The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>Systems Compromised Through a Vulnerability in the IRIX telnet daemon</h2>

Original release date: Thursday, August 31, 2000<br/>
Last revised: Thursday, September 7, 2000<br/>
Source: CERT/CC<br/>
<h3>Overview</h3>

<p>
We have received reports of intruder activity involving the telnet
daemon on SGI machines running the IRIX operating system. Intruders
are actively exploiting a vulnerability in <i>telnetd</i> that
results in a remote root compromise of victim machines.
</p>

<p>
Information about the vulnerability we have seen exploited as a part
of these attacks can be found at
</p>
<ul>
<li><a href="ftp://sgigate.sgi.com/security/20000801-01-P">SGI Security Advisory 20000801-01-P</a>, IRIX telnetd vulnerability</li>
<li><a href="http://www.securityfocus.com/bid/1572">http://www.securityfocus.com/bid/1572</a></li>
</ul>
<h3>Description</h3>

<p>
Reports of successful exploitation of the vulnerability in <i>telnetd</i>
have included some or all of the following attack characteristics:
</p>
<ul>
<li>Generation of a syslog message similar to
<dl>
<dd><pre>
overly long syslog message detected, truncating
telnetd[xxxxx]: ignored attempt to setenv (_RLD,     ^?D^X^\    
^?D^X^^   ^D^P^?^?$^B^Cs#^?^B^T#d~^H#e~^P/d~^P/`~^T#`~^O
^C ^?^?L/bin/sh
</pre></dd>
</dl>
or
<dl>
<dd><pre>
overly long syslog message, integrity compromised, aborting
</pre></dd>
</dl>
</li>
<li>Addition of accounts with root privileges to /etc/passwd</li>
<li>Remote retrieval and installation of additional intruder tools,
including root kits that contain replacements for various system
binaries, including <i>telnetd</i></li>
<li>Installation of packet sniffers</li>
<li>Installation of IRC proxy programs such as <i>bnc</i></li>
</ul>
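<p>
As an added example, not part of the CERT/CC note, the following Python scans syslog lines for the three indicators quoted above (the two "overly long syslog message" texts and the <i>telnetd</i> "ignored attempt to setenv (_RLD" record) and ranks a setenv record higher when the logged value carries control bytes or "/bin/sh". The sample log, its timestamps, hostname, pids and the benign _RLD_ROOT line are constructed for illustration.
</p>

```python
import re
from dataclasses import dataclass

# Indicator strings copied from the syslog excerpts quoted in this note.
TRUNCATE_MSG = "overly long syslog message detected, truncating"
ABORT_MSG = "overly long syslog message, integrity compromised, aborting"
# telnetd logs the rejected variable name and value; the pid is whatever syslog recorded.
SETENV_RE = re.compile(r"telnetd\[[^\]]*\]: ignored attempt to setenv \((_RLD\w*),\s*(.*)")
# Control characters in the ^X caret notation that log viewers display (raw bytes handled below).
CARET_RE = re.compile(r"\^[@-_?]")

@dataclass
class Finding:
    line_no: int
    indicator: str
    detail: str

def looks_like_binary(value: str) -> bool:
    """True if a logged _RLD value contains control bytes (raw or caret-escaped),
    i.e. it looks like injected machine code rather than a path or setting."""
    return bool(CARET_RE.search(value)) or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)

def scan_syslog(lines):
    """Return one Finding per suspicious line, in file order."""
    findings = []
    for n, line in enumerate(lines, 1):
        if ABORT_MSG in line:
            findings.append(Finding(n, "syslog-abort", ABORT_MSG))
        elif TRUNCATE_MSG in line:
            findings.append(Finding(n, "syslog-truncate", TRUNCATE_MSG))
        m = SETENV_RE.search(line)
        if m:
            var, value = m.group(1), m.group(2)
            # A value carrying "/bin/sh" or control bytes matches the excerpt quoted above;
            # a plain _RLD setting is still worth review but is a weaker indicator.
            kind = "rld-setenv-shellcode" if "/bin/sh" in value or looks_like_binary(value) else "rld-setenv"
            findings.append(Finding(n, kind, var))
    return findings

def indicators(lines):
    return [f.indicator for f in scan_syslog(lines)]

# Constructed sample: timestamps, hostname, pids and the benign _RLD_ROOT line are made up;
# the message texts follow the excerpts quoted in this note.
SAMPLE_LOG = [
    "Aug 31 02:14:07 irixhost telnetd[12345]: connect from 192.0.2.10",
    "Aug 31 02:14:08 irixhost overly long syslog message detected, truncating",
    "Aug 31 02:14:08 irixhost telnetd[12345]: ignored attempt to setenv (_RLD, ^?D^X^\\ ^?D^X^^ ^D^P^?^?$^B^Cs#^?^B^T#d~^H /bin/sh",
    "Aug 31 02:14:09 irixhost overly long syslog message, integrity compromised, aborting",
    "Aug 31 02:15:00 irixhost telnetd[12346]: ignored attempt to setenv (_RLD_ROOT, /usr/lib)",
]

if __name__ == "__main__":
    for f in scan_syslog(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.indicator} ({f.detail})")
```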
<h3>Solutions</h3>

<h4>Patch or disable the telnetd service</h4>
<p>
Patches for this vulnerability have been released by SGI. Sites are
encouraged to follow the instructions in the
<a href="ftp://sgigate.sgi.com/security/20000801-01-P">SGI advisory</a>
on how to obtain the patches. For sites that cannot immediately apply
the patches, the advisory also provides instructions for disabling the
telnet service.
</p>

<h4>Restrict access to the telnetd service</h4>
<p>Sites can employ access control mechanisms, such as
packet filtering, firewalls, or application-layer controls, to manage
the risk of intrusion on vulnerable systems.</p>

<p>As a good security practice in general, the CERT/CC recommends
blocking unneeded ports at your network border(s). For this
vulnerability in particular, sites should block TCP port 23 (telnet).</p>

<p>
For sites where this is not feasible, the CERT/CC recommends applying
an access control mechanism such as tcp_wrappers or tcpserver to the
telnet service. The tcp_wrappers package can be found at
</p>
<dl><dd><a href="ftp://ftp.porcupine.org/pub/security/index.html">ftp://ftp.porcupine.org/pub/security/index.html</a></dd></dl>
<p>
The ucspi-tcp package, including tcpserver, can be found at
</p>
<dl><dd><a href="http://cr.yp.to/ucspi-tcp.html">http://cr.yp.to/ucspi-tcp.html</a></dd></dl>
<p>
If you believe a host has been compromised, we encourage you to
disconnect the host from the network and review our steps for
recovering from a root compromise:
</p>
<dl>
<dd><a href="http://www.cert.org/tech_tips/root_compromise.html">http://www.cert.org/tech_tips/root_compromise.html</a></dd>
</dl>
<p>
We also encourage you to ensure that your hosts are current with
security patches or workarounds for well-known vulnerabilities and to
regularly review security-related patches released by your vendors.
</p>

<p>
<b>Author</b>: <a href="mailto:cert@cert.org?subject=IN-2000-09%20Feedback">Chad Dougherty</a>
</p>
<p>Copyright 2000 Carnegie Mellon University.</p>
<p>Revision History</p>
<pre>
August 31, 2000: Initial Release
September 7, 2000: Updated information in solutions section upon SGI's release
of patches for this vulnerability, and updated the SGI advisory number.
</pre>