[Apple] libtelnet arbitrary C execution Vulnerability

Published: 2017.03.23
Credit: Ashiyane Digital Security Team
Risk: High
CWE: N/A
CVE: N/A
Local: No
Remote: Yes

###########################################################
# Exploit Title : [Apple] libtelnet arbitrary C execution Vulnerability
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage: http://apple.com
# Date : 2017 23 March
# Category : Operating system (OS) - Mac OS
# MY HOME : Ashiyane.org
# Software Link : https://opensource.apple.com/source/libtelnet/libtelnet-13/read_password.c.auto.html
###########################################################
## Files : read_password.c
## Details : Some of the code in this program is not filtered.
## Code : stdin
## Patch : $stdin
###########################################################
###########################################################
########## Vulnerability CODE ##########

/* Turn off echo */
tty_state.sg_flags &= ~ECHO;
if (ioctl(0,TIOCSETP,(char *)&tty_state) == -1)
    return -1;
while (!ok) {
    (void) printf("%s", prompt);
    (void) fflush(stdout);
    /* Retry until fgets() returns a line; reads at most max-1 bytes into s */
    while (!fgets(s, max, stdin));

    /* Strip the trailing newline */
    if ((ptr = strchr(s, '\n')))
        *ptr = '\0';
    if (verify) {
        printf("\nVerifying, please re-enter %s",prompt);
        (void) fflush(stdout);
        /* Second read goes into the local key_string buffer */
        if (!fgets(key_string, sizeof(key_string), stdin)) {
            clearerr(stdin);
            continue;
        }
        if ((ptr = strchr(key_string, '\n')))
            *ptr = '\0';
        /* Both entries must match, otherwise prompt again */
        if (strcmp(s,key_string)) {
            printf("\n\07\07Mismatch - try again\n");
            (void) fflush(stdout);
            continue;
        }
################################################
# Discovered By : Hassan Shakeri
# Twitter : @ShakeriHassan - Fb.com/General.BlackHat - Me@Seravo.ir
###########################################################

References:

https://opensource.apple.com/source/libtelnet/libtelnet-13/read_password.c.auto.html
https://twitter.com/ShakeriHassan
http://ashiyane.org/forums



Copyright 2017, cxsecurity.com