On Wed, Jul 20, 2005 at 03:32:51PM -0400, Bilal Nasrallah wrote:
I've run a scan on one of our devices and the report highlighted a
security hole in the telnet server (TCP port 23). It reported the
following:
"The Telnet server does not return an expected number of replies when it
receives a long sequence of 'Are You There' commands. This probably
means it overflows one of its internal buffers and crashes. It is likely
an attacker could abuse this bug to gain control over the remote host's
super user."
However, the box didn't crash! Is it still a high vulnerability?
As Josh alluded to, the flaw itself doesn't cause the host to crash,
only the telnetd daemon. And if you're invoking that via inetd or
xinetd, you won't necessarily notice a crash by trying to telnet to the
box yourself.
To investigate this, examine any system logs on the target around the
time you ran the scans. [You are using ntpd, right?] Are there any odd
entries involving something like telnetd/in.telnetd?
Also, you may want to uncomment the calls to display() in the plugin
(teso_telnet.nasl) and look in nessusd.dump after you run another scan.
[Btw, the lines should start with "display(", not "DEBUG display".]
Another possibility is to determine exactly which telnet daemon is
installed on the target and ask the vendor. The issue is an old one so I
would expect any vendor worth his/her salt to have identified the issue
if it does exist by now.
George
--
theall@tenablesecurity.com
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
