TelnetD Subject to Buffer Overflow and DoS
Reported February 21, 2000 by USSRLabs
InterAccess TelnetD Server, BUILD RELEASE 4
The code that handles the login commands for a telnet session has an unchecked buffer that
will allow arbitrary code to execute on the server if the buffer is overflowed.
$ telnet example-victim-site.com
Connected to example-victim-site.com.
Escape character is "^]".
InterAccess TelnetD Server (30 Day Trial Version) Release 4.0
Copyright (C) 1994-1999 by Pragma Systems, Inc.
All rights reserved.
This copy will expire on Tue Mar 21 21:55:14 2000
login name: (buffer)
Where [buffer] is approximately 300 characters.
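A bounded login-name reader for the kind of unchecked login buffer described above, as an added example that is not Pragma Systems' code or part of the original advisory. LOGIN_MAX, the status names and check_login are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit for this example: the advisory gives no real buffer size,
   only that a login name of roughly 300 characters overflows it. */
#define LOGIN_MAX 64

enum login_status { LOGIN_OK, LOGIN_INCOMPLETE, LOGIN_EMPTY,
                    LOGIN_TOO_LONG, LOGIN_BAD_CHAR };

/* Copy one login name from raw received bytes into out (out_cap bytes).
   Stops at CR or LF; out is an empty string unless LOGIN_OK is returned. */
enum login_status read_login_name(const unsigned char *in, size_t in_len,
                                  char *out, size_t out_cap)
{
    size_t n = 0;
    if (out_cap == 0) return LOGIN_TOO_LONG;
    out[0] = '\0';
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = in[i];
        if (c == '\r' || c == '\n') {
            out[n] = '\0';
            return n ? LOGIN_OK : LOGIN_EMPTY;
        }
        /* Printable ASCII only; this also rejects telnet IAC (0xFF). */
        if (c < 0x20 || c > 0x7e) { out[0] = '\0'; return LOGIN_BAD_CHAR; }
        /* Keep one byte free for the terminator before every write. */
        if (n + 1 >= out_cap) { out[0] = '\0'; return LOGIN_TOO_LONG; }
        out[n++] = (char)c;
    }
    out[0] = '\0';
    return LOGIN_INCOMPLETE;   /* no line terminator received yet */
}

static char last_name[LOGIN_MAX];   /* name accepted by the latest call */

enum login_status check_login(const char *bytes)
{
    return read_login_name((const unsigned char *)bytes, strlen(bytes),
                           last_name, sizeof last_name);
}

int main(void)
{
    char big[303];   /* constructed input: 300 letters followed by CRLF */
    memset(big, 'A', 300); memcpy(big + 300, "\r\n", 3);
    printf("admin: %d, 300 chars: %d\n", check_login("admin\r\n"), check_login(big));
    return 0;
}
```

A caller that gets LOGIN_TOO_LONG or LOGIN_BAD_CHAR should drop the session rather than keep buffering, so an oversized login name costs the server nothing beyond the rejected read.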
USSRLabs claims to have informed the vendor, Pragma Systems, four times via email; however,
no response was received as of Feb 22, 2000.
We contacted Pragma Systems on February 22, where
the company responded immediately with the following statement via email:
> We recently discovered that on your ntsecurity web site that there was a
> problem reported by USSR Labs regarding Pragma Systems product
> InterAccess TelnetD Server 4.0 for "TelnetD Subject to Buffer
> DoS". At the bottom of the problem report, it states that USSR
> contacted Pragma 4 times and we have failed to respond.
> I would like to state that Pragma has not received any calls or
> emails from USSR Labs regarding this problem. We are currently
> researching this and would like for a retraction to be made regarding
> USSR Labs having tried to contact us (we have not received any
> contact from them at all). We have not been aware of the stated
> but we are looking into it.
Further investigation reveals that the Web page provided by
Pragma Systems was generating an ODBC error each time someone attempted to send them an
email via that page. Because of the error, USSRLabs could not send mail using the
Web-based form, and thus, claimed to have experienced a non-responsive condition with the
vendor. Pragma has since corrected the Web form errors by placing an HTML mailto link on
the technical support page.
Pragma Systems has stated that their current version is
Build 7, which does not appear to contain the buffer overflow condition.
Discovered by USSRLabs