[Apple] libtelnet arbitrary C execution Vulnerability

2017.03.23
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

###########################################################
# Exploit Title : [Apple] libtelnet arbitrary C execution Vulnerability
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage: http://apple.com
# Date : 2017 23 March
# Category : Operating system (OS) - Mac OS
# MY HOME : Ashiyane.org
# Software Link : https://opensource.apple.com/source/libtelnet/libtelnet-13/read_password.c.auto.html
###########################################################
## Files : read_password.c
## Details : Some of the code in this program is not filtered.
## Code : stdin
## Patch : $stdin
###########################################################
###########################################################
########## Vulnerability CODE ##########

    /* Turn off echo */
    tty_state.sg_flags &= ~ECHO;
    if (ioctl(0,TIOCSETP,(char *)&tty_state) == -1)
        return -1;

    while (!ok) {
        (void) printf("%s", prompt);
        (void) fflush(stdout);
        while (!fgets(s, max, stdin));

        if ((ptr = strchr(s, '\n')))
            *ptr = '\0';
        if (verify) {
            printf("\nVerifying, please re-enter %s",prompt);
            (void) fflush(stdout);
            if (!fgets(key_string, sizeof(key_string), stdin)) {
                clearerr(stdin);
                continue;
            }
            if ((ptr = strchr(key_string, '\n')))
                *ptr = '\0';
            if (strcmp(s,key_string)) {
                printf("\n\07\07Mismatch - try again\n");
                (void) fflush(stdout);
                continue;
            }

################################################
# Discovered By : Hassan Shakeri
# Twitter : @ShakeriHassan - Fb.com/General.BlackHat - Me@Seravo.ir
###########################################################
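
Added example (not code from the advisory or from Apple's libtelnet): a defensive form of the read-and-verify loop in the excerpt above. It reports end of input where `while (!fgets(s, max, stdin));` would keep retrying, and rejects a line longer than the buffer instead of leaving its tail for the confirmation read. The names read_password_pair, check_input and the RP_* codes are assumptions made for this illustration.

```c
/* Added example, not Apple's code: bounded, EOF-aware read-and-verify. */
#include <stdio.h>
#include <string.h>

enum { RP_OK = 0, RP_EOF = -1, RP_TOO_LONG = -2, RP_MISMATCH = -3, RP_BADARG = -4 };

/* Zero a secret; the volatile pointer keeps the stores from being elided. */
static void wipe(volatile char *p, size_t n) { while (n--) *p++ = 0; }

/* Read one line into buf[max]. Reports EOF instead of retrying, and drains
 * an over-long line so its tail is not taken as the next answer. */
static int read_line(FILE *in, char *buf, int max) {
    char *nl; int c;
    if (!fgets(buf, max, in)) return RP_EOF;
    if ((nl = strchr(buf, '\n'))) { *nl = '\0'; return RP_OK; }
    if ((c = fgetc(in)) == '\n' || c == EOF) return RP_OK; /* exact fit */
    while ((c = fgetc(in)) != EOF && c != '\n') { /* discard the tail */ }
    return RP_TOO_LONG;
}

/* Read the password and its confirmation from `in`; on success s holds it. */
int read_password_pair(FILE *in, char *s, int max) {
    char again[BUFSIZ]; int rc;
    if (max < 2 || (size_t)max > sizeof again) return RP_BADARG;
    rc = read_line(in, s, max);
    if (rc == RP_OK) rc = read_line(in, again, max);
    if (rc == RP_OK && strcmp(s, again) != 0) rc = RP_MISMATCH;
    wipe(again, sizeof again);
    if (rc != RP_OK) wipe(s, (size_t)max);   /* never hand back a partial secret */
    return rc;
}

/* Constructed input, fed through a temporary file standing in for stdin. */
int check_input(const char *input, char *out, int max) {
    FILE *f = tmpfile();
    int rc;
    if (!f) return RP_BADARG;
    fputs(input, f);
    rewind(f);
    rc = read_password_pair(f, out, max);
    fclose(f);
    return rc;
}

int main(void) {
    char pw[8];
    printf("%d\n", check_input("secret\nsecret\n", pw, (int)sizeof pw));
    return 0;
}
```

With an 8-byte buffer, the constructed input "12345678\n12345678\n" yields RP_TOO_LONG here, whereas a plain fgets pair would read "1234567" and then "8" and report a mismatch.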

References:

https://opensource.apple.com/source/libtelnet/libtelnet-13/read_password.c.auto.html
https://twitter.com/ShakeriHassan
http://ashiyane.org/forums


Copyright 2017, cxsecurity.com