[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : telnetd allows remote system resource consumption

Title: telnetd allows remote system resource consumption
Released by: FreeBSD
Date: 14th November 2000
Printable version: Click here


FreeBSD-SA-00:69                                           Security Advisory

                                                                FreeBSD, Inc.

Topic:          telnetd allows remote system resource consumption.

Category:       core

Module:         telnetd

Announced:      2000-11-14

Credits:        Jouko Pynnonen 

Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases prior

                to 4.2), FreeBSD 3.5.1-STABLE and 4.1.1-STABLE prior

                to the correction date.

Corrected:      2000-10-30 (FreeBSD 4.1.1-STABLE)

                2000-11-01 (FreeBSD 3.5.1-STABLE)

FreeBSD only:   NO

I.   Background

telnetd is the server for the telnet remote login protocol.

II.  Problem Description

The telnet protocol allows for UNIX environment variables to be passed

from the client to the user login session on the server.  However, some

of these environment variables have special meaning to the telnetd

child process itself and may be used to affect its operation.

Of particular relevance is the ability for remote users to cause an

arbitrary file on the system to be searched for termcap data by

passing the TERMCAP environment variable.  Although any file on the

local system can be read since the telnetd server runs as root, the

contents of the file will not be reported in any way to the remote

user unless it contains a valid termcap entry, in which case the

corresponding termcap sequences will be used to format the output sent

to the client.  It is believed there is no risk of data disclosure

through this vulnerability.

However, an attacker who forces the server to search through a large

file or to read from a device can cause resources to be spent by the

server, including CPU cycles and disk read bandwidth, which can

increase the server load and may prevent it from servicing legitimate

user requests.  Since the vulnerability occurs before the login(1)

utility is spawned, it does not require authentication to a valid

account on the server in order to exploit.

All released versions of FreeBSD prior to the correction date

including 4.0, 4.1, 4.1.1 and 3.5.1 are vulnerable to this problem,

but it was fixed in the 4.1.1-STABLE branch prior to the release of


III. Impact

Remote users without a valid login account on the server can cause

resources such as CPU and disk read bandwidth to be consumed, causing

increased server load and possibly denying service to legitimate


IV.  Workaround

1) Disable the telnet service, which is usually run out of inetd:

comment out the following lines in /etc/inetd.conf, if present.

telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd

telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd

2) Impose access restrictions using TCP wrappers (/etc/hosts.allow),

or a network-level packet filter such as ipfw(8) or ipf(8) on the

perimeter firewall or the local machine, to limit access to the telnet

service to trusted machines.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE or

3.5.1-STABLE after the respective correction dates.

2) Apply the patch below and recompile the relevant files:

Either save this advisory to a file, or download the patch and

detached PGP signature from the following locations, and verify the

signature using your PGP utility.



Execute the following commands as root:

# cd /usr/src/libexec/telnetd

# patch -p < /path/to/patch_or_advisory

# make depend && make all install

Patch for vulnerable systems:

    Index: sys_term.c


    RCS file: /mnt/ncvs/src/libexec/telnetd/sys_term.c,v

    retrieving revision 1.24

    retrieving revision 1.25

    diff -u -r1.24 -r1.25

    --- sys_term.c 1999/08/28 00:10:24 1.24

    +++ sys_term.c 2000/10/31 05:29:54 1.25

    @@ -1799,6 +1799,13 @@

         strncmp(*cpp, "_RLD_", 5) &&

         strncmp(*cpp, "LIBPATH=", 8) &&


    +     strncmp(*cpp, "LOCALDOMAIN=", 12) &&

    +     strncmp(*cpp, "RES_OPTIONS=", 12) &&

    +     strncmp(*cpp, "TERMINFO=", 9) &&

    +     strncmp(*cpp, "TERMINFO_DIRS=", 14) &&

    +     strncmp(*cpp, "TERMPATH=", 9) &&

    +     strncmp(*cpp, "TERMCAP=/", 9) &&

    +     strncmp(*cpp, "ENV=", 4) &&

         strncmp(*cpp, "IFS=", 4))

     *cpp2++ = *cpp;


    Index: telnetd.c


    RCS file: /mnt/ncvs/src/libexec/telnetd/telnetd.c,v

    retrieving revision 1.22

    retrieving revision 1.23

    diff -u -r1.22 -r1.23

    --- telnetd.c 2000/01/25 14:52:00 1.22

    +++ telnetd.c 2000/10/31 05:29:54 1.23

    @@ -811,7 +811,7 @@

     fatal(net, "Out of ptys");

     if ((pty = open(lp, 2)) >= 0) {

    - strcpy(line,lp);

    + strlcpy(line,lp,sizeof(line));

     line[5] = 't';



    @@ -1115,7 +1115,7 @@

     IM = Getstr("im", &cp);

     IF = Getstr("if", &cp);

     if (HN && *HN)

    - (void) strcpy(host_name, HN);

    + (void) strlcpy(host_name, HN, sizeof(host_name));

     if (IF && (if_fd = open(IF, O_RDONLY, 000)) != -1)

     IM = 0;

     if (IM == 0)

    Index: utility.c


    RCS file: /mnt/ncvs/src/libexec/telnetd/utility.c,v

    retrieving revision 1.13

    retrieving revision 1.14

    diff -u -r1.13 -r1.14

    --- utility.c 1999/08/28 00:10:25 1.13

    +++ utility.c 2000/10/31 05:29:54 1.14

    @@ -330,7 +330,7 @@


     char buf[BUFSIZ];

    - (void) sprintf(buf, "telnetd: %s.\r\n", msg);

    + (void) snprintf(buf, sizeof(buf), "telnetd: %s.\r\n", msg);

     (void) write(f, buf, (int)strlen(buf));

     sleep(1); /*XXX*/


    @@ -343,7 +343,7 @@


     char buf[BUFSIZ], *strerror();

    - (void) sprintf(buf, "%s: %s", msg, strerror(errno));

    + (void) snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno));

     fatal(f, buf);



Version: GnuPG v1.0.4 (FreeBSD)

Comment: For info see http://www.gnupg.org







(C) 1999-2000 All rights reserved.