Bug #11498
opentelnet client can infinitely recurse
Description
See here: https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/telnet_term_0day.py
for a Python3 one-connection listener that will cause our telnet client to crash spectacularly with a very big stack:
    nowhere(~)[1]% mdb core
    Loading modules: [ libc.so.1 ld.so.1 ]
    > ::stack !wc -l
    218055
    >
    nowhere(~)[0]%
This has a CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0053
A FreeBSD patch found here: https://security.FreeBSD.org/patches/SA-19:12/telnet.patch
shows mostly fixes that were apparently in place pre-OpenSolaris (sprintf to snprintf). It's possible some other code that's caught-up on FreeBSD isn't at all in ours.
Updated by Dan McDonald almost 3 years ago
- Category set to networking
I'd put a higher priority on this one, but many people don't use telnet even as a port-tester any more. It's worth recording at least.
Updated by Dan McDonald almost 3 years ago
Better link for FreeBSD fix: https://github.com/freebsd/freebsd/commit/084f697eff4428a0e87d5291d5b676f64776a117