Telnet Encryption (using Kerberos V4) SECURITY HOLE
Theodore Ts'o <tytso@mit.edu> Wed, 15 February 1995 23:27 UTC
Date: Wed, 15 Feb 1995 17:06:20 +0500
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Theodore Ts'o <tytso@mit.edu>
Message-Id: <9502152206.AA05857@dcl.MIT.EDU>
To: kerberos@mit.edu, telnet-ietf@cray.com
Subject: Telnet Encryption (using Kerberos V4) SECURITY HOLE
Address: 1 Amherst St., Cambridge, MA 02139
Phone: (617) 253-8091
-----BEGIN PGP SIGNED MESSAGE-----

We have discovered a serious security problem found in the Berkeley telnet client. This bug only affects telnet clients which provide support for the experimental telnet encryption option using the Kerberos V4 authentication. All known, released versions of the BSD telnet that support Kerberos V4 authentication and encryption are affected by this bug.

It is recommended that all sites who use encrypted telnet in conjunction with Kerberos V4 apply this patch immediately.

This patch, along with the domestic version of the most recently released telnet sources from Berkeley, are available via anonymous ftp from net-dist.mit.edu in the directory /pub/telnet. The patch (which is also included in this message) can be found in the file /pub/telnet/telnet.patch. The file /pub/telnet/telnet.patch.sig contains a detached PGP signature of this file.

Users of NCSA Telnet should upgrade to the NCSA telnet 2.6.1d4, which is available from ftp.ncsa.uiuc.edu in the directory /Mac/Telnet/Telnet2.6/prerelease/d4.

Customers of ftp Software with an encrypting telnet (provided in the PC/TCP or OnNet packages) should call the ftp technical support line at 1-800-282-4387 and ask for the "tn encrypt patch".

If you have an encrypting telnet from some other vendor, please contact that vendor for information regarding how to get a fixed version.

Theodore Ts'o
tytso@mit.edu
February 15, 1995

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBL0J6mUQVcM1Ga0KJAQH5RQP/UiH3ByLOa3nDczfnuIp2ToM+ix59CiHF
hIHMFfbWkzW1ggvCYhsdKe8rxwNQWqyAxWIBfvyQwv36LAt6c97QKEzF0XPKYD8S
vE+lQt3B71BOgdqaFDmth0+lENbLe7YRIfvrSDw/LIVut5rSl4cgtscceioLIzBp
8Zp1ENMBXR4=
=2feL
-----END PGP SIGNATURE-----

#! /bin/sh
# This is a shell archive. Remove anything before this line, then unpack
# it by saving it into a file and typing "sh file". To overwrite existing
# files, type "sh file -c". You can also feed this as standard input via
# unshar, or by typing "sh <file", e.g..
If this archive is complete, you # will see the following message at the end: # "End of shell archive." # Contents: telnet.patch telnet.patch.sig # Wrapped by tytso@dcl on Wed Feb 15 17:01:03 1995 PATH=/bin:/usr/bin:/usr/ucb ; export PATH if test -f 'telnet.patch' -a "${1}" != "-c" ; then echo shar: Will not clobber existing file \"'telnet.patch'\" else echo shar: Extracting \"'telnet.patch'\" \(4877 characters\) sed "s/^X//" >'telnet.patch' <<'END_OF_FILE' XIndex: auth.c X=================================================================== XRCS file: /mit/krb5/.cvsroot/src/appl/telnet/libtelnet/auth.c,v Xretrieving revision 5.5 Xretrieving revision 5.7 Xdiff -u -r5.5 -r5.7 X--- auth.c 1994/08/18 21:06:45 5.5 X+++ auth.c 1994/11/08 04:39:02 5.7 X@@ -244,7 +244,7 @@ X { X register int x; X X- if (strcasecmp(type, AUTHTYPE_NAME(0))) { X+ if (!strcasecmp(type, AUTHTYPE_NAME(0))) { X *maskp = -1; X return(1); X } X@@ -260,14 +260,14 @@ X X int X auth_enable(type) X- int type; X+ char * type; X { X return(auth_onoff(type, 1)); X } X X int X auth_disable(type) X- int type; X+ char * type; X { X return(auth_onoff(type, 0)); X } X@@ -277,15 +277,20 @@ X char *type; X int on; X { X- int mask = -1; X+ int i, mask = -1; X Authenticator *ap; X X if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) { X printf("auth %s 'type'\n", on ? 
"enable" : "disable"); X printf("Where 'type' is one of:\n"); X printf("\t%s\n", AUTHTYPE_NAME(0)); X- for (ap = authenticators; ap->type; ap++) X+ mask = 0; X+ for (ap = authenticators; ap->type; ap++) { X+ if ((mask & (i = typemask(ap->type))) != 0) X+ continue; X+ mask |= i; X printf("\t%s\n", AUTHTYPE_NAME(ap->type)); X+ } X return(0); X } X X@@ -293,7 +298,6 @@ X printf("%s: invalid authentication type\n", type); X return(0); X } X- mask = getauthmask(type, &mask); X if (on) X i_wont_support &= ~mask; X else X@@ -317,16 +321,22 @@ X auth_status() X { X Authenticator *ap; X+ int i, mask; X X if (i_wont_support == -1) X printf("Authentication disabled\n"); X else X printf("Authentication enabled\n"); X X- for (ap = authenticators; ap->type; ap++) X+ mask = 0; X+ for (ap = authenticators; ap->type; ap++) { X+ if ((mask & (i = typemask(ap->type))) != 0) X+ continue; X+ mask |= i; X printf("%s: %s\n", AUTHTYPE_NAME(ap->type), X (i_wont_support & typemask(ap->type)) ? X "disabled" : "enabled"); X+ } X return(1); X } X XIndex: kerberos.c X=================================================================== XRCS file: /mit/krb5/.cvsroot/src/appl/telnet/libtelnet/kerberos.c,v Xretrieving revision 5.5 Xretrieving revision 5.8 Xdiff -u -r5.5 -r5.8 X--- kerberos.c 1994/08/18 21:07:02 5.5 X+++ kerberos.c 1994/11/14 21:33:58 5.8 X@@ -225,9 +225,10 @@ X register int i; X X des_key_sched(cred.session, sched); X- des_set_random_generator_seed(cred.session); X- des_new_random_key(challenge); X- des_ecb_encrypt(challenge, session_key, sched, 1); X+ des_init_random_number_generator(cred.session); X+ des_new_random_key(session_key); X+ des_ecb_encrypt(session_key, session_key, sched, 0); X+ des_ecb_encrypt(session_key, challenge, sched, 0); X /* X * Increment the challenge by 1, and encrypt it for X * later comparison. X@@ -320,6 +321,11 @@ X break; X } X X+ /* X+ * Initialize the random number generator since it's X+ * used later on by the encryption routine. 
X+ */ X+ des_init_random_number_generator(session_key); X des_key_sched(session_key, sched); X memcpy((void *)datablock, (void *)data, sizeof(Block)); X /* X@@ -337,7 +343,7 @@ X * increment by one, re-encrypt it and send it back. X */ X des_ecb_encrypt(datablock, challenge, sched, 0); X- for (r = 7; r >= 0; r++) { X+ for (r = 7; r >= 0; r--) { X register int t; X t = (unsigned int)challenge[r] + 1; X challenge[r] = t; /* ignore overflow */ X XIndex: commands.c X=================================================================== XRCS file: /mit/krb5/.cvsroot/src/appl/telnet/telnet/commands.c,v Xretrieving revision 5.14 Xretrieving revision 5.16 Xdiff -u -r5.14 -r5.16 X--- commands.c 1994/08/18 21:07:37 5.14 X+++ commands.c 1994/11/08 06:42:49 5.16 X@@ -1919,8 +1919,8 @@ X }; X X extern int X- auth_enable P((int)), X- auth_disable P((int)), X+ auth_enable P((char *)), X+ auth_disable P((char *)), X auth_status P((void)); X static int X auth_help P((void)); X@@ -1959,6 +1959,12 @@ X { X struct authlist *c; X X+ if (argc < 2) { X+ fprintf(stderr, X+ "Need an argument to 'auth' command. 'auth ?' for help.\n"); X+ return 0; X+ } X+ X c = (struct authlist *) X genget(argv[1], (char **) AuthList, sizeof(struct authlist)); X if (c == 0) { X@@ -2015,7 +2021,7 @@ X EncryptEnable, 1, 1, 2 }, X { "disable", "Disable encryption. ('encrypt enable ?' for more)", X EncryptDisable, 0, 1, 2 }, X- { "type", "Set encryptiong type. ('encrypt type ?' for more)", X+ { "type", "Set encryption type. ('encrypt type ?' for more)", X EncryptType, 0, 1, 1 }, X { "start", "Start encryption. ('encrypt start ?' for more)", X EncryptStart, 1, 0, 1 }, X@@ -2058,6 +2064,12 @@ X char *argv[]; X { X struct encryptlist *c; X+ X+ if (argc < 2) { X+ fprintf(stderr, X+ "Need an argument to 'encrypt' command. 'encrypt ?' 
for help.\n"); X+ return 0; X+ } X X c = (struct encryptlist *) X genget(argv[1], (char **) EncryptList, sizeof(struct encryptlist)); END_OF_FILE if test 4877 -ne `wc -c <'telnet.patch'`; then echo shar: \"'telnet.patch'\" unpacked with wrong size! fi # end of 'telnet.patch' fi if test -f 'telnet.patch.sig' -a "${1}" != "-c" ; then echo shar: Will not clobber existing file \"'telnet.patch.sig'\" else echo shar: Extracting \"'telnet.patch.sig'\" \(284 characters\) sed "s/^X//" >'telnet.patch.sig' <<'END_OF_FILE' X-----BEGIN PGP MESSAGE----- XVersion: 2.6.1 X XiQCVAwUAL0JpS0QVcM1Ga0KJAQG61AP/VL/Q0WSxaMEdyyOOdelguAnEoR9XQir2 XtavtkPTouIJsveTQhpz4ONY2bkUve0HdnLoB9poUzcbZrDIT9xjgDJt2U/5mjLhq XQcwMMd7crD7TXJHxNSP5s19mWoc0USQ8R586mvufrgCBlX/WKLFR1GotDURQ9Ia7 XB57k9zoAQpk= X=Y5xl X-----END PGP MESSAGE----- END_OF_FILE if test 284 -ne `wc -c <'telnet.patch.sig'`; then echo shar: \"'telnet.patch.sig'\" unpacked with wrong size! fi # end of 'telnet.patch.sig' fi echo shar: End of shell archive. exit 0
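Review bot: auth_enable and auth_disable change their parameter from int to char * in the auth.c hunk at -260,14, and the only declaration this patch updates is the extern in commands.c (-1919,8). Both definitions are K&R style, so a stale declaration in any other file or header would not be caught by the compiler. Confirm that nothing else still declares them as taking int, or move the prototype into one shared header so the definition and every caller see the same type.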
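Review bot: the deletion of `mask = getauthmask(type, &mask);` in the auth.c hunk at -293,7 leaves the value of mask at `if (on)` entirely dependent on code above the hunk that the diff does not show. The -277,15 hunk keeps the initialiser `mask = -1`, so if mask is never narrowed, `i_wont_support &= ~mask` clears every bit and the else branch presumably sets every bit. A one-line comment naming where mask is filled in would make the removal reviewable on its own.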
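Review bot: in auth_status (auth.c hunk at -317,16) the new loop stores typemask(ap->type) in i and then calls typemask(ap->type) a second time in the printf argument; use `i_wont_support & i` there. The same skip-duplicates loop is added to the help branch of auth_onoff in the -277,15 hunk, so a small shared helper would stop the two copies drifting apart. The assignment inside the condition, `(mask & (i = typemask(ap->type)))`, would also read better as a separate statement before the test.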
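Review bot: the kerberos.c hunk at -225,9 changes which buffer receives the new random key (session_key instead of challenge) and flips the final argument of des_ecb_encrypt from 1 to 0, but adds no comment explaining why. This is the security-relevant part of the patch and the intended relationship between the random value, session_key and challenge should be written down next to the code. Two smaller points: `des_ecb_encrypt(session_key, session_key, sched, 0)` uses one buffer as both input and output, which is only safe if the DES routine allows that, so a temporary Block would remove the doubt; and as far as these lines show the generator is initialised from cred.session alone, so document what else, if anything, feeds it.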
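Review bot: the loop corrected to `r--` in the kerberos.c hunk at -337,7 is one of two places that increment the challenge; the context of the -225,9 hunk carries the comment "Increment the challenge by 1, and encrypt it for later comparison" for the other. Both ends have to carry in the same direction or the comparison will not match, so put the increment in one helper used by both and check that the other copy does not contain the same `r++` slip. With `r++` the index started at 7 and moved upward, away from the `r >= 0` bound, rather than walking down through the block.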
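Review bot: the new argc check in the commands.c hunk at -1959,6 reports its error with fprintf(stderr, ...), while the help and "invalid authentication type" messages in auth.c use printf; pick one stream for user-facing command errors. The identical check is added for the encrypt command in the -2058,6 hunk, so the same choice applies there. Before this check argv[1] went to genget without any test that it existed, which is worth a line in the commit message, since it is a separate fix from the Kerberos change.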