lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040920231149.GA1565@openwall.com>
Date: Tue, 21 Sep 2004 03:11:49 +0400
From: Solar Designer <solar@...nwall.com>
To: Michal Zalewski <lcamtuf@...ttot.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: Debian netkit telnetd vulnerability


On Sat, Sep 18, 2004 at 09:57:19PM +0200, Michal Zalewski wrote:
> Exposure:
> 
>   Remote root compromise through buffer handling flaws

FWIW, some (two?) distributions have privsep'ed telnetd by now, where
the immediate impact of this flaw (if it were present there) would be
code execution as pseudo-user "telnetd" chrooted to /var/empty. (*)
This was first implemented by Chris Evans in 2000 and patches posted
on the security-audit mailing list.  My re-implementation of it in
Openwall GNU/*/Linux differs slightly:

	http://www.openwall.com/presentations/Owl/mgp00017.html
	http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/telnet/

(*) Of course, while not as bad as immediate root, this level of
access would still be quite nasty: it means ability to mount further
attacks off the system and ability to attack the system's own kernel
via syscall interfaces (possibly ultimately gaining root access, if a
suitable kernel bug is present, known to the attacker, and is
successfully exploited).

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ