IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

ASSESSMENT 01-019

"Buffer Overflow Vulnerability in Telnet Daemon"

August 30, 2001

Synopsis: Recently, the cyber security community received numerous reports of intruders using the buffer overflow vulnerability in the telnet daemon program. Security organizations, such as CERT/Coordination Center, cited this vulnerability in a July advisory (http://www.cert.org/advisories/CA-2001-21.html) outlining the vulnerability and solutions to address this problem. Due to the increase of these reports and with the activity of a new worm that has targeted this vulnerability, the NIPC urges the consumers to contact their vendors to obtain the appropriate fix. This vulnerability has the potential to impact the victim by allowing an intruder to copy, delete, or execute any program on the victim's system.

A new worm called "x.c," designed to exploit this vulnerability, has been discovered. Although that specific worm has been disabled, other malicious code variants could take advantage of the same vulnerability. Vendor patches are available and NIPC urges consumers to contact their vendor to obtain the appropriate fix for their operating system.

This vulnerability affects primarily FreeBSD-derived telnet daemons (including Solaris, AIX, and several versions of Linux), but some information suggests other vendors' telnet daemons may also be subject to attack using the same method.

A list of vulnerable systems, along with links to vendor patches, can be obtained at http://www.securityfocus.com/bid/3064. It is recommended that users of these operating systems check with their vendor for applicable patches, or disable the telnet daemon entirely.

Further information on the vulnerability can be found at: http://www.cert.org/advisories/CA-2001-21.html http://www.net-security.org/text/bugs/996661549,7633,.shtml

Any information regarding the above worm or any other exploitation of the buffer overflow vulnerability should be reported to the NIPC or other authorities. Incidents may be reported online at http://www.nipc.gov/incident/cirr.htm, directly to the NIPC Watch and Warning Unit at (202) 323-3204/3205/3206 or nipc.watch@ fbi.gov. Government agencies should report incidents to FedCIRC at http://www.fedcirc.gov, fedcirc@fedcirc.gov, or 1-888-282-0870.