Adiel Sol <[email protected]> writes:

> Hi Guillem, Simon, Collin,
>
> Thank you for your reply and for clarifying how things work.
> I will write the security advisory in the next few days and send it to
> you. I will also start the CVE process on our side, and once we have a
> CVE assigned I will share the CVE number with you.
Wonderful! Thank you for carefully reviewing the code and looking at
InetUtils, and I hope you will continue to study the code.

/Simon

> Best regards,
> Adiel Sol
> DREAM Security Research Team
>
>
> ________________________________________
> From: Simon Josefsson
> Sent: Thursday, March 12, 2026 2:53 PM
> To: Adiel Sol
> Cc: Collin Funk; [email protected]
> Subject: Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd
> (LINEMODE SLC)
>
> Adiel Sol <[email protected]> writes:
>
>> Hi Collin,
>> Thank you for confirming the findings and for the pull request and the
>> credit in the NEWS file; we really appreciate it.
>> A couple of questions about disclosure:
>>
>> 1. Are you planning to request a CVE for this issue (e.g. through
>> the GNU project or another CNA), or would you prefer that we request
>> it from our side?
>
> GNU is not a CNA, so please assign a CVE if you can do this. We can
> include it in the NEWS entry.
>
>> 2. Do you have a rough timeline for when the fix will be released
>> (e.g. next release or patch branch), and when you expect to publish
>> the CVE or security advisory?
>
> Adiel or Collin, do you want to write a security advisory? Maybe use the
> following for inspiration:
>
> https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html
>
> I think we have worked up to a new release, so let's plan that for no
> later than April 1st.
>
>> 3. What is your preferred process from here until public disclosure
>> (e.g. embargo period, coordinated advisory, or anything we should
>> avoid doing until a certain date)?
>
> The bug-inetutils is a public list, so this is already public. I'm not
> aware of any need to do anything further except make the release, and if
> someone has time, also write an advisory about this.
>
> /Simon
>
>> We are happy to align with your process and timeline.
>> Best regards,
>> Adiel Sol
>> DREAM Security Research Team
>>
>>
>> ________________________________
>> From: Collin Funk <[email protected]>
>> Sent: Thursday, March 12, 2026 9:49 AM
>> To: Adiel Sol <[email protected]>
>> Cc: [email protected] <[email protected]>
>> Subject: Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd
>> (LINEMODE SLC)
>>
>> Adiel Sol <[email protected]> writes:
>>
>>> Proof of Concept
>>>
>>> 1. Start GNU Inetutils telnetd (e.g. with inetd or run telnetd
>>> manually) so it listens on port 23.
>>> 2. From another machine, connect to the telnet port and complete the
>>> initial handshake. When the server sends DO LINEMODE, reply with
>>> WILL LINEMODE so the server enters LINEMODE negotiation.
>>> 3. Send a single LINEMODE SLC suboption containing at least 40 to 50
>>> triplets, each with a function code greater than 18 (e.g. 19, 20, 21,
>>> ... 68). Each triplet is 3 bytes (func, flag, value). Use 0x00 for
>>> flag and value. The suboption must be properly framed with IAC SB
>>> LINEMODE LM_SLC at the start and IAC SE at the end.
>>> 4. The server will call add_slc() for each triplet. After about 35
>>> triplets it will write past the end of slcbuf. You should observe a
>>> crash, or (if you craft the overflow) memory corruption and possibly
>>> code execution.
>>
>> Thank you for the detailed analysis and reproduction steps. I confirm
>> your findings.
>>
>>> Credit Request
>>>
>>> We kindly request that the following researchers be credited for
>>> this discovery:
>>> Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel
>>> Lubel - DREAM Security Research Team
>>> Best regards,
>>> DREAM Security Research Team
>>
>> I submitted a pull request just now [1], and mentioned you all in the
>> NEWS file.
>>
>> Collin
>>
>> [1] https://codeberg.org/inetutils/inetutils/pulls/17/files
>>
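A bounds-checked handler for the SLC suboption the thread describes, as an added example that is neither inetutils' own code nor the fix in the pull request: the telnet constants come from RFC 854 and RFC 1184, while the reply-buffer capacity, the struct and the function names are assumptions. It keeps the function-code range check and the remaining-room check that the quoted add_slc() path lacks, so excess or out-of-range triplets are counted and dropped instead of written past the buffer.

```c
#include <stddef.h>
#include <stdint.h>

/* Telnet constants from RFC 854 and RFC 1184; NSLC is the highest SLC function code. */
enum { IAC = 255, SB = 250, SE = 240, TELOPT_LINEMODE = 34, LM_SLC = 3, NSLC = 18 };
/* Assumed reply-buffer capacity: a hypothetical value, not inetutils' real slcbuf size. */
#define SLC_MAX_TRIPLETS 16

struct slc_reply {
    uint8_t buf[SLC_MAX_TRIPLETS * 3];
    size_t len;
    unsigned rejected; /* triplets dropped: unknown function code or no room left */
};

/* Bounded add_slc()-style append: checks the function range and the remaining room first, so it never writes past buf. */
static int add_slc_bounded(struct slc_reply *r, uint8_t func, uint8_t flag, uint8_t val)
{
    if (func == 0 || func > NSLC || r->len + 3 > sizeof r->buf) { r->rejected++; return -1; }
    r->buf[r->len++] = func;
    r->buf[r->len++] = flag;
    r->buf[r->len++] = val;
    return 0;
}

/* Parses IAC SB LINEMODE LM_SLC <triplets> IAC SE (body assumed already IAC-unescaped); returns the accepted triplet count, or -1 on bad framing. */
int parse_slc_suboption(const uint8_t *msg, size_t n, struct slc_reply *r)
{
    *r = (struct slc_reply){0};
    if (n < 6 || msg[0] != IAC || msg[1] != SB || msg[2] != TELOPT_LINEMODE
        || msg[3] != LM_SLC || msg[n - 2] != IAC || msg[n - 1] != SE || (n - 6) % 3 != 0)
        return -1;
    int accepted = 0;
    for (size_t i = 4; i + 3 <= n - 2; i += 3)
        if (add_slc_bounded(r, msg[i], msg[i + 1], msg[i + 2]) == 0)
            accepted++;
    return accepted;
}

/* Constructed sample input (not captured traffic): `count` triplets with consecutive function codes from first_func, flag and value 0. */
int run_sample(unsigned count, uint8_t first_func, struct slc_reply *r)
{
    uint8_t msg[6 + 3 * 64];
    size_t n = 0;
    if (count > 64) return -1;
    msg[n++] = IAC; msg[n++] = SB; msg[n++] = TELOPT_LINEMODE; msg[n++] = LM_SLC;
    for (unsigned i = 0; i < count; i++) { msg[n++] = (uint8_t)(first_func + i); msg[n++] = 0; msg[n++] = 0; }
    msg[n++] = IAC; msg[n++] = SE;
    return parse_slc_suboption(msg, n, r);
}
```

With the assumed 16-triplet capacity, a suboption of 40 unknown function codes is fully rejected and writes nothing, and 20 triplets starting at code 1 fill exactly 48 bytes with 4 dropped.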
