Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Debian netkit telnetd vulnerability

from [Solar Designer] Network Security [Permanent Link]
Subject: Re: Debian netkit telnetd vulnerability
Date: Tue, 21 Sep 2004 03:11:49 +0400 
On Sat, Sep 18, 2004 at 09:57:19PM +0200, Michal Zalewski wrote:

Exposure:

  Remote root compromise through buffer handling flaws


FWIW, some (two?) distributions have privsep'ed telnetd by now, where
the immediate impact of this flaw (if it were present there) would be
code execution as pseudo-user "telnetd" chrooted to /var/empty. (*)
This was first implemented by Chris Evans in 2000 and patches posted
on the security-audit mailing list.  My re-implementation of it in
Openwall GNU/*/Linux differs slightly:

        http://www.openwall.com/presentations/Owl/mgp00017.html
        http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/telnet/

(*) Of course, while not as bad as immediate root, this level of
access would still be quite nasty: it means ability to mount further
attacks off the system and ability to attack the system's own kernel
via syscall interfaces (possibly ultimately gaining root access, if a
suitable kernel bug is present, known to the attacker, and is
successfully exploited).

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Multiple Vulnerabilities In EmuLive Server4, GulfTech Security
Next by Date:  And More Advanced SQL Injection..., Stefano Di Paola
Previous by Thread:  [Full-Disclosure] Debian netkit telnetd vulnerability, Michal Zalewski
Next by Thread:  Re: Debian netkit telnetd vulnerability, Matt Zimmerman
Indexes:  [Date] [Thread] [Top] [All Lists]