Advertisement






Cisco Ironport WSA telnetd Remote Code Execution

CVE Category Price Severity
Author Risk Exploitation Type Date
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2014100135

Below is a copy:

Cisco Ironport WSA Telnetd Remote Code Execution Vulnerability
Vendor: Cisco
Product web page: http://www.cisco.com
Affected version: Cisco Ironport WSA - AsyncOS 8.0.5 for Web build 075
Date: 22/05/2014
Credits: Glafkos Charalambous
CVE: CVE-2011-4862
CVSS Score: 7.6
Impact: Unauthenticated Remote Code Execution with elevated privileges
Description: The Cisco Ironport WSA virtual appliances are vulnerable to an old FreeBSD telnetd encryption Key ID buffer overflow which allows remote attackers to execute arbitrary code (CVE-2011-4862).
Cisco WSA Virtual appliances have the vulnerable telnetd daemon enabled by default. 

diff --git a/ChangeLog b/ChangeLog
index dd381d1..f4e4457 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2011-12-25  Alfred M. Szmidt  <[email protected]>
+
+* libtelnet/encrypt.c (encrypt_keyid): Make sure that LEN never is
+greater than MAXKEYLEN.
+
 2011-12-22  Mats Erik Andersson <[email protected]>
 
 * libinetutils/setsig.c (setsig) [HAVE_SIGACTION]: Initialize
diff --git a/libtelnet/encrypt.c b/libtelnet/encrypt.c
index 06827d9..abfa6d4 100644
--- a/libtelnet/encrypt.c
+++ b/libtelnet/encrypt.c
@@ -796,6 +796,9 @@ encrypt_keyid (kp, keyid, len)
   int dir = kp->dir;
   register int ret = 0;
 
+  if (len > MAXKEYLEN)
+    len = MAXKEYLEN;
+
   if (!(ep = (*kp->getcrypt) (*kp->modep)))
     {
       if (len == 0)


Trying 192.168.0.160...
Connected to 192.168.0.160.
Escape character is '^]'.

[+] Exploiting 192.168.0.160, telnetd rulez!
[+] Target OS - FreeBSD 8.2 amd64
[*] Enjoy your shell
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
uname -a
FreeBSD ironport.example.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Mar 14 10:49:50 PDT 2014     [email protected]:/usr/build/iproot/freebsd/mods/src/sys/amd64/compile/MESSAGING_GATEWAY.amd64  amd64

Disclosure Timeline
19-05-2014: Vendor Notification
20-05-2014: Vendor Response/Feedback
27-08-2014: Vendor Fix/Patch
22-10-2014: Public Disclosure

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862
http://www.freebsd.org/security/advisories/FreeBSD-SA-11:08.telnetd.asc
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum