From owner-doc-jp@jp.freebsd.org  Tue Jul 31 17:00:52 2001
Date: Tue, 31 Jul 2001 16:37:31 +0900 (JST)
Message-Id: <20010731.163731.85381360.y-koga@jp.FreeBSD.org>
To: doc-jp@jp.FreeBSD.org
From: Koga Youichirou <y-koga@jp.freebsd.org>
In-Reply-To: <20010731055234.41670.qmail@web111.mail.yahoo.co.jp>
References: <20010731055234.41670.qmail@web111.mail.yahoo.co.jp>
X-Mailer: Mew version 2.0 on Emacs 20.7 / Mule 4.0 (HANANOEN)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+010328
X-Sequence: doc-jp 8305
Subject: [doc-jp 8305] Re: FreeBSD-SA-01:49
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: y-koga@jp.freebsd.org

Kiroh HARADA <kiroh@yahoo.co.jp>:
> $B$H$$$&$o$1$G(B revised version $B$K$7$^$7$?!#(B

$B$Q$A$Q$A$Q$A!y(B

$B$^$:!"A4BN$K!VA4$F!W(Bor$B!V$9$Y$F!W$,MI$l$F$$$^$9!#(B

> 0.   Revision History
> 0.   $B2~DjMzNr(B
> 
> 2001-07-23  v1.0  Initial release
> 2001-07-27  v1.1  Updated patch instructions, kerberosIV package
>                   available, added reference to SSH in workarounds.
> 
> 2001$BG/(B7$B7n(B23$BF|(B v1.0	$B=i4|%j%j!<%9(B

$B!V=i4|!W$H$$$&$N$O>/$70c$&$h$&$J5$$,!#(B
$B$3$l$^$G$O!V=iHG8x3+!W$H$7$F$$$^$7$?$M!#(B

> 2001$BG/(B7$B7n(B27$BF|(B v1.1	$B%Q%C%AE,MQJ}K!$N%"%C%W%G!<%H(B
> 			kerberosIV $B%Q%C%1!<%8$,MxMQJ}K!$NDI2C(B
> 			SSH $B$rMxMQ$7$?2sHrJ}K!$NDI2C(B

$B!V%"%C%W%G!<%H!W"*!V99?7!W(B

> 
> I.   $BGX7J(B
> 
> telnetd is the server for the telnet remote virtual terminal protocol.
> telnted $B$O(B, telnet $B2>A[%?!<%_%J%k%W%m%H%3%k$N%5!<%P$G$9(B. 

remote $B$,Lu$5$l$F$$$^$;$s$M!#(B
$B$"$H!"%W%m%H%3%kL>$H$7$F$O(B TELNET $B$H(B capital $B$K$9$k$N$,0lHLE*$@$H;W$$(B
$B$^$9!#(B

> II.  Problem Description
> II.  $BLdBj$N>\:Y(B
> 
> An overflowable buffer was found in the version of telnetd included
> with FreeBSD.  Due to incorrect bounds checking of data buffered for
> output to the remote client, an attacker can cause the telnetd process
> to overflow the buffer and crash, or execute arbitrary code as the
> user running telnetd, usually root.  A valid user account and password
> is not required to exploit this vulnerability, only the ability to
> connect to a telnetd server.
> 
> FreeBSD $B$K4^$^$l$k%P!<%8%g%s$N(B telnetd $B$K%P%C%U%!%*!<%P!<%U%m!<$,8+IU$+(B
> $B$j$^$7$?(B. $B%j%b!<%H%/%i%$%"%s%H$X$N=PNO%P%C%U%!$N6-3&%A%'%C%/$,ITE,@Z$J(B
> $B$?$a(B, $B967b<T$O(B telnetd $B$r%P%C%U%!%*!<%P!<%U%m!<$K$h$j%/%i%C%7%e$5$;$?$j(B, 
> telnetd $B$N<B9T%f!<%6(B ($BDL>o(B root $B$G$9(B) $B$N8"8B$G(B, $BG$0U$N%3!<%I$r<B9T$5$;(B
> $B$?$j$G$-$^$9(B. $B$3$N@H<e@-$r0-MQ$9$k$N$K%f!<%6%"%+%&%s%H$d%Q%9%o!<%I$O(B, 
> $BI,MW$"$j$^$;$s(B. telnetd $B%5!<%P$K@\B3$5$($G$-$l$P(B, $B0-MQ2DG=$G$9(B. 

$B!V%P!<%8%g%s$N(B telnetd$B!W"*!V(Btelnetd $B$N%P!<%8%g%s!W$NJ}$,$$$$$+$b!#(B
$B$G$b!"!V%P!<%8%g%s!W$ON,$7$?J}$,$$$$$h$&$J5$$,$7$F$$$^$9!#(B

an overflowable buffer $B$r!V%P%C%U%!%*!<%P!<%U%m!<$,8+IU$+$j$^$7$?!W$H(B
$B$9$k$N$O>/$70c$&$H;W$$$^$9!#(B

$B!V$5$;$?$j$G$-$^$9!W"*!V$5$;$?$j$9$k$3$H$,$G$-$^$9!W(B

a valid user account... $B$N$H$3$m$O!"967b<T$,967bBP>]$KBP$7$F@5Ev$J(B
$B%f!<%6(B/$B%Q%9%o!<%I$G(B TELNET $B$rMQ$$$F%m%0%$%s$7$F$$$kI,MW$,$J$$$3$H$r(B
$B8@$C$F$$$k$N$G$9$,!"$3$NLu$@$H$$$^$R$H$D[#Kf$K$J$C$F$7$^$&$H;W$$$^$9!#(B

> The telnetd service is enabled by default on all FreeBSD installations
> if the 'high' security setting is not selected at install-time. This
> vulnerability is known to be exploitable, and is being actively
> exploited in the wild.
> 
> telnetd $B%5!<%S%9$O(B, $B%$%s%9%H!<%k;~$K%;%-%e%j%F%#@_Dj$r(B 'high' $B$K@_Dj$7$J(B
> $B$$8B$j(B, $B$9$Y$F$N(BFreeBSD $B$G%G%U%)%k%H$GF3F~$5$l(B, $BM-8z$K$5$l$F$$$^$9(B. $B$3$N(B
> $B@H<e@-$O0-MQ2DG=$H$7$FG'<1$5$l(B, $B$9$G$KB??t$N0-MQ$,3NG'$5$l$F$$$^$9(B.

$B!V(Btelnetd $B%5!<%S%9!W$C$F0cOB46$"$j$^$9$M!D(B ftpd $B%5!<%S%9$H$+(B fingerd 
$B%5!<%S%9$H$OIaDL8@$o$J$$$H;W$$$^$9!#(B
$B!V(Btelnetd $B$r;HMQ$9$k%5!<%S%9!W$"$?$j$+$J$!!#(B

$B<g8l$O=R8l$K6a$$J}$,$9$C$-$j$7$^$9!#(B
$B!V%$%s%9%H!<%k;~$K!D$7$J$$8B$j(B, telnetd $B$r;HMQ$9$k%5!<%S%9$O$9$Y$F$N!D!W(B
$B$NJ}$,$h$$$G$7$g$&!#!VF3F~$5$l!W$OITMW$+$J!#(B

> III. Impact
> III. $B1F6AHO0O(B
> 
> Remote users can cause arbitrary code to be executed as the user
> running telnetd, usually root.
> 
> $B967b<T$O(B, telnetd $B$N<B9T%f!<%6(B($BDL>o(B root) $B$GG$0U$N%3!<%I$r<B9T$G$-$^$9(B. 

$B!V<B9T%f!<%68"8B!W$H$7$^$7$g$&!#$G$b!"@5$7$/$O<B8z%f!<%6$@$h$J$!!#(B
$B$^$!!"(Btelnetd $B$N<BAu$G$O%$%3!<%k$G$9$1$I!#(B

> IV.  Workaround
> IV.  $B2sHrJ}K!(B
> 
> 1) Disable the telnet service, which is usually run out of inetd:
> comment out the following lines in /etc/inetd.conf, if present.
> 
> 1) telnet $B%5!<%S%9$rL58z$K$9$k(B. $BDL>o$O(B inetd $B$+$i5/F0$5$l$^$9$N$G(B, 
> /etc/inetd.conf $B%U%!%$%k$NCf$N0J2<$N9T$r%3%a%s%H%"%&%H$7$^$9(B. 

$B!D$N!D$N!D$N(B $B$HB3$/$N$O$"$l$J$N$G!"!V%U%!%$%k$NCf$N!W"*!V%U%!%$%kCf$N!W(B
$B$K$7$?J}$,$$$$$+$J!#(B

> An alternative remote login protocol such as the SSH secure shell
> protocol (which is installed by default in FreeBSD), can be used
> instead.  The SSH protocol is the recommended protocol for remote
> logins to FreeBSD systems because of the superior authentication,
> confidentiality and integrity protection it supplies relative to other
> protocols such as telnet.
> 
> SSH $B%;%-%e%"%7%'%k%W%m%H%3%k(B (FreeBSD $B$K%G%U%)%k%H$G%$%s%9%H!<%k$5(B
> $B$l$^$9(B) $B$J$I$N%j%b!<%H%m%0%$%s%W%m%H%3%k$G(B telnet $B%5!<%S%9$rBeBX(B
> $B$G$-$^$9(B. SSH $B$O(B, $BG'>ZJ}K!(B, $BHkF?@-(B, $BJ]8n$N0l4S@-$J$I$G(B, telnet $B$J$I(B
> $B$NB>$N%W%m%H%3%k$KBP$7$FM%$l$F$*$j(B, FreeBSD $B$X$N%j%b!<%H%m%0%$%s(B
> $B$rDs6!$9$kJ}K!$H$7$F?d>)$5$l$F$$$^$9(B. 

FreeBSD $B$K%$%s%9%H!<%k$5$l$k!"$C$F$J$s$+L/$+$b!#(B
$B!V(BFreeBSD $B$G$O%G%U%)%k%H$G%$%s%9%H!<%k$5$l$^$9!W$"$?$j$G$7$g$&$+!#(B

$B>/$78G$$$N$G!"!V(Btelnet $B%5!<%S%9$NBe$o$j$K(B, SSH $B%;%-%e%"%7%'%k%W%m%H%3(B
$B%k(B ($B!D(B) $B$N$h$&$J%j%b!<%H%m%0%$%s%W%m%H%3%k$r;HMQ$9$k$3$H$,$G$-$^$9!W(B
$B$G$I$&$G$7$g$&!)(B

$B!V(BFreeBSD $B$X$N%j%b!<%H%m%0%$%s!W"*!V(BFreeBSD $B%7%9%F%`$X$N%j%b!<%H%m%0%$%s!W(B
integrity $B$O!"%;%-%e%j%F%#$N@$3&$G$OBgDq!V(B($B%G!<%?$N(B) $B40A4@-!W$r;X$7$^$9!#(B

$B!VBP$7$F!W"*!VHf$Y$F!W$NJ}$,$$$$$+$J!#(B

> 2) Impose access restrictions using TCP wrappers (/etc/hosts.allow),
> or a network-level packet filter such as ipfw(8) or ipf(8) on the
> perimeter firewall or the local machine, to limit access to the telnet
> service to trusted machines.
> 
> 2) TCP wrappers (/etc/hosts.allow) $B$d(B, ipfw(8) $B$d(B ipf(8) $B$N$h$&$J%M%C%H(B
> $B%o!<%/%l%Y%k$N%Q%1%C%H%U%#%k%?$r6-3&%U%!%$%"%&%)!<%k$d%m!<%+%k%^%7%s$G(B
> $BF0:n$5$;(B, telnetd $B$X$N%"%/%;%9$r?.Mj$G$-$k%^%7%s$K8B$k$J$I(B, $BE,@Z$J%"%/(B
> $B%;%9@)8B$r2]$7$^$9(B. 

s/$B$J$I(B, $BE,@Z$J(B//
$B!V2]$7$^$9!W"*!V9T$J$&!W(B

> V.   Solution
> V.   $B2r7h:v(B
> 
> One of the following:
> Do one of the following.

I believe that in doc-jp it was 「行います」→「行ないます」.

> 1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the
> RELENG_4_3 security branch after the respective correction dates.
> 
> 1) Upgrade the system to 4.3-STABLE or the RELENG_4_3 security branch
> dated after the correction date.

That is indeed what it says, but what is the RELENG_4_3 security branch?

> Advisory 00:69 prior to applying this patch).  These patches may or
> may not apply to older, unsupported releases of FreeBSD.
> 
> Whether this patch can be used on older releases before that, or on
> unsupported releases of FreeBSD, has not been confirmed.

「利用可能」→「適用可能」 ("usable" → "applicable")

> Download the patch and the detached PGP signature from the following
> locations, and verify the signature using your PGP utility.
> 
> $B%Q%C%A$H(B PGP $B=pL>$r0J2<$N>l=j$+$i%@%&%s%m!<%I$7(B, PGP $B%f!<%F%#%j%F%#$G(B
> $B=pL>$NM-8z@-$r3NG'$7$F$/$@$5$$(B. 

$B!VM-8z@-!W"*!V@5Ev@-!W$+$J$!!#0J2<F1MM!#(B

> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd-crypto.patch
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd-crypto.patch.asc

s/freebsd/FreeBSD/ $B$7$?$$$+$b!#8e$G$O$=$&$J$C$F$k$7!#0J2<F1MM!#(B

> 3) FreeBSD 4.3-RELEASE systems:
> 3) FreeBSD 4.3-RELEASE $B$N>l9g(B:
> 
> An experimental upgrade package is available for users who wish to
> provide testing and feedback on the binary upgrade process.  This
> package may be installed on FreeBSD 4.3-RELEASE systems only, and is
> intended for use on systems for which source patching is not practical
> or convenient.
> 
> $B%P%$%J%j%"%C%W%0%l!<%I%W%m%;%9$N<B83$H%U%#!<%I%P%C%/$K8f6(NOD:$1$k>l9g(B
> $B$O(B, $B<B83E*$J%"%C%W%0%l!<%I%Q%C%1!<%8$,MxMQ$G$-$^$9(B. $B$3$N%Q%C%1!<%8$O(B, 
> FreeBSD 4.3-RELEASE $B%7%9%F%`$K$N$_E,MQ$G$-$^$9(B. $B$3$N%Q%C%1!<%8$O(B, 
> $B%=!<%9$N%Q%C%A$K$h$k%"%C%W%0%l!<%I$,(B, $B:$Fq$J%7%9%F%`MQ$KDs6!$5$l$F$$$^$9(B. 

$B!V8f6(NOD:$1$k!W"*!V$46(NO$$$?$@$1$k!W(B
$B!V%"%C%W%0%l!<%I$,(B, $B:$Fq$J!W!V%"%C%W%0%l!<%I$,:$Fq$J!W(B

> If you use the upgrade package, feedback (positive or negative) to
> security-officer@FreeBSD.org is requested so we can improve the
> process for future advisories.
> 
> If you use the upgrade package, please send feedback (good points,
> bad points) to security-officer@FreeBSD.org. We will use it to improve
> future security advisories.

Since we are asking for their cooperation,
how about something like 「利用します」→「活用させていただきます」 ("we will use it" → "we will gratefully make use of it")?

> During the installation procedure, backup copies are made of the files
> which are replaced by the package.  These backup copies will be
> reinstalled if the package is removed, reverting the system to a
> pre-patched state.
> 
> During installation, backup copies are made of the files that are
> replaced by the package. If the package is removed, the backup copies
> that were made are restored, and the system returns to its pre-patch state.

「置き換えられるれ」→「置き換えられる」

> Three versions of the upgrade package are available, depending on
> whether or not the system has the crypto or kerberosIV distributions
> installed.
> 
> $B%7%9%F%`$N(B, crypto $B%G%#%9%H%j%S%e!<%7%g%s(B, kerberosIV $B%G%#%9%H%j%S%e!<(B
> $B%7%g%s$NM-L5$K1~$8$F(B, 3 $B<oN`$N%Q%C%1!<%8$,$"$j$^$9(B.

$B!V%7%9%F%`$N(B, $B!W$OITMW$+$b!#(B

----
$B$3$,$h$&$$$A$m$&(B
