3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
263 lines
8.9 KiB
Text
263 lines
8.9 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-01:49 Security Advisory
|
|
FreeBSD, Inc.
|
|
|
|
Topic: telnetd contains remote buffer overflow
|
|
|
|
Category: core
|
|
Module: telnetd
|
|
Announced: 2001-07-23
|
|
Revised: 2001-07-27
|
|
Credits: Sebastian <scut@nb.in-berlin.de>
|
|
Affects: All releases of FreeBSD 3.x, 4.x prior to 4.4,
|
|
FreeBSD 4.3-STABLE prior to the correction date
|
|
Corrected: 2001-07-23
|
|
FreeBSD only: NO
|
|
|
|
0. Revision History
|
|
|
|
2001-07-23 v1.0 Initial release
|
|
2001-07-27 v1.1 Updated patch instructions, kerberosIV package
|
|
available, added reference to SSH in workarounds.
|
|
|
|
I. Background
|
|
|
|
telnetd is the server for the telnet remote virtual terminal protocol.
|
|
|
|
II. Problem Description
|
|
|
|
An overflowable buffer was found in the version of telnetd included
|
|
with FreeBSD. Due to incorrect bounds checking of data buffered for
|
|
output to the remote client, an attacker can cause the telnetd process
|
|
to overflow the buffer and crash, or execute arbitrary code as the
|
|
user running telnetd, usually root. A valid user account and password
|
|
is not required to exploit this vulnerability, only the ability to
|
|
connect to a telnetd server.
|
|
|
|
The telnetd service is enabled by default on all FreeBSD installations
|
|
if the 'high' security setting is not selected at install-time. This
|
|
vulnerability is known to be exploitable, and is being actively
|
|
exploited in the wild.
|
|
|
|
All released versions of FreeBSD prior to the correction date
|
|
including 3.5.1-RELEASE and 4.3-RELEASE are vulnerable to this
|
|
problem. It was corrected prior to the forthcoming release of
|
|
4.4-RELEASE.
|
|
|
|
III. Impact
|
|
|
|
Remote users can cause arbitrary code to be executed as the user
|
|
running telnetd, usually root.
|
|
|
|
IV. Workaround
|
|
|
|
1) Disable the telnet service, which is usually run out of inetd:
|
|
comment out the following lines in /etc/inetd.conf, if present.
|
|
|
|
telnet stream tcp nowait root /usr/libexec/telnetd telnetd
|
|
|
|
telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd
|
|
|
|
and execute the following command as root:
|
|
|
|
# kill -HUP `cat /var/run/inetd.pid`
|
|
|
|
An alternative remote login protocol such as the SSH secure shell
|
|
protocol (which is installed by default in FreeBSD), can be used
|
|
instead. The SSH protocol is the recommended protocol for remote
|
|
logins to FreeBSD systems because of the superior authentication,
|
|
confidentiality and integrity protection it supplies relative to other
|
|
protocols such as telnet.
|
|
|
|
2) Impose access restrictions using TCP wrappers (/etc/hosts.allow),
|
|
or a network-level packet filter such as ipfw(8) or ipf(8) on the
|
|
perimeter firewall or the local machine, to limit access to the telnet
|
|
service to trusted machines.
|
|
|
|
V. Solution
|
|
|
|
One of the following:
|
|
|
|
1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the
|
|
RELENG_4_3 security branch after the respective correction dates.
|
|
|
|
2) FreeBSD 3.5.1, 4.x systems prior to the correction date:
|
|
|
|
There are two versions of the patch available, for systems with and
|
|
without the /usr/src/crypto/telnet sources. To determine whether your
|
|
system has the crypto-telnet sources installed, perform the following
|
|
command:
|
|
|
|
# ls /usr/src/crypto/telnet/telnetd
|
|
|
|
A response of
|
|
|
|
ls: /usr/src/crypto/telnet/telnetd: No such file or directory
|
|
|
|
indicates you do not have the crypto sources present and should
|
|
download the non-crypto-telnet patch: see section 2b) below.
|
|
|
|
These patches have been verified to apply to FreeBSD 4.2-RELEASE,
|
|
4.3-RELEASE and 3.5.1-STABLE dated prior to 2001-07-20 (users of
|
|
3.5.1-RELEASE must have applied the patches from FreeBSD Security
|
|
Advisory 00:69 prior to applying this patch). These patches may or
|
|
may not apply to older, unsupported releases of FreeBSD.
|
|
|
|
2a) For systems with the crypto-telnet sources installed
|
|
|
|
Under FreeBSD 4.x, the crypto-telnet client can be built in two
|
|
versions: with or without support for the KerberosIV authentication
|
|
system. Under FreeBSD 3.x there is only one way to build the
|
|
crypto-telnet client: with KerberosIV support.
|
|
|
|
To determine whether your system has the kerberosIV distribution
|
|
installed, perform the following command:
|
|
|
|
# ls /usr/lib/libkrb.a
|
|
|
|
Possible responses:
|
|
|
|
/usr/lib/libkrb.a # This response indicates you have kerberosIV present
|
|
|
|
ls: /usr/lib/libkrb.a: No such file or directory
|
|
# This reponse indicates you do not have
|
|
# kerberosIV present
|
|
|
|
Download the patch and the detached PGP signature from the following
|
|
locations, and verify the signature using your PGP utility.
|
|
|
|
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd-crypto.patch
|
|
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd-crypto.patch.asc
|
|
|
|
2aa) For systems with the crypto-telnet sources installed but without
|
|
KerberosIV installed
|
|
|
|
[FreeBSD 4.x systems]
|
|
|
|
# cd /usr/src/
|
|
# patch -p < /path/to/patch
|
|
# cd /usr/src/secure/lib/libtelnet
|
|
# make depend && make all
|
|
# cd /usr/src/secure/libexec/telnetd
|
|
# make depend && make all install
|
|
|
|
[FreeBSD 3.x systems]
|
|
|
|
# cd /usr/src/
|
|
# patch -p < /path/to/patch
|
|
# cd /usr/src/lib/libtelnet
|
|
# make depend && make all
|
|
# cd /usr/src/libexec/telnetd
|
|
# make depend && make all install
|
|
|
|
2ab) For systems with the crypto-telnet sources installed and with
|
|
KerberosIV installed
|
|
|
|
# cd /usr/src/
|
|
# patch -p < /path/to/patch
|
|
# cd /usr/src/kerberosIV/lib/libtelnet
|
|
# make depend && make all
|
|
# cd /usr/src/kerberosIV/libexec/telnetd
|
|
# make depend && make all install
|
|
|
|
2b) For systems without the crypto-telnet sources installed
|
|
|
|
Download the patch and the detached PGP signature from the following
|
|
locations, and verify the signature using your PGP utility.
|
|
|
|
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd.patch
|
|
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd.patch.asc
|
|
|
|
# cd /usr/src/
|
|
# patch -p < /path/to/patch
|
|
# cd /usr/src/lib/libtelnet
|
|
# make depend && make all
|
|
# cd /usr/src/libexec/telnetd
|
|
# make depend && make all install
|
|
|
|
3) FreeBSD 4.3-RELEASE systems:
|
|
|
|
An experimental upgrade package is available for users who wish to
|
|
provide testing and feedback on the binary upgrade process. This
|
|
package may be installed on FreeBSD 4.3-RELEASE systems only, and is
|
|
intended for use on systems for which source patching is not practical
|
|
or convenient.
|
|
|
|
If you use the upgrade package, feedback (positive or negative) to
|
|
security-officer@FreeBSD.org is requested so we can improve the
|
|
process for future advisories.
|
|
|
|
During the installation procedure, backup copies are made of the files
|
|
which are replaced by the package. These backup copies will be
|
|
reinstalled if the package is removed, reverting the system to a
|
|
pre-patched state.
|
|
|
|
Three versions of the upgrade package are available, depending on
|
|
whether or not the system has the crypto or kerberosIV distributions
|
|
installed.
|
|
|
|
To determine whether your system has the crypto distribution
|
|
installed, perform the following command:
|
|
|
|
# ls /usr/bin/openssl
|
|
|
|
Possible responses:
|
|
|
|
/usr/bin/openssl # This response indicates you have crypto present
|
|
|
|
ls: /usr/bin/openssl: No such file or directory
|
|
# This reponse indicates you do not have
|
|
# crypto present
|
|
|
|
To determine whether your system has the kerberosIV distribution
|
|
installed, perform the following command:
|
|
|
|
# ls /usr/lib/libkrb.a
|
|
|
|
Possible responses:
|
|
|
|
/usr/lib/libkrb.a # This response indicates you have kerberosIV present
|
|
|
|
ls: /usr/lib/libkrb.a: No such file or directory
|
|
# This reponse indicates you do not have
|
|
# kerberosIV present
|
|
|
|
3a) If crypto is present
|
|
|
|
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:49/security-patch-telnetd-crypto-01.49.tgz
|
|
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:49/security-patch-telnetd-crypto-01.49.tgz.asc
|
|
|
|
Verify the detached PGP signature using your PGP utility.
|
|
|
|
# pkg_add security-patch-telnetd-crypto-01.49.tgz
|
|
|
|
3b) If kerberosIV is present
|
|
|
|
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:49/security-patch-telnetd-kerberosIV-01.49.tgz
|
|
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:49/security-patch-telnetd-kerberosIV-01.49.tgz.asc
|
|
|
|
Verify the detached PGP signature using your PGP utility.
|
|
|
|
# pkg_add security-patch-telnetd-kerberosIV-01.49.tgz
|
|
|
|
3c) If neither crypto nor kerberosIV are present
|
|
|
|
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:49/security-patch-telnetd-01.49.tgz
|
|
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:49/security-patch-telnetd-01.49.tgz.asc
|
|
|
|
Verify the detached PGP signature using your PGP utility.
|
|
|
|
# pkg_add security-patch-telnetd-01.49.tgz
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v1.0.6 (FreeBSD)
|
|
Comment: For info see http://www.gnupg.org
|
|
|
|
iQCVAwUBO2HHK1UuHi5z0oilAQH9dwP/eupJuy60kLzGcJx5JVfDHyv0IoNvnMX2
|
|
OsQw4+PwcvVv3r2nQn8FAiGa5WYlG+9Ft/s9XWuCUtWt35EiCmdo9I/72vuOasHN
|
|
goiu+i+ncJeAp2BrgXerilHqBQnVnMI+QQrmKBiyhUPA3xR+t6JxRfk2DaCYSuvx
|
|
tEQXDNB7wxU=
|
|
=3OFg
|
|
-----END PGP SIGNATURE-----
|