iDEFENSE Security Advisory - SSLTelnet Remote Format String Vulnerability

vendor-disclosure vendor-disclosure at idefense.com
Wed Jun 30 16:06:18 PDT 2004


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE has identified a format string vulnerability in SSLTelnet. This
vulnerability was submitted to iDEFENSE through our Vulnerability
Contributor Program (http://www.idefense.com/poi/teams/vcp.jsp).
iDEFENSE Labs has validated this vulnerability and has drafted the
attached advisory. In accordance with our vendor disclosure policy
(http://www.idefense.com/legal_disclosure.jsp) we would request that you
acknowledge receipt of this initial notification within five business
days so that we may begin the process of coordinating an appropriate
public disclosure date for this issue that will provide your company
with adequate time to develop a patch or workaround to mitigate this
vulnerability. If you have questions regarding this issue or require
further details to assist with your own analysis, please do not hesitate
to contact us. 

Regards,
Michael Sutton

Michael Sutton, CA, CISA
Director, iDEFENSE Labs
iDEFENSE
1875 Campus Commons Drive, Suite 210
Reston, VA 20191
direct: 703.480.5628
voice: 703.390.1230
fax: 703.390.9456
msutton at idefense.com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQONHSm47Oh6MSHwZEQKc/wCfYuub2hbayeupHxbzWkzp5YAn3T8An1sn
Sf+6hosiyO4+Gm7aJlwgfdEh
=Fbtv
-----END PGP SIGNATURE-----
 
-------------- next part --------------
SSLTelnet Remote Format String Vulnerability

iDEFENSE Security Advisory 06.24.04
www.idefense.com/application/poi/display?<insert args here>
June 24, 2004

I. BACKGROUND

SSLtelnetd is a replacement for telnetd available as part of the FreeBSD 
ports collection at http://www.freebsd.org/ports/security.html. It 
implements the telnet protocol over SSL as the name suggests.

II. DESCRIPTION

SSLtelnet contains a format string vulnerability that could allow remote 
code execution.  

On line 530 of telnetd.c the syslog() function is used incorrectly: the
error message buffer is passed as the format argument rather than as a
parameter of a fixed format, resulting in a format string vulnerability.

SSL_set_verify(ssl_con, ssl_verify_flag, NULL);

if (SSL_accept(ssl_con) <= 0) {
    static char errbuf[1024];

    sprintf(errbuf, "SSL_accept error %s\n",
            ERR_error_string(ERR_get_error(), NULL));

    syslog(LOG_WARNING, errbuf);  // vulnerable call: errbuf is the format string

    BIO_printf(bio_err, errbuf);  // errbuf is the format argument here as well

    /* go to sleep to make sure we are noticed */
    sleep(10);
    SSL_free(ssl_con);

    _exit(1);
} else {
    ssl_active_flag = 1;
}
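The defect above, as an added illustration that is not code from SSLTelnet or from iDEFENSE: a small C program that counts the conversion directives a printf-family function (syslog, BIO_printf, sprintf) would try to interpret if a message were passed as the format argument, beside the hardened form that hands the same message to a fixed "%s" format so it is copied verbatim. All function names and the sample error text are constructed for this example; err_string stands in for whatever ERR_error_string() returns and log_message_safe() renders into a buffer instead of calling syslog() so the result can be checked.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Count the printf-style conversion directives in s: the number of
 * variadic arguments a printf-family function (syslog, BIO_printf,
 * sprintf, ...) would try to consume if s were passed as the format
 * argument. "%%" is a literal percent sign and is not counted. */
size_t format_directives_in(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%": escaped percent, skip both */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Build the message the same way telnetd.c does. err_string stands in
 * for the value returned by ERR_error_string(); it is the only
 * variable part of the text. */
int build_accept_error(char *out, size_t outlen, const char *err_string)
{
    return snprintf(out, outlen, "SSL_accept error %s\n", err_string);
}

/* Number of directives the assembled errbuf would carry into a call
 * such as syslog(LOG_WARNING, errbuf). Anything above zero means the
 * logger would read arguments the caller never supplied. */
size_t directives_in_accept_error(const char *err_string)
{
    char errbuf[1024];
    build_accept_error(errbuf, sizeof errbuf, err_string);
    return format_directives_in(errbuf);
}

/* Hardened counterpart of `syslog(LOG_WARNING, errbuf)`: the message
 * is always the argument of a fixed "%s" format, so its contents are
 * copied verbatim and never interpreted. Renders into out so the
 * result can be inspected; a real wrapper would call
 * syslog(prio, "%s", msg) in exactly the same way. */
int log_message_safe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/* Returns 1 if logging msg through the hardened path reproduces it
 * byte for byte, whatever '%' sequences it happens to contain. */
int safe_path_preserves(const char *msg)
{
    char out[1024];
    log_message_safe(out, sizeof out, msg);
    return strcmp(out, msg) == 0;
}

int main(void)
{
    /* Constructed sample: library error text that happens to contain '%'. */
    const char *sample_err = "constructed error text with %x %s %p";
    char errbuf[1024];

    build_accept_error(errbuf, sizeof errbuf, sample_err);
    printf("message: %s", errbuf);
    printf("directives a format-string call would interpret: %zu\n",
           format_directives_in(errbuf));
    printf("fixed \"%%s\" format preserves the message: %s\n",
           safe_path_preserves(errbuf) ? "yes" : "no");
    return 0;
}
```

The fix for the call on line 530 is the one log_message_safe() models: `syslog(LOG_WARNING, "%s", errbuf);` (and likewise `BIO_printf(bio_err, "%s", errbuf);`). Compiling with `-Wformat -Wformat-security` flags a non-literal format with no arguments, which is the cheapest way to catch this class of bug before it ships.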

III. ANALYSIS

This vulnerability could be remotely exploitable under certain 
conditions.  If exploitation is successful, gaining root access is 
possible as the process runs as root. 

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in the 
current SSLTelnet version, 0.13-1.

V. WORKAROUND

iDEFENSE is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

TBD

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

04/03/2003   Vulnerability acquired by iDEFENSE
06/29/2004   Initial vendor notification

IX. CREDIT

An anonymous source is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Copyright © 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
