Bug #11498: telnet client can infinitely recurse - illumos gate - illumos

Bug #11498

telnet client can infinitely recurse

Added by Dan McDonald over 1 year ago. Updated over 1 year ago.

Status:

New

Priority:

Normal

Assignee:

Category:

networking

Start date:

Due date:

% Done:

Estimated time:

Difficulty:

Medium

Tags:

Gerrit CR:

Description

See here: https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/telnet_term_0day.py

for a Python3 one-connection listener that will cause our telnet client to crash spectacularly with a very big stack:

nowhere(~)[1]% mdb core
Loading modules: [ libc.so.1 ld.so.1 ]
> ::stack !wc -l
  218055
> 
nowhere(~)[0]%

This has a CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0053

A FreeBSD patch found here: https://security.FreeBSD.org/patches/SA-19:12/telnet.patch

shows mostly fixes that were apparently in place pre-OpenSolaris (sprintf to snprintf). It's possible some other code that's caught-up on FreeBSD isn't at all in ours.

Updated by Dan McDonald over 1 year ago

Category set to networking

I'd put a higher priority on this one, but many people don't use telnet even as a port-tester any more. It's worth recording at least.

Updated by Dan McDonald over 1 year ago

Better link for FreeBSD fix: https://github.com/freebsd/freebsd/commit/084f697eff4428a0e87d5291d5b676f64776a117

Also available in: Atom PDF

Project

General

Profile

illumos gate

Custom queries

Bug #11498

telnet client can infinitely recurse

Updated by Dan McDonald over 1 year ago

Updated by Dan McDonald over 1 year ago