnet
   zsh:1: command not found: \M-ca
   telnet> telnet> ?Invalid command
   telnet> 

[1]: http://lcamtuf.coredump.cx/afl/

-- 
Best Regards,
Peter Kasza

http://www.itinsight.hu
address@hidden

()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Attachment: crashes.tgz
Description: GNU Unix tar archive


reply via email to

[Prev in Thread] Current Thread [Next in Thread]