HEADS UP: telnetd exploit in the wild, advisory coming soon
FreeBSD Security Officer
cperciva at freebsd.org
Sun Feb 15 06:56:02 PST 2009
Hi all,

A semi-remote root exploit for telnetd was posted to the full-disclosure list
yesterday:
http://lists.grok.org.uk/pipermail/full-disclosure/2009-February/067954.html

Because the FreeBSD security team didn't get any advance notice of this, we're
still investigating and don't have an official advisory or patches ready yet;
we're working on it.

Some basic information from our investigation so far, subject to change as we
investigate further:
* this affects telnetd in FreeBSD 7.0-RELEASE, 7.1-RELEASE, 7-STABLE, and
  8-CURRENT.
* telnetd is disabled by default; if it is enabled, this is normally done via
  inetd(8).
* DragonFlyBSD is vulnerable to this exploit, but for a completely different
  reason. Don't try to use their patch -- it won't work.
* in order to exploit this, an attacker needs to put a file somewhere on the
  vulnerable system with a known path. For an attacker who already has non-root
  access, this is obviously trivial; for an attacker without an account it may
  be possible to do this by sending an email to a user on the system, exploiting
  a CGI script, uploading a file via anonymous FTP, etc.

I strongly recommend disabling telnetd on all FreeBSD 7.x and 8.x systems.
Check that telnetd isn't running (`ps ax | grep telnetd | grep -v grep` should
return nothing) and that it isn't enabled in inetd.conf
(`grep telnetd /etc/inetd.conf | grep -v ^#` should return nothing). If you
absolutely must run telnetd, use a firewall to restrict access to people whom
you trust with root access.

--
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
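
The two checks recommended in the message above, combined into one audit script that returns a non-zero status for use in automation. This is an added example, not part of the original message or of FreeBSD; the function names and the sample inetd.conf contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a host for an enabled telnetd (names are hypothetical).

# Print "line: service/proto -> server" for each active inetd.conf entry that
# mentions telnetd. inetd.conf fields: service type proto wait user server args
inetd_telnetd_lines() {
    [ -r "$1" ] || return 0
    awk '/^#/      { next }
         /telnetd/ { print FNR ": " $1 "/" $3 " -> " $6 }' "$1"
}

# Number of active telnetd entries (tcp and tcp6 are counted separately).
inetd_telnetd_count() {
    inetd_telnetd_lines "$1" | wc -l | tr -d ' '
}

# Report findings; return 1 if telnetd is enabled or a session is running.
audit_telnetd() {
    conf=${1:-/etc/inetd.conf}
    status=0
    if [ "$(inetd_telnetd_count "$conf")" -gt 0 ]; then
        echo "telnetd ENABLED in $conf:"
        inetd_telnetd_lines "$conf"
        status=1
    fi
    # Under inetd, telnetd only exists as a process while a session is open,
    # so an empty process list alone does not show the service is off.
    if ps ax | grep '[t]elnetd' >/dev/null; then
        echo "telnetd process is running"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "telnetd not enabled in $conf and not running"
    return "$status"
}

# Constructed sample in inetd.conf format: one commented entry, one active.
sample_inetd_conf() {
    cat <<'EOF'
#ftp    stream tcp  nowait root /usr/libexec/ftpd    ftpd -l
#telnet stream tcp  nowait root /usr/libexec/telnetd telnetd
telnet  stream tcp6 nowait root /usr/libexec/telnetd telnetd
EOF
}

# Audit the file named on the command line, e.g.: sh audit.sh /etc/inetd.conf
[ $# -eq 0 ] || audit_telnetd "$1"
```

After commenting out an entry, inetd has to re-read its configuration before the change takes effect.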