__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Center ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN IBM AIX telnetd Buffer Overflow August 10, 2001 22:00 GMT Number L-131 ______________________________________________________________________________ PROBLEM: A remote buffer overflow exists in the telnet daemon in use on many platforms. PLATFORM: IBM AIX 4.3.x and 5.1 DAMAGE: A remote attacker can cause the telnetd process to overflow the buffer and crash, or execute arbitrary code as the user running telnetd, usually root. SOLUTION: Check with your vendor for specific information on the operating systems in use at your site. For IBM AIX systems, follow the workaround or solutions as described below. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. A valid user account and password are not ASSESSMENT: required to exploit this vulnerability, only the ability to connect to a telnetd server. The exploit code has been published on the Internet. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/l-131.shtml ______________________________________________________________________________ [****** Start IBM Security Advisory ******] IBM SECURITY ADVISORY Fri Jul 27 13:17:01 CDT 2001 Revised: Thu Aug 09 11:31:34 CDT 2001 =========================================================================== VULNERABILITY SUMMARY VULNERABILITY: Buffer overflow vulnerability in telnet daemon PLATFORMS: IBM AIX 4.3.x and 5.1 SOLUTION: Apply the emergency-fixes described below, or employ the workaround, also described below. THREAT: Malicious user could obtain root privileges or could force a system crash. CERT Advisory: CA-2001-21 =========================================================================== DETAILED INFORMATION I. Description AIX ships with a version of the "telnet" daemon, derived from the original BSD version. This daemon is shipped SUID, or "set user ID", and is executable by an ordinary user. In the AIX version of "telnetd", as well as most other versions of "telnetd" derived from the BSD telnet daemon, there exists a buffer overflow vulnerability in telrcv(), the function that processes various options under telnet. There is an output buffer in the function that holds the information gathered during the parsing of the option request and the daemon's internal state. This buffer is not bounds checked, allowing for the possibility of forcing an overflow condition in the stack when the buffer returns its data to the telnet client. II. Impact A malicious local or remote user can use a well-crafted exploit code to gain root privileges on the attacked system, compromising the integrity of the system and its attached local network. IBM believes this is a difficult vulnerability to exploit with the goal of obtaining enhanced system privileges, but it is not very difficult to force a core dump, and possibly a system crash. Exploits already exist in the wild, and are being maliciously used. An exploit obtained by the AIX Security Team has been shown to produce a core dump, though AIX remained stable. Other exploits, though, may cause more serious harm. Customers are urged to take measures to close this vulnerability. III. Solutions A. WORKAROUND There is no practical workaround. To protect against an exploit before the efix or APAR is applied, the telnet daemon can be disabled to prevent the use of telnet. Customers may wish to consider replacing telnet with a version of Secure Shell (SSH), available from a variety of providers, as a security enhancement over telnet. B. Official fix IBM is working on the following fixes which will be available soon: APAR number for AIX 4.3.3: IY22029 APAR number for AIX 5.1: IY22021 NOTE: Fix will not be provided for versions prior to 4.3 as these are no longer supported by IBM. Affected customers are urged to upgrade to 4.3.3 at the latest maintenance level, or to 5.1. C. How to minimize the vulnerability Temporary fixes for AIX 4.3.x and 5.1 systems are available. The temporary fixes can be downloaded via ftp from: ftp://aix.software.ibm.com/aix/efixes/security/telnetd_efix.tar.Z The efix compressed tarball consists of two fixes: one for AIX 4.3.3 and one for AIX 5.1. It also includes this Advisory. The two fix files are "telnetd.433" for 4.3.3 and "telnetd.510" for 5.1. These temporary fixes have not been fully regression tested; thus, IBM does not warrant the fully correct functioning of the efix. Customers install the efix and operate the modified version of AIX at their own risk. To proceed with efix installation: First, verify the MD5 cryptographic hash sums of each efix file you obtain from unpacking the tarball with those given below. These should match exactly; if they do not, contact the AIX Security Team at security-alert@austin.ibm.com and describe the discrepancy. Filename sum md5 ================================================================= telnetd.433 47297 408 c7b16982f7f2011560c1b726eeae5c64 telnetd.510 33124 383 7fa323119fa312c2c62dc7cd539d58ec Efix Installation Instructions: ------------------------------- IMPORTANT NOTICE: If you are running AIX 4.3.3 you must install the version of libc (in package bos.rte.libc) that is at the level of 4.3.3.50, or higher, before proceeding with the efix installation for AIX 4.3.3. 1. Become root, if not already done. 2. Change to the /usr/sbin directory. Make a backup copy of the existing telnet binary, giving it a distinctive, meaningful name, such as "telnetd.original" or "telnetd.backup". This is IMPORTANT to do, so you can recover the orginal telnetd binary if something goes wrong during the installation of the efix! Do the above by executing "mv telnetd telnetd.original". 3. In the tmp ("/tmp") directory, download, uncompress, and untar the efix. a. uncompress telnetd_efix.tar b. tar -xvf telnetd_efix.tar 4. You will have two files: "telnetd.433" and "telnetd.510". Keep the tarfile appropriate for your version of AIX (i.e., "433" for 4.3.3; "510" for 5.1); You may remove the unneeded version. 5. Now change back to the directory /usr/sbin. Doublecheck that you have made a backup of your original telnetd. 6. Execute "cp /tmp/telnet.xyz telnetd", where "xyz" is either "433" or "510", as appropriate. 7. Execute "chmod 4554 telnetd". 8. Execute "chown root:system telnetd". 9. Execute "sync; sync; sync;" 10. Execute "refresh -s inetd". IV. Obtaining Fixes IBM AIX APARs may be ordered using Electronic Fix Distribution (via the FixDist program), or from the IBM Support Center. For more information on FixDist, and to obtain fixes via the Internet, please reference http://techsupport.services.ibm.com/rs6k/fixes.html or send email to "aixserv@austin.ibm.com" with the word "FixDist" in the "Subject:" line. To facilitate ease of ordering all security related APARs for each AIX release, security fixes are periodically bundled into a cumulative APAR. For more information on these cumulative APARs including last update and list of individual fixes, send email to "aixserv@austin.ibm.com" with the word "subscribe Security_APARs" in the "Subject:" line. V. Acknowledgements Many thanks to the TESO group in Germany and to "Sebastian", a poster to the BUGTRAQ mailing list, for finding & bringing this vulnerability to our attention. VI. Contact Information Comments regarding the content of this announcement can be directed to: security-alert@austin.ibm.com To request the PGP public key that can be used to encrypt new AIX security vulnerabilities, send email to security-alert@austin.ibm.com with a subject of "get key". If you would like to subscribe to the AIX security newsletter, send a note to aixserv@austin.ibm.com with a subject of "subscribe Security". To cancel your subscription, use a subject of "unsubscribe Security". To see a list of other available subscriptions, use a subject of "help". IBM and AIX are a registered trademark of International Business Machines Corporation. All other trademarks are property of their respective holders. [****** End IBM Security Advisory ******] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of IBM Corporation for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Center, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) L-121: SSH Secure Shell Remote Root Exploit Vulnerability L-122: FreeBSD tcpdump Remote Buffer OVerflow Vulnerability L-123: AIX libi18n Library Vulnerability L-124: Remote Buffer Overflow in telnetd L-125: SGI netprint Dynamic Shared Objects (DSO) Exploit L-126: Microsoft Remote Procedure Call (RPC) Server Vulnerability L-127: Sun BIND Vulnerabilities L-128: MIT Kerberos 5 telnetd Buffer Overflows L-129: Sun in.ftpd Filename Expansion Vulnerability L-130: Multiple DoS Vulnerabilities in Cisco Broadband Operating System (CBOS)