TelnetD Subject to Buffer Overflow and DoS

Reported February 21, 2000 by USSRLabs
VERSIONS AFFECTED
InterAccess TelnetD Server, BUILD RELEASE 4

DESCRIPTION

The code that handles the login commands for a telnet session has an unchecked buffer that will allow arbitrary code to execute on the server if it the buffer is overflowed.

DEMONSTRATION

$ telnet example-victim-site.com
Trying example-victim-site.com...
Connected to example-victim-site.com.
Escape character is "^\]".

InterAccess TelnetD Server (30 Day Trial Version) Release 4.0
Copyright (C) 1994-1999 by Pragma Systems, Inc.
All rights reserved.

This copy will expire on Tue Mar 21 21:55:14 2000

login name: (buffer)

Where \[buffer\] is aprox. 300 characters.

VENDOR RESPONSE

USSRLabs claims to have informed the vendor, Pragma Systems, four times via email however no response was received as of Feb 22, 2000.

We contained Pragma Systems on February 22, where the company responded immediately with the following statement via email:

> We recently discovered that on your ntsecurity web site that there was a
> problem reported by USSR Labs regarding Pragma Systems product

> InterAccess TelnetD Server 4.0 for "TelnetD Subject to Buffer Overflow and
> DoS". At the bottom of the problem report, it states that USSR Labs has
> contacted Pragma 4 times and we have failed to respond.
>
> I would like to state that Pragma has not received any calls or
> emails from USSR Labs regarding this problem. We are currently

> researching this and would like for a retraction to be made regarding
> USSR Labs having tried to contact us (we have not received any
> contact from them at all). We have not been aware of the stated problem,
> but we are looking into it.

Further investigation reveals that the Web page provided by Pragma Systems was generating an ODBC error each time someone attempted to send them an email via that page. Because of the error, USSRLabs could not send mail using the Web-based form, and thus, claimed to have experienced a non-responsive condition with the vendor. Pragma has since corrected the Web form errors by placing an HTML mailto link on the technical support page.

Pragma System has stated that their current version is Build 7, which does not appear to contain the buffer overflow condition.

CREDITS
Discovered by USSRLabs