lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue Jun  7 23:10:58 2005
From: khermans at cisco.com (Kristian Hermansen)
Subject: Microsoft Windows and *nix Telnet Port Number
	Argument Obfuscation

I. BACKGROUND

Telnet is a standard networking tool available on almost every computing
platform that participates on a network.

II. DESCRIPTION

The second argument to the telnet executable, the port number, does not
need to conform to the standard available port conventions (ie.
0-65535).  It is actually possible to specify a port number very far out
of the effective range, and still be able to connect to the "wrapped"
port value.  On Windows, it is even possible to specify negative port
values.  Following is a short demonstration:

C:\>telnet localhost 65535999999999934485
220 localhost Microsoft FTP Service (Version 5.0).

C:\>telnet localhost -6553403371
220 localhost Microsoft FTP Service (Version 5.0).

You can create your own "wrapping" values by picking large numbers that
have a remainder of your specified port when modded with 65536.  For
instance, in the example above:

65535999999999934485 % 65536 = 21

III. ANALYSIS

This is not a vulnerability at all, but could prove quite useful when
trying to obfuscate an admin's log of executed shell commands.  For
instance, an unknowing admin looking at the arguments to telnet in this
example would be very confused.  Other than this, there is no security
risk and the result is just interesting.

IV. DETECTION

I have confirmed that this will work on Microsoft Windows 2000 Server
SP4, Microsoft Windows Advanced Server SP0, Red Hat Linux Enterprise
Server 3.0, SuSE Professional 9.0, and Sun Solaris 8.

V. CREDIT

Discovered by Kristian Hermansen.
-- 
Kristian Hermansen <khermans@...co.com>
Cisco Systems, Inc.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ