Cisco Ironport WSA telnetd Remote Code Execution

2014.10.23
Credit: Glafkos Charalambous
Risk: High
Local: No
Remote: Yes
CVE: CVE-2011-4862
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Cisco Ironport WSA Telnetd Remote Code Execution Vulnerability Vendor: Cisco Product web page: http://www.cisco.com Affected version: Cisco Ironport WSA - AsyncOS 8.0.5 for Web build 075 Date: 22/05/2014 Credits: Glafkos Charalambous CVE: CVE-2011-4862 CVSS Score: 7.6 Impact: Unauthenticated Remote Code Execution with elevated privileges Description: The Cisco Ironport WSA virtual appliances are vulnerable to an old FreeBSD telnetd encryption Key ID buffer overflow which allows remote attackers to execute arbitrary code (CVE-2011-4862). Cisco WSA Virtual appliances have the vulnerable telnetd daemon enabled by default. diff --git a/ChangeLog b/ChangeLog index dd381d1..f4e4457 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2011-12-25 Alfred M. Szmidt <ams@gnu.org> + + * libtelnet/encrypt.c (encrypt_keyid): Make sure that LEN never is + greater than MAXKEYLEN. + 2011-12-22 Mats Erik Andersson <gnu@gisladisker.se> * libinetutils/setsig.c (setsig) [HAVE_SIGACTION]: Initialize diff --git a/libtelnet/encrypt.c b/libtelnet/encrypt.c index 06827d9..abfa6d4 100644 --- a/libtelnet/encrypt.c +++ b/libtelnet/encrypt.c @@ -796,6 +796,9 @@ encrypt_keyid (kp, keyid, len) int dir = kp->dir; register int ret = 0; + if (len > MAXKEYLEN) + len = MAXKEYLEN; + if (!(ep = (*kp->getcrypt) (*kp->modep))) { if (len == 0) Trying 192.168.0.160... Connected to 192.168.0.160. Escape character is '^]'. [+] Exploiting 192.168.0.160, telnetd rulez! [+] Target OS - FreeBSD 8.2 amd64 [*] Enjoy your shell uid=0(root) gid=0(wheel) groups=0(wheel),5(operator) uname -a FreeBSD ironport.example.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Mar 14 10:49:50 PDT 2014 auto-build@vm10bsd0266.eng:/usr/build/iproot/freebsd/mods/src/sys/amd64/compile/MESSAGING_GATEWAY.amd64 amd64 Disclosure Timeline 19-05-2014: Vendor Notification 20-05-2014: Vendor Response/Feedback 27-08-2014: Vendor Fix/Patch 22-10-2014: Public Disclosure References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862 http://www.freebsd.org/security/advisories/FreeBSD-SA-11:08.telnetd.asc http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) mQENBFE6TCMBCADQKVLT3xkJDQpUE6M3akJdFRWgFEy2pwoDbnOGDhw6yQYObDEuUlixRV5u xaIwzh9xPSS36B72bhQC3isHuqDu3xVhx9OX7XlLheXDZJdRbNIXQ3YPk1uYQizuoIpHq08x Eq4V2CXq7ovZPhWI6+iJt6QkVYvZXJdyoTKT8bLaFSOEfLeyAgkCQdXOgnzmNWeedxp0xGAj KL7qIhLETp/MK46ndo5hF8RIbVs59gWdu4GxXr96qViJLiAYO1dQNLc+LShMnue91neTjLoe JkpgqLfEGKV459eCJNqxlylIVbxyTmigExftZKAdNFHat0txK0fB/bLOwRnNFqYWQxanABEB AAG0KEdsYWZrb3MgQ2hhcmFsYW1ib3VzIDxnbGFma29zQGdtYWlsLmNvbT6JATgEEwECACIF AlE6TCMCGw8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEHAhLSD814yOAcoIALO6d2AQ M0l9KD9hPIody4VYOgY8stBrumI+t8njzJOYCCLdzB781vCAa0vINPFuFxGp2e8EfMfvf8+Z S6kC8EOQ6XyC8eq6imc1Q+tFMwTgykJZPFdosfXjBwg9jos/CR4dI6RZuzGC/FdXjpTAypbE n3m2a+DBb6CUPeB9nVQq6ukRGbuZ8S+veWRNFwKkTSwC0HKtf9Od+JBrLKesNa3LWLo8q7+d V3VS8rf8cmOOGBuaITzj87iRpgAgkF3MATa1Vb2nbbdYMpvHbzoj62mSqRiyEp1SOY9XkgcL 2ORsjgjww7GpH3F8LFvaHSHVz+037+E/+i/OSTS7o6gY4eI= =yiro -----END PGP SIGNATURE-----

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862
http://www.freebsd.org/security/advisories/FreeBSD-SA-11:08.telnetd.asc
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top