[Bug 270263] telnet buffer overflow if server sends long TELQUAL_NAME for sra
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 16 Mar 2023 10:35:24 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270263
Bug ID: 270263
Summary: telnet buffer overflow if server sends long
TELQUAL_NAME for sra
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Attachment #240895 text/plain
mime type:
Created attachment 240895
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=240895&action=edit
telnet server that overflows telnet's uprompt[] in sra_reply()
telnet's auth_name() allows the name in TELQUAL_NAME to be up to 255
bytes long:
auth_name(unsigned char *data, int cnt)
unsigned char savename[256];
if ((size_t)cnt > sizeof(savename) - 1) {
error...
auth_encrypt_user(savename)
auth_encrypt_user() copies the name to UserNameRequested.
But sra_reply() says:
char uprompt[256],tuser[256];
...;
sprintf(uprompt,"User (%s): ",UserNameRequested);
uprompt[] isn't guaranteed to be big enough, so sprintf can overflow uprompt[].
I've attached a demo telnet server. You may have to re-compile libtelnet
and telnet with -fsanitize=address to reliably see a problem:
# cc telnet17d.c
# ./a.out
listening...
And in another window:
# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
=================================================================
==34863==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffffffdfa0 at pc 0x0000010a77e3 bp 0x7fffffffcfe0 sp 0x7fffffffc7a8
WRITE of size 252 at 0x7fffffffdfa0 thread T0
#0 0x10a77e2 in memcpy
/usr/src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:899:5
#1 0x80173809d in __sfvwrite /usr/src/lib/libc/stdio/fvwrite.c:132:6
#2 0x801740c5b in __sprint /usr/src/lib/libc/stdio/vfprintf.c:166:8
#3 0x801740c5b in io_flush /usr/src/lib/libc/stdio/printfcommon.h:157:10
#4 0x801740c5b in __vfprintf /usr/src/lib/libc/stdio/vfprintf.c:1033:3
#5 0x80174910d in vsprintf_l /usr/src/lib/libc/stdio/vsprintf.c:62:8
#6 0x80174910d in vsprintf /usr/src/lib/libc/stdio/vsprintf.c:69:9
#7 0x10aeac2 in vsprintf
/usr/src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1765:1
#8 0x10af2c6 in sprintf
/usr/src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1808:1
#9 0x1150c70 in sra_reply /usr/src/contrib/telnet/libtelnet/sra.c:273:3
#10 0x113ed83 in suboption /usr/src/contrib/telnet/telnet/telnet.c:944:4
#11 0x113d521 in telrcv /usr/src/contrib/telnet/telnet/telnet.c:1874:7
#12 0x113fc5e in Scheduler /usr/src/contrib/telnet/telnet/telnet.c:2098:17
#13 0x113f2d9 in telnet /usr/src/contrib/telnet/telnet/telnet.c:2163:6
#14 0x112c65a in tn /usr/src/contrib/telnet/telnet/commands.c:2497:5
#15 0x113448a in main /usr/src/contrib/telnet/telnet/main.c:374:7
Address 0x7fffffffdfa0 is located in stack of thread T0 at offset 288 in frame
#0 0x11508ef in sra_reply /usr/src/contrib/telnet/libtelnet/sra.c:247
This frame has 3 object(s):
[32, 288) 'uprompt' (line 248)
[352, 608) 'tuser' (line 248) <== Memory access at offset 288 partially
underflows this variable
[672, 688) 'skey' (line 249)
--
You are receiving this mail because:
You are the assignee for the bug.