Summary of responses on this thread:

From: Homer Wilson Smith <[EMAIL PROTECTED]>

  Inconsistent results on Linux 2.0.38 running older libc.

  Script started on Wed Jul 25 16:10:02 2001
  superoot emerald/root: ayt romance

  Telnetd AYT overflow scanner, by Security Point(R)
  Host: romance
  Connected to remote host...
  Sending telnet options... stand by...
  Telnetd on romance vulnerable

  superoot emerald/root: ayt romance

  Telnetd AYT overflow scanner, by Security Point(R)
  Host: romance
  Connected to remote host...
  Sending telnet options... stand by...
  Telnetd on romance not vulnerable


From: Rick Crelia <[EMAIL PROTECTED]>

  I can corroborate your findings. The SPtelnetAYT scanner is producing
  "hits" on Linux boxes (2.0.x, 2.2.x, variety of Netkits) whereas the
  scut scanner said they were not vulnerable. This was also the case for
  Solaris 7 and Solaris 8 boxes with the latest Sun patch clusters.

  As of today, it looks like OpenBSD 2.9 and the latest Netkit for Linux
  are known to be not vulnerable.


From: "Chirk C. Chu" <[EMAIL PROTECTED]>
                                                 
  Based on the results from the Telnet AYT scanner provided by
  [EMAIL PROTECTED], SRP telnetd is vulnerable. Versions tested:
  1.7.1, 1.7.2 and 1.7.3.

  Red Hat 7.1 - SRP 1.7.3

    $ ./ttest kingpinz
    Telnetd AYT overflow scanner, by Security Point(R)
    Host: kingpinz
    Connected to remote host...
    Sending telnet options... stand by...
    Telnetd on kingpinz vulnerable

  Solaris 8 - SRP 1.7.2

    $ ./ttest snoopy
    Telnetd AYT overflow scanner, by Security Point(R)
    Host: snoopy
    Connected to remote host...
    Sending telnet options... stand by...
    Telnetd on snoopy vulnerable

  Tru64 4.0G - SRP 1.7.1

    $ ./ttest chaos
    Telnetd AYT overflow scanner, by Security Point(R)
    Host: chaos
    Connected to remote host...
    Sending telnet options... stand by...
    Telnetd on chaos vulnerable


From: Serguei Patchkovskii <[EMAIL PROTECTED]>

  Unfortunately, this scanner generates false negatives. It reports
  Tru64 4.0d pl8 as not vulnerable. However, it causes telnetd on
  this system to dump core - which would presumably indicate that
  it -is- vulnerable.


From: GVB <[EMAIL PROTECTED]>

  Juniper Routers (running something based on one of the BSDs) are also
  vulnerable to this telnetd attack.


From: bow <[EMAIL PROTECTED]>

  I tested this on a FreeBSD 3.4-RELEASE box and it responded "not 
  vulnerable". However, the telnetd daemon did signal 11 and core. Hmmm.

  Also I tested it on SCO 3.2 and "SCO OpenServer(TM) Release 5". They both
  returned "vulnerable".


From: tasos <[EMAIL PROTECTED]>

  Slackware 8 according to the scanner is vulnerable but the exploit
  doesn't work. Slackware 8 uses linux netkit 0.17 which is not affected.
  Testing the scanner on a win2k w/ SP2 it crashed the telnetd. Couldn't
  run the exploit against the server.


From: "Leandro Quibem Magnabosco" <[EMAIL PROTECTED]>                  

  I've tested on Redhat 7.1 and it is vulnerable.

  Telnetd AYT overflow scanner, by Security Point(R)
  Host: 200.135.30.1
  Connected to remote host...
  Sending telnet options... stand by...
  Telnetd on 200.135.30.1 vulnerable

  Fortunately, I'm not using telnet on this server, so... I've disabled it.


From: "Willem" <[EMAIL PROTECTED]>

  I ran the scanner against a slack 7.1 and a 8.0 box to see what would
  happen and it said it was vulnerable. If it really is or not I dunno.


From: "Tom Stowell" <[EMAIL PROTECTED]>

  XCONSOLE (actually, TELNETD.NLM) for NetWare 5.1 SP2a appears to be 
  vulnerable, although I didn't observe any direct or indirect effects of 
  the overflow (i.e., the service continued responding to requests normally,
  and no error messages were printed to the server console or the logs).


From: Jonas Eriksson <[EMAIL PROTECTED]>

  I can confirm that the following Nokia IPSO releases are not vulnerable 
  to the telnetd bug:

  * IPSO-3.2.1-fcs1-11.24.1999-102644-849
  * IPSO-3.3-FCS3-09.14.2000-234849-567
  * IPSO-3.4-FCS4A-06.26.2001-235900-767


-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
