Hi!  I am helping maintain GNU InetUtils, which includes 'telnet', and
we found a problem that appears to exist in OpenBSD telnet too.
Instead of us fixing something and causing further code differences,
I'd like to collaborate so we understand the problem and the fix in the
same way between these different forks.  Could someone help me debug
this and confirm whether my proposed patch seems like a good solution?

Steps to reproduce:
1) Download
https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/telnet_term_0day.py
2) Change 23 to 2323 in the code, so no root is required
3) Run it like this:

gcc220$ python3 ./telnet_term_0day.py &
gcc220$ telnet localhost 2323
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
[-] connected, corrupting client heap
[-] done. merry haxmas.
Segmentation fault (core dumped) 
gcc220$ 

The original security problem that this exploit was written for was
probably (hopefully) fixed a long time ago, but the crash remains and
looks to me like a normal bug.

Looking at the code, my take is that the call in telnet.c to ExitString
in suboptions() is problematic, and differs from how all other similar
errors are resolved in that function.  My take on fixing this is the
patch below.  It will result in the client simply looping, printing this
error as long as the malicious server keeps sending the bogus data, but
^] is operational and the client appears not to corrupt memory or crash
any more.

What do you think?  It would be great if anyone with knowledge around
this code could take a look.

diff --git a/telnet/telnet.c b/telnet/telnet.c
index a1633bbe..5ef7371f 100644
--- a/telnet/telnet.c
+++ b/telnet/telnet.c
@@ -873,9 +873,7 @@ suboption (void)
              printsub ('>', &temp[2], len - 2);
            }
          else
-           {
-             ExitString ("No room in buffer for terminal type.\n", 1);
-           }
+           printf ("lm_will: not enough room in buffer\n");
        }
       break;
     case TELOPT_TSPEED:
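Review bot: the replacement message in the else branch is misleading: the removed ExitString text said "No room in buffer for terminal type", so this branch handles the terminal-type suboption, yet the new printf is prefixed "lm_will:", which names a different (LINEMODE) code path and will send anyone reading the log to the wrong place. Suggest keeping the original wording, e.g. `printf ("No room in buffer for terminal type.\n");`, and writing it to stderr (fprintf (stderr, ...)) so it is not mixed into the session data stream the user sees from the remote side; a short comment on why the fatal ExitString was replaced by a non-fatal message would also help the next reader, since the description only says the crash goes away.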
