CVE-2022-39028: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (de

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

From:

Erik Auerswald

Subject:

[BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer —> SEGV)

Date:

Sat, 27 Aug 2022 19:37:15 +0200

User-agent:

Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0

Hi all,

someone has described a remote DoS vulnerability in many telnetd implementations that I just happened to stumble over:

https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html

The vulnerability is a NULL pointer dereference when reading either of two two byte sequences:

1: 0xff 0xf7
2: 0xff 0xf8

The blog shows GNU Inetutils’ telnetd as vulnerable:

https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html#remote-dos-inetutils

The blog post analyzes the issue as using a table before this table has been initialized:

https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html#remote-dos-root-cause-analysis

They show a patch against the FreeBSD 13.1 version of telnetd to fix the two code paths, i.e., check for NULL and don’t dereference a NULL pointer. Since that might omit setting a variable before its use, they add an initialization for said variable.

The FreeBSD patch works on different lines than need to be changed in GNU Inetutils’ telnetd, so it cannot apply as is.

In GNU Inetutils, the code lines to dereference table entries without first checking for NULL are in lines 321 and 323 of file "telnetd/state.c". The variable “ch” declared in line 315 of this file needs to be initialized to "(cc_t) (_POSIX_VDISABLE)", because it may not be assigned any value if the table is not yet initialized.

References:

line 315: https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n315 line 321: https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n321 line 323: https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n323

I have attached a completely untested, not even compile tested, patch to do this (just the code changes, no NEWS or commit log or anything). Please test before committing.

They write that they do not intend to contact the maintainers:

https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html#full-disclosure

Thus this email.

Thanks, Erik

inetutils-telnetd-EC_EL_null_deref.patch
Description: Text Data

• [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer —> SEGV), Erik Auerswald <=

  • Re: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer —> SEGV), Erik Auerswald, 2022/08/28

• Prev by Date: Re: [PATCH 3/3] telnet: Avoid command evaluation crashes.

• Next by Date: Re: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer —> SEGV)

• Previous by thread: Re: [PATCH 3/3] telnet: Avoid command evaluation crashes.

• Next by thread: Re: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer —> SEGV)

• Index(es):

  • Date
  • Thread