Bug #11498

telnet client can infinitely recurse

Added by Dan McDonald 12 months ago. Updated 12 months ago.

Status: New
Priority: Normal
Assignee: -
Category: networking
% Done: 0%
Difficulty: Medium

Description

See here: https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/telnet_term_0day.py for a Python3 one-connection listener that will cause our telnet client to crash spectacularly with a very big stack:

nowhere(~)[1]% mdb core
Loading modules: [ libc.so.1 ld.so.1 ]
> ::stack !wc -l
  218055
> 
nowhere(~)[0]% 

This has a CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0053

A FreeBSD patch found here: https://security.FreeBSD.org/patches/SA-19:12/telnet.patch shows mostly fixes that were apparently in place pre-OpenSolaris (sprintf to snprintf). It's possible some other code that's caught up on FreeBSD isn't at all in ours.

History

#1

Updated by Dan McDonald 12 months ago

  • Category set to networking

I'd put a higher priority on this one, but many people don't use telnet even as a port-tester any more. It's worth recording at least.
