Real-time AntiSpam protection, automated and self-managed content filtering

Pragma Patches Telnet DoS Vulnerability

Pragma Systems Inc., an Internet software products developer for the Windows platform, recently released a patch for their telnet server for Windows NT/2000. The fix eliminates a denial of service (DoS) vulnerability that could cause an application crash if one of two different scenarios is met. The bug, originally reported by the Underground Security Systems Research organization (USSRBack), involves a buffer overflow memory problem in the remote execution daemon (rexecd.exe) in the Pragma Telnet Server. By hitting the server with a carefully constructed Internet packet, a malicious user could crash the Pragma telnet server, requiring the server administrator to restart the telnet server application or, in some situations, to reboot the system.

Telnet and Remote Execution

Our testing revealed that the problem is a buffer overflow caused by a string manipulation with NULL characters. In other words, by introducing approximately 1000 null characters, the REXEC daemon crashes. Buffer overflows are typically caused by a user trying to cram more data into a program buffer than the developer originally anticipated. Doing this can have varying effects, but in most cases the buffer overflow causes the vulnerable program to crash. At best, this bug is an inconvenience for the already-harried network administrator who would be required to restart the service. At worst, a buffer overflow could make the server crash, causing a loss of data and service.

In order for the vulnerability in Pragma's Telnet Server to be exploited, a malicious user would establish a telnet session. After logging in, this user would then copy the offending code to the server. Once this happens, the next user to log in would kill the telnet server process.

Historical Perspective

The same problem was found in a previous incarnation of Pragma's telnet server, TelnetD, build 4. In July 2000, this problem was corrected with the release of build 8. Pragma assures us that it has taken steps to prevent this problem from reoccurring in future releases.

It is refreshing when a company proactively notifies BugNet of a problem and how they are handling the situation. On September 1, 2000, Pragma notified BugNet of this DoS problem, which was found earlier that week. Since then, Pragma has been working on a patch that was released just days ago. BugNet, with the help of KeyLabs, was able to validate the 6MB patch using sample exploiting code provided by USSRBack. The Telnet Server, build 2 upgrade is available to registered users. Contact Pragma if your system is affected.
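
The following C example is added here and is not Pragma's code or part of the original report. It shows a bounds-checked parser for a rexec-style request made of NUL-terminated fields, which rejects over-long fields and a run of NUL bytes instead of copying them blindly. The field layout and sizes follow the classic BSD rexecd(8) format and are an assumption, as are the names `rexec_req`, `take_field` and `parse_rexec`.

```c
#include <stdio.h>
#include <string.h>

/* Field sizes follow the classic BSD rexecd(8) request layout, assumed here;
 * the article does not describe Pragma's parser: port\0 user\0 pass\0 cmd\0 */
struct rexec_req { char port[6], user[17], pass[17], cmd[1024]; };

/* Copy one NUL-terminated field from in[*pos..len) into dst (capacity cap,
 * terminator included). Fails with -1 if the terminator is missing or the
 * field does not fit, so dst is never written past cap bytes. */
static int take_field(const unsigned char *in, size_t len, size_t *pos,
                      char *dst, size_t cap)
{
    const unsigned char *start = in + *pos;
    const unsigned char *nul = memchr(start, 0, len - *pos);
    if (nul == NULL) return -1;
    size_t n = (size_t)(nul - start);
    if (n >= cap) return -1;
    memcpy(dst, start, n + 1);
    *pos += n + 1;
    return 0;
}

/* Returns 0 for a well-formed request, -1 for anything else. */
int parse_rexec(const unsigned char *in, size_t len, struct rexec_req *r)
{
    size_t pos = 0;
    if (take_field(in, len, &pos, r->port, sizeof r->port) ||
        take_field(in, len, &pos, r->user, sizeof r->user) ||
        take_field(in, len, &pos, r->pass, sizeof r->pass) ||
        take_field(in, len, &pos, r->cmd, sizeof r->cmd))
        return -1;
    for (const char *p = r->port; *p; p++)       /* port is decimal digits */
        if (*p < '0' || *p > '9') return -1;
    /* Empty user or command, as in a run of NUL bytes, is rejected. */
    if (r->user[0] == '\0' || r->cmd[0] == '\0') return -1;
    return pos == len ? 0 : -1;                   /* no trailing bytes */
}

int main(void)
{
    /* Constructed samples: one valid request, one run of 1000 NUL bytes. */
    static const unsigned char ok[] = "0\0alice\0secret\0dir";
    static unsigned char nuls[1000];
    struct rexec_req r;
    printf("valid: %d\n", parse_rexec(ok, sizeof ok, &r));
    printf("1000 NULs: %d\n", parse_rexec(nuls, sizeof nuls, &r));
    return 0;
}
```
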

August 18th, 2009  
Tags: BugNet, Internet software, Pragma Patches, Pragma's Telnet Server, REXEC daemon crashes, Telnet and Remote Execution, Telnet DoS, TelnetD, USSRBack
