[Apple] libtelnet arbitrary C execution Vulnerability

Posted on 30 November -0001

###########################################################
# Exploit Title : [Apple] libtelnet arbitrary C execution Vulnerability
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage: http://apple.com
# Date : 2017 23 March
# Category : Operating system (OS) - Mac OS
# MY HOME : Ashiyane.org
# Software Link : https://opensource.apple.com/source/libtelnet/libtelnet-13/read_password.c.auto.html
###########################################################
## Files : read_password.c
## Details : Some of the code in this program is not filtered.
## Code : stdin
## Patch : $stdin
###########################################################
########## Vulnerability CODE ##########

    /* Turn off echo */
    tty_state.sg_flags &= ~ECHO;
    if (ioctl(0,TIOCSETP,(char *)&tty_state) == -1)
        return -1;
    while (!ok) {
        (void) printf("%s", prompt);
        (void) fflush(stdout);
        /* Retry until a line is read; at most max-1 bytes are stored in s */
        while (!fgets(s, max, stdin));
        /* Strip the trailing newline */
        if ((ptr = strchr(s, '\n')))
            *ptr = '\0';
        if (verify) {
            printf("\nVerifying, please re-enter %s",prompt);
            (void) fflush(stdout);
            if (!fgets(key_string, sizeof(key_string), stdin)) {
                clearerr(stdin);
                continue;
            }
            if ((ptr = strchr(key_string, '\n')))
                *ptr = '\0';
            /* Both entries must match, otherwise prompt again */
            if (strcmp(s,key_string)) {
                printf("\n\07\07Mismatch - try again\n");
                (void) fflush(stdout);
                continue;
            }
    /* The excerpt ends here; the remainder of the function is not shown. */

################################################
# Discovered By : Hassan Shakeri
# Twitter : @ShakeriHassan - Fb.com/General.BlackHat - Me@Seravo.ir
###########################################################
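An added example, not code from Apple's libtelnet or from the advisory: the same prompt-and-verify loop written defensively, so that it stops on EOF instead of retrying `fgets` forever, rejects a line that does not fit the buffer, limits retries, and wipes the buffers on failure. The names `read_line`, `wipe` and `read_pw`, the retry limit of 3 and the return codes are assumptions; the streams are passed in as parameters and the terminal echo handling is left out.

```c
#include <stdio.h>
#include <string.h>

/* Read one line into buf (n bytes). 0 = ok, -1 = EOF/error, -2 = too long. */
static int read_line(FILE *in, char *buf, size_t n)
{
    char *nl;
    int c;

    if (n < 2 || !fgets(buf, (int)n, in))
        return -1;                      /* EOF or error: report, do not spin */
    if ((nl = strchr(buf, '\n'))) { *nl = '\0'; return 0; }
    c = getc(in);
    if (c == '\n' || c == EOF)
        return 0;                       /* line filled the buffer exactly */
    while ((c = getc(in)) != '\n' && c != EOF)
        ;                               /* discard the rest of the long line */
    return -2;
}

/* Zero a buffer through a volatile pointer so the stores are kept. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Hypothetical helper: returns 0 and fills s on success; returns -1 on EOF,
 * overlong input or three mismatches, with s wiped. */
int read_pw(FILE *in, FILE *out, const char *prompt, char *s, size_t max, int verify)
{
    char again[128];
    int tries, rc = -1;

    for (tries = 0; tries < 3 && rc != 0; tries++) {
        fprintf(out, "%s", prompt);
        fflush(out);
        if (read_line(in, s, max) != 0) break;
        if (!verify) { rc = 0; break; }
        fprintf(out, "\nVerifying, please re-enter %s", prompt);
        fflush(out);
        if (read_line(in, again, sizeof again) != 0) break;
        if (strcmp(s, again) == 0) rc = 0;
        else fprintf(out, "\nMismatch - try again\n");
    }
    wipe(again, sizeof again);          /* verification copy never outlives the call */
    if (rc != 0) wipe(s, max);
    return rc;
}
```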
