Re: Debian netkit telnetd vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Debian netkit telnetd vulnerability
From: Matt Zimmerman <mdz@xxxxxxxxxx>
Date: Sun, 26 Sep 2004 15:41:53 -0700
In-reply-to: <20040920231149.GA1565@xxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mail-followup-to: bugtraq@xxxxxxxxxxxxxxxxx
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20040916145609.Q52561@xxxxxxxxxxxxxxxxxxxx> <20040920231149.GA1565@xxxxxxxxxxxx>
User-agent: Mutt/1.5.6+20040523i

On Tue, Sep 21, 2004 at 03:11:49AM +0400, Solar Designer wrote:

> On Sat, Sep 18, 2004 at 09:57:19PM +0200, Michal Zalewski wrote:
> > Exposure:
> > 
> >   Remote root compromise through buffer handling flaws
> 
> FWIW, some (two?) distributions have privsep'ed telnetd by now, where
> the immediate impact of this flaw (if it were present there) would be
> code execution as pseudo-user "telnetd" chrooted to /var/empty. (*)

Debian's telnetd runs as user telnetd, though it does not chroot to
/var/empty.

-- 
 - mdz

References:
- Debian netkit telnetd vulnerability
  - From: Michal Zalewski
- Re: Debian netkit telnetd vulnerability
  - From: Solar Designer

Prev by Date: Php RFC1867 Upload Vuln. POC Released
Next by Date: [ GLSA 200409-35 ] Subversion: Metadata information leak
Previous by thread: Re: Debian netkit telnetd vulnerability
Next by thread: glFTPd local stack buffer overflow
Index(es):
- Date
- Thread