[Bug 270263] telnet buffer overflow if server sends long TELQUAL_NAME for sra

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 16 Mar 2023 10:35:24 UTC

            Bug ID: 270263
           Summary: telnet buffer overflow if server sends long
                    TELQUAL_NAME for sra
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #240895 text/plain
         mime type:

Created attachment 240895
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=240895&action=edit
telnet server that overflows telnet's uprompt[] in sra_reply()

telnet's auth_name() allows the name in TELQUAL_NAME to be up to 255
bytes long:

  auth_name(unsigned char *data, int cnt)
    unsigned char savename[256];
    if ((size_t)cnt > sizeof(savename) - 1) {

auth_encrypt_user() copies the name to UserNameRequested.

But sra_reply() says:

        char uprompt[256],tuser[256];
        sprintf(uprompt,"User (%s): ",UserNameRequested);

uprompt[] isn't guaranteed to be big enough, so sprintf can overflow uprompt[].

I've attached a demo telnet server. You may have to re-compile libtelnet
and telnet with -fsanitize=address to reliably see a problem:

# cc telnet17d.c
# ./a.out

And in another window:

# telnet localhost
Connected to localhost.
Escape character is '^]'.
==34863==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffffffdfa0 at pc 0x0000010a77e3 bp 0x7fffffffcfe0 sp 0x7fffffffc7a8
WRITE of size 252 at 0x7fffffffdfa0 thread T0
    #0 0x10a77e2 in memcpy
    #1 0x80173809d in __sfvwrite /usr/src/lib/libc/stdio/fvwrite.c:132:6
    #2 0x801740c5b in __sprint /usr/src/lib/libc/stdio/vfprintf.c:166:8
    #3 0x801740c5b in io_flush /usr/src/lib/libc/stdio/printfcommon.h:157:10
    #4 0x801740c5b in __vfprintf /usr/src/lib/libc/stdio/vfprintf.c:1033:3
    #5 0x80174910d in vsprintf_l /usr/src/lib/libc/stdio/vsprintf.c:62:8
    #6 0x80174910d in vsprintf /usr/src/lib/libc/stdio/vsprintf.c:69:9
    #7 0x10aeac2 in vsprintf
    #8 0x10af2c6 in sprintf
    #9 0x1150c70 in sra_reply /usr/src/contrib/telnet/libtelnet/sra.c:273:3
    #10 0x113ed83 in suboption /usr/src/contrib/telnet/telnet/telnet.c:944:4
    #11 0x113d521 in telrcv /usr/src/contrib/telnet/telnet/telnet.c:1874:7
    #12 0x113fc5e in Scheduler /usr/src/contrib/telnet/telnet/telnet.c:2098:17
    #13 0x113f2d9 in telnet /usr/src/contrib/telnet/telnet/telnet.c:2163:6
    #14 0x112c65a in tn /usr/src/contrib/telnet/telnet/commands.c:2497:5
    #15 0x113448a in main /usr/src/contrib/telnet/telnet/main.c:374:7

Address 0x7fffffffdfa0 is located in stack of thread T0 at offset 288 in frame
    #0 0x11508ef in sra_reply /usr/src/contrib/telnet/libtelnet/sra.c:247

  This frame has 3 object(s):
    [32, 288) 'uprompt' (line 248)
    [352, 608) 'tuser' (line 248) <== Memory access at offset 288 partially
underflows this variable
    [672, 688) 'skey' (line 249)

You are receiving this mail because:
You are the assignee for the bug.