
CVE-2011-4862 PoC — FreeBSD 'telnetd' buffer error vulnerability

Associated Vulnerability
Title: FreeBSD 'telnetd' buffer error vulnerability (CVE-2011-4862)
Description: FreeBSD is a free Unix-like operating system developed by the FreeBSD project under its Core Team; it is a major branch of the Unix-like systems that descend from BSD, 386BSD and 4.4BSD. A buffer overflow exists in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, in MIT Kerberos Version 5 Applications 1.0.2 and earlier, and in Heimdal 1.5.1 and earlier. A remote attacker can execute arbitrary code via an overly long encryption key.
Readme
# cve-2011-4862

I originally tried to use diff to make a patch.
I patched it the way I thought it would be, before looking
at the real patch.
encrypt.patch is this original patch that I made with the
diff.
However, when we tried applying this patch to FreeBSD,
it would not accept it.

Instead, we had to fetch the real patch. I then changed the patch
to implement the fix the way I originally thought it should. This works
because it puts the whole path into the patch.

In the patch, we simply check the length compared to MAXLENGTH.
If it's bigger than that, set it to 0.
This way, it falls into the case of len = 0, which
errors out. This fixes it :-)

Here is an explanation of how to apply a patch in FreeBSD.
https://www.freebsd.org/security/advisories/FreeBSD-SA-11:08.telnetd.asc
Simply use this patch instead of fetching the real one.
It will work, and you will no longer be able to exploit the buffer overflow.
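The length guard the README describes, as an added C illustration that is not the repository's patch or FreeBSD's code: a fixed-size key-id buffer whose setter forces an oversized length to 0 so the existing `len == 0` error path rejects it before anything is copied. The struct, the function names, the 64-byte limit and the return codes are assumptions.

```c
#include <string.h>
#include <stdio.h>

/* Constructed illustration of the fix the README describes. Names, the
 * 64-byte limit and the return codes are assumptions, not project code. */
#define MAXKEYLEN 64

struct key_info {
    unsigned char keyid[MAXKEYLEN];
    int keylen;
};

enum keyid_status {
    KEYID_OK = 0,          /* key id accepted and stored */
    KEYID_ERR_EMPTY = -1,  /* len == 0: the pre-existing error path */
};

/* Store a peer-supplied key id. The guard on len is the README's fix: an
 * oversized (or negative) length is forced to 0, so the existing len == 0
 * error path rejects it and the memcpy is always bounded by MAXKEYLEN. */
int set_keyid(struct key_info *kp, const unsigned char *keyid, int len)
{
    if (len < 0 || len > MAXKEYLEN)
        len = 0;
    if (len == 0) {
        kp->keylen = 0;
        return KEYID_ERR_EMPTY;
    }
    memcpy(kp->keyid, keyid, (size_t)len);
    kp->keylen = len;
    return KEYID_OK;
}

/* Feed a constructed key id of the given length and report the outcome. */
int try_keyid(int len)
{
    struct key_info kp = {0};
    unsigned char buf[256];            /* constructed sample input */
    memset(buf, 'A', sizeof buf);
    if (len > (int)sizeof buf) len = (int)sizeof buf;
    return set_keyid(&kp, buf, len);
}

int main(void)
{
    printf("len 64:  %d\n", try_keyid(64));   /* 0: exactly the limit */
    printf("len 200: %d\n", try_keyid(200));  /* -1: rejected */
    return 0;
}
```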
File Snapshot

[4.0K] /data/pocs/7964a78cff32c3ec87051dec05229cd70225a228
├── [ 394] encrypt.patch
├── [ 924] README.md
└── [ 835] telnetd.patch

0 directories, 3 files