CVE-2022-39028: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer —> SEGV)
telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a “telnet/tcp server failing (looping), service terminated” error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.
From: Erik Auerswald
Subject: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer —> SEGV)
Date: Sat, 27 Aug 2022 19:37:15 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Hi all,
someone has described a remote DoS vulnerability in many telnetd implementations that I just happened to stumble over:
https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
The vulnerability is a NULL pointer dereference when reading either of two two-byte sequences:
1: 0xff 0xf7
2: 0xff 0xf8
The blog shows GNU Inetutils’ telnetd as vulnerable:
https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html#remote-dos-inetutils
The blog post analyzes the issue as using a table before this table has been initialized:
https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html#remote-dos-root-cause-analysis
They show a patch against the FreeBSD 13.1 version of telnetd to fix the two code paths, i.e., check for NULL and don’t dereference a NULL pointer. Since that might omit setting a variable before its use, they add an initialization for said variable.
The FreeBSD patch works on different lines than need to be changed in GNU Inetutils’ telnetd, so it cannot apply as is.
In GNU Inetutils, the code lines to dereference table entries without first checking for NULL are in lines 321 and 323 of file "telnetd/state.c". The variable “ch” declared in line 315 of this file needs to be initialized to "(cc_t) (_POSIX_VDISABLE)", because it may not be assigned any value if the table is not yet initialized.
References:
line 315: https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n315
line 321: https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n321
line 323: https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n323
I have attached a completely untested, not even compile tested, patch to do this (just the code changes, no NEWS or commit log or anything). Please test before committing.
They write that they do not intend to contact the maintainers:
https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html#full-disclosure
Thus this email.
Thanks, Erik
Attachment: inetutils-telnetd-EC_EL_null_deref.patch (Description: Text Data)
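As an added example written for this page (not GNU Inetutils code and not the attached patch), here is a constructed C model of the EC/EL code path the mail describes, with the two fixes applied: the table entry is checked for NULL before it is dereferenced, and `ch` starts as `(cc_t) _POSIX_VDISABLE` so it always has a value. The names `slctab`, `slc_entry`, `ec_el_checked` and `process_input`, the sample erase/kill characters and the simplified table layout are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <termios.h>   /* cc_t, _POSIX_VDISABLE (glibc) */
#include <unistd.h>    /* _POSIX_VDISABLE on musl */
#define IAC 0xff
#define EC  0xf7       /* IAC EC: erase character (0xff 0xf7) */
#define EL  0xf8       /* IAC EL: erase line      (0xff 0xf8) */
enum { SLC_EC, SLC_EL, SLC_COUNT };

/* Constructed model of the special-character table: each entry points at the
 * terminal's erase/kill character and stays NULL until the table is loaded. */
struct slc_entry { cc_t *sptr; };
static struct slc_entry slctab[SLC_COUNT];
static cc_t term_erase = 0x7f, term_kill = 0x15;   /* sample termios values */
static void slc_load(void)  { slctab[SLC_EC].sptr = &term_erase; slctab[SLC_EL].sptr = &term_kill; }
static void slc_clear(void) { slctab[SLC_EC].sptr = NULL;        slctab[SLC_EL].sptr = NULL; }

/* The shape the mail describes dereferenced *slctab[...].sptr unconditionally
 * into an uninitialized ch. Hardened: ch starts as _POSIX_VDISABLE and the
 * entry is NULL-checked, so an early EC/EL is a no-op instead of a SEGV. */
static cc_t ec_el_checked(unsigned char cmd)
{
    cc_t ch = (cc_t) _POSIX_VDISABLE;
    struct slc_entry *e = (cmd == EC) ? &slctab[SLC_EC] : &slctab[SLC_EL];
    if (e->sptr != NULL)
        ch = *e->sptr;
    return ch;
}

/* Walk raw input and run each IAC EC / IAC EL through the hardened handler.
 * Returns the number of commands handled; *last gets the last resolved char. */
static int process_input(const unsigned char *buf, size_t len, cc_t *last)
{
    int n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] != IAC) continue;
        unsigned char cmd = buf[++i];   /* IAC IAC (escaped 0xff) and others fall through */
        if (cmd == EC || cmd == EL) { *last = ec_el_checked(cmd); n++; }
    }
    return n;
}

int main(void)
{
    const unsigned char probe[] = { 0xff, 0xf7, 0xff, 0xf8 };   /* constructed input */
    cc_t last = 0;
    slc_clear();   /* table not yet loaded: the state in which telnetd crashed */
    printf("before load: %d handled, ch=0x%02x\n", process_input(probe, sizeof probe, &last), last);
    slc_load();
    printf("after load:  %d handled, ch=0x%02x\n", process_input(probe, sizeof probe, &last), last);
}
```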
Thread:
- [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer —> SEGV), Erik Auerswald (this message)
- Re: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer —> SEGV), Erik Auerswald, 2022/08/28
Related news
Ubuntu Security Notice 6304-1 - It was discovered that telnetd in GNU Inetutils incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that Inetutils incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information, or execute arbitrary code.