Telnet and Remote Execution

Our testing revealed that the problem is a buffer overflow caused by a string manipulation with NULL characters. In other words, by introducing approximately 1000 null characters, the REXEC daemon crashes. Buffer overflows are typically caused a user trying to cram more data into a program buffer than the developer originally anticipated. Doing this can have varying effects. But in most cases the buffer overflow causes the vulnerable program to crash. At best, this bug is an inconvenience for the already-harried network administrator who would be required to restart the service. At worst, a buffer overflow could make the server crash, causing a loss of data and service.

In order for the vulnerability in Pragma’s Telnet Server to be exploited, a malicious user would establish a telnet session. After logging in, this user would then copy the offending code to the server. Once this happens, the next user to log in would kill the telnet server process.

Historical Perspective

The same problem was found in a previous incarnation of Pragma’s telnet server, TelnetD, build 4. In July 2000, this problem was corrected with the release of build 8. Pragma assures us that it has taken steps to prevent this problem from reoccurring in future releases.

It is refreshing when a company proactively notifies BugNet of a problem and how they are handling the situation. On September 1, 2000, Pragma notified BugNet of this DoS problem, which was found earlier that week. Since then, Pragma has been working on a patch that was release just days ago.

BugNet, with the help of KeyLabs, was able to validate the 6MB patch using sample exploiting code provided by USSRBack. The Telnet Server, build 2 upgrade is available to registered users. Contact Pragma if your system is affected.