HEADS UP: telnetd exploit in the wild, advisory coming soon

FreeBSD Security Officer cperciva at freebsd.org
Sun Feb 15 06:56:02 PST 2009

Hi all,

A semi-remote root exploit for telnetd was posted to the full-disclosure list

Because the FreeBSD security team didn't get any advance notice of this, we're
still investigating and don't have an official advisory or patches ready yet;
we're working on it.

Some basic information from our investigation so far, subject to change as we
investigate further:
* this affects telnetd in FreeBSD 7.0-RELEASE, 7.1-RELEASE, 7-STABLE, and 8-CURRENT.
* telnetd is disabled by default; if it is enabled, this is normally done via
* dragonflybsd is vulnerable to this exploit, but for a completely different
reason.  Don't try to use their patch -- it won't work.
* in order to exploit this, an attacker needs to put a file somewhere on the
vulnerable system with a known path.  For an attacker who already has non-root
access, this is obviously trivial; for an attacker without an account it may
be possible to do this by sending an email to a user on the system, exploiting
a CGI script, uploading a file via anonymous FTP, etc.

I strongly recommend disabling telnetd on all FreeBSD 7.x and 8.x systems.
Check that telnetd isn't running (`ps ax | grep telnetd | grep -v grep` should
return nothing) and that it isn't enabled in inetd.conf (`grep telnetd
/etc/inetd.conf | grep -v ^#` should return nothing).  If you absolutely must
run telnetd, use a firewall to restrict access to people whom you trust with
root access.

Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid

More information about the freebsd-security mailing list