Adiel Sol <[email protected]> writes:

> Proof of Concept
>
> 1. Start GNU Inetutils telnetd (e.g. with inetd or run telnetd manually) so
> it listens on port 23.
> 2. From another machine, connect to the telnet port and complete the initial
> handshake. When the server sends DO LINEMODE, reply with WILL LINEMODE so the
> server enters LINEMODE negotiation.
> 3. Send a single LINEMODE SLC suboption containing at least 40 to 50
> triplets, each with a function code greater than 18 (e.g. 19, 20, 21,
> ... 68). Each triplet is 3 bytes (func, flag, value). Use 0x00 for
> flag and value. The suboption must be properly framed with IAC SB
> LINEMODE LM_SLC at the start and IAC SE at the end.
> 4. The server will call add_slc() for each triplet. After about 35 triplets
> it will write past the end of slcbuf. You should observe a crash, or (if you
> craft the overflow) memory corruption and possibly code execution.

Thank you for the detailed analysis and reproduction steps. I confirm your findings.

> Credit Request
>
> We kindly request that the following researchers be credited for this
> discovery:
> Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel -
> DREAM Security Research Team
>
> Best regards,
> DREAM Security Research Team

I submitted a pull request just now [1], and mentioned you all in the NEWS file.

Collin

[1] https://codeberg.org/inetutils/inetutils/pulls/17/files
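For defenders who want to spot the oversized LINEMODE SLC suboption described in the report in captured telnet traffic, here is an added detection example (not inetutils code and not from the reporters): it walks a byte stream, unescapes IAC SB ... IAC SE suboptions, and flags SLC suboptions whose triplet count exceeds a threshold. The telnet constants are the standard RFC values; the threshold of 35 is taken from the report's "after about 35 triplets" observation and the sample streams are constructed here.

```python
# Telnet protocol constants (RFC 854 / RFC 1184).
IAC, SB, SE = 255, 250, 240
TELOPT_LINEMODE, LM_SLC = 34, 3
# Assumption: threshold chosen from the report; tune to the server's slcbuf size.
MAX_SAFE_TRIPLETS = 35


def extract_suboptions(stream: bytes):
    """Yield (option, payload) for every IAC SB <opt> ... IAC SE in the stream.
    A doubled IAC inside the payload is an escaped 0xFF data byte."""
    i = 0
    while i < len(stream):
        if stream[i] == IAC and i + 1 < len(stream) and stream[i + 1] == SB:
            option = stream[i + 2] if i + 2 < len(stream) else None
            j, payload = i + 3, bytearray()
            while j < len(stream):
                if stream[j] == IAC:
                    if j + 1 < len(stream) and stream[j + 1] == SE:
                        j += 2
                        break  # properly terminated suboption
                    if j + 1 < len(stream) and stream[j + 1] == IAC:
                        payload.append(IAC)
                        j += 2
                        continue
                    break  # stray IAC: treat the suboption as truncated
                payload.append(stream[j])
                j += 1
            if option is not None:
                yield option, bytes(payload)
            i = j
        else:
            i += 1


def check_slc(stream: bytes, limit: int = MAX_SAFE_TRIPLETS):
    """Return one finding per LINEMODE SLC suboption found in the stream."""
    findings = []
    for option, payload in extract_suboptions(stream):
        if option != TELOPT_LINEMODE or not payload or payload[0] != LM_SLC:
            continue
        body = payload[1:]                    # sequence of (func, flag, value)
        triplets, malformed = len(body) // 3, len(body) % 3 != 0
        high = sum(1 for k in range(triplets) if body[3 * k] > 18)
        findings.append({"triplets": triplets, "malformed": malformed,
                         "funcs_above_18": high,
                         "suspicious": triplets > limit or malformed})
    return findings


# Constructed samples: a normal SLC with three triplets (one escaped 0xFF value),
# an oversized one with 40 triplets as the report describes, and a truncated one.
SLC_HEADER = bytes([IAC, SB, TELOPT_LINEMODE, LM_SLC])
BENIGN_SAMPLE = SLC_HEADER + bytes([1, 0, 0, 2, 0, 0, 3, 0, IAC, IAC]) + bytes([IAC, SE])
OVERSIZED_SAMPLE = SLC_HEADER + b"".join(bytes([f, 0, 0]) for f in range(19, 59)) + bytes([IAC, SE])
MALFORMED_SAMPLE = SLC_HEADER + bytes([19, 0]) + bytes([IAC, SE])
```

Feeding the server side of a telnet session into `check_slc` yields findings that a monitoring rule can alert on; a real deployment would also reassemble the TCP stream before parsing.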
