Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Net::Telnet::Chunk is insecure #5

Closed
Kaiepi opened this issue Aug 7, 2018 · 6 comments
Closed

Net::Telnet::Chunk is insecure #5

Kaiepi opened this issue Aug 7, 2018 · 6 comments
Labels
hacktoberfest

Comments

@Kaiepi
Copy link
Owner

Kaiepi commented Aug 7, 2018

Apart from Net::Telnet::Chunk not being very optimized, say a server sends a message like so: IAC WILL NAWS IAC SB 0 80 0 60 IAC IAC IAC IAC IAC IAC IAC IAC IAC IAC IAC IAC. Net::Telnet::Chunk will parse the IAC WILL NAWS and add the rest of the message to the parser buffer. If the server keeps sending messages, two things can happen:

  • the connection stays open forever
  • the server can keep sending messages until the client runs out of memory

Grammars probably aren't suitable for parsing Telnet messages for this reason. Net::Connection.parse should be refactored to use a more traditional method of parsing Telnet messages to prevent this from happening.
@Kaiepi
Copy link
Owner Author

Kaiepi commented Oct 5, 2018
edited

Alternatively, refactor the Net::Telnet::Chunk grammar to throw an error if it encounters a scenario like this. Catch x number of times in the parse method and close the connection once the number of errors thrown in a row exceeds x. The method I mentioned in the OP requires much more refactoring, but if you wish to follow that instead, follow how curl handles parsing telnet messages.

@JJ
Copy link

JJ commented Oct 5, 2018

I'd really love to help here, but I don't know the first thing about Telnet. I have no idea what the acronyms above mean, why that's insecure, if there's a test for that already, if someone would have to write the test before...
Could you maybe please clarify, with pointers to the code if that's convenient for you? Catching repeated elements in a list shouldn't be difficult, and writing a test for that, but I'm not sure if that's what you're needing.

@Kaiepi
Copy link
Owner Author

Kaiepi commented Oct 5, 2018

It's insecure because if a telnet server is badly written or malicious, it could try to send messages like the example I gave in the OP, which this currently doesn't handle properly. The acronyms represent different telnet commands, which can be found in RFC854. The grammar used to parse telnet messages is here. At the moment, it trusts that all negotiations/subnegotations will be sent exactly as specified in the spec, which may not always be the case. Like I mentioned earlier, adding an error method to the grammar to throw something like X::Net::Telnet::InvalidMessage if any of the tokens in the grammar fail to parse would help mitigate this.

@JJ
Copy link

JJ commented Oct 5, 2018 via email

@Kaiepi
Copy link
Owner Author

Kaiepi commented Nov 4, 2018

@JJ any progress?

@JJ
Copy link

JJ commented Nov 5, 2018 via email

@Kaiepi Kaiepi closed this as completed in e3c7e8c Jan 7, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
hacktoberfest
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@JJ @Kaiepi