Analysis of CVE-2011-4862: Telnetd Buffer Overflow
Just before the end of 2011, a new buffer overflow vulnerability was found in telnetd in FreeBSD 7.3 through 9.0, allowing remote attackers to execute arbitrary code. It was tracked as CVE-2011-4862 and exploited in the wild.
We all know that telnet sends data in plain text over the wire and can easily be eavesdropped. To address this concern, telnet encryption was introduced as a generic method of providing a data confidentiality service for the telnet data stream. This encryption option is documented in RFC 2946.
As per the RFC, the following encryption types are supported by telnetd:
- DES_CFB64
- DES_OFB64
- DES3_CFB64
- DES3_OFB64
- CAST5_40_CFB64
- CAST5_40_OFB64
- CAST128_CFB64
- CAST128_OFB64
The protocol supports various encryption commands as well; here we discuss the vulnerable one, ENC_KEYID (7).
This command is used to request that the remote side map the sent KEYID to a valid key, or to verify that the "keyid" received in a DEC_KEYID command is valid.
The buffer overflow occurs due to the lack of a boundary check on the KEYID length, whose maximum is defined as 64 in libtelnet/encrypt.c. The affected function is encrypt_keyid().
Adding a small check that rejects a KEYID whose length is greater than MAXKEYLEN resolves the issue.
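The bounds check described above, as an added example written for this post rather than taken from libtelnet: a parser for the RFC 2946 ENC_KEYID/DEC_KEYID suboption that refuses a keyid longer than MAXKEYLEN (the same 64-byte limit the text mentions). Function names are hypothetical and the test frames are constructed inline.

```c
/* Added example (hypothetical names, not the libtelnet source): bounded parsing
 * of the RFC 2946 ENC_KEYID / DEC_KEYID suboption with the MAXKEYLEN check. */
#include <stddef.h>
#include <string.h>

enum { IAC = 255, SB = 250, SE = 240, TELOPT_ENCRYPT = 38,
       ENC_KEYID = 7, DEC_KEYID = 8 };
#define MAXKEYLEN 64 /* same limit as libtelnet/encrypt.c */

/* Parse "IAC SB ENCRYPT {ENC,DEC}_KEYID <keyid> IAC SE". An escaped IAC
 * (IAC IAC) inside the keyid is one data byte. Copies the keyid to out[]
 * and returns its length, or -1 on bad framing or a keyid > MAXKEYLEN. */
int parse_keyid_suboption(const unsigned char *buf, size_t len,
                          unsigned char out[MAXKEYLEN])
{
    size_t i = 4, n = 0;
    if (len < 6 || buf[0] != IAC || buf[1] != SB || buf[2] != TELOPT_ENCRYPT ||
        (buf[3] != ENC_KEYID && buf[3] != DEC_KEYID))
        return -1;
    while (i < len) {
        unsigned char c = buf[i++];
        if (c == IAC) {
            if (i >= len)
                return -1;     /* truncated inside an IAC sequence */
            if (buf[i] == SE)
                return (int)n; /* IAC SE: clean end of the suboption */
            if (buf[i++] != IAC)
                return -1;     /* any other command inside SB is malformed */
        }
        if (n >= MAXKEYLEN)
            return -1;         /* the missing check: refuse, do not copy */
        out[n++] = c;
    }
    return -1;                 /* ran out of data before IAC SE */
}

/* Constructed frame: 'keylen' bytes of 'K' wrapped as an ENC_KEYID suboption.
 * Returns the parser's result for that frame (keyid length or -1). */
int check_constructed_keyid(size_t keylen)
{
    unsigned char frame[300], out[MAXKEYLEN];
    if (keylen + 6 > sizeof frame)
        return -1;
    frame[0] = IAC; frame[1] = SB; frame[2] = TELOPT_ENCRYPT; frame[3] = ENC_KEYID;
    memset(frame + 4, 'K', keylen);
    frame[4 + keylen] = IAC; frame[5 + keylen] = SE;
    return parse_keyid_suboption(frame, keylen + 6, out);
}
```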
Network detection of CVE-2011-4862
This vulnerability is fixed and patches have been released by various vendors. Until all patches are applied, the Snort rule below can help detect exploit attempts against this vulnerability.
alert tcp any any -> any 23 (msg:"Telnetd BO exploit attempt"; flow:to_server,established; content:"|FF FA 26 07|"; fast_pattern:only; byte_test:2,!=,0xFFFA,64,relative; sid:1000030; reference:cve,CVE-2011-4862; classtype:misc_attack; rev:1;)
Do let me know in case you find any false positives or a better way to write the above signature.
A word of advice: if you are still using Telnet, switch to SSH and stay safe!!
Further reading:
- http://www.exploit-db.com/exploits/18280/
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862
- http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2011-008.txt
- http://tools.ietf.org/html/rfc2946
