rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Exploits spawning telnetd don't stop the service on session close #10515

Open wvu opened 6 years ago

wvu commented 6 years ago

This was a complaint I raised when we considered telnetd as a payload in #9364. It directly resulted in #9353 being written.

Several modules spawn an unauthed telnetd to create a session against, but when the session is closed or dies, the service remains running, happily providing shells indefinitely. Obviously this is no good if the operator forgets to stop the service.

While #9353 was intended to solve this problem, there have been inconsistencies in its execution. We'll want to sort those out in the future. For now, I'm putting up this ticket to document the problem and the modules that need fixing.

wvu@kharak:~/metasploit-framework:master$ git grep telnetd modules
modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb:        In order to get a remote shell the telnetd could be started without any
modules/auxiliary/admin/http/linksys_e1500_e2500_exec.rb:        OptString.new('CMD', [ true, 'The command to execute', 'telnetd -p 1337'])
modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb:      'Description' => 'Detect telnet services vulnerable to the encrypt option Key ID overflow (BSD-derived telnetd)',
modules/exploits/linux/http/asuswrt_lan_rce.rb:      This exploit leverages that to start telnetd in a random port, and then connects to it.
modules/exploits/linux/http/asuswrt_lan_rce.rb:    cmd = "/usr/sbin/telnetd -l /bin/sh -p #{telnet_port}" + [0x00].pack('C*')
modules/exploits/linux/http/belkin_login_bof.rb:          'Marco Vaz <mv[at]integrity.pt>', # Vulnerability discovery and msf module (telnetd)
modules/exploits/linux/http/dlink_command_php_exec_noauth.rb:    cmd = "telnetd -p #{telnetport}"
modules/exploits/linux/http/dlink_command_php_exec_noauth.rb:    #starting the telnetd gives no response
modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb:    cmd = "telnetd -p #{telnet_port} -l/bin/sh"
modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb:        generic payload and try to start telnetd or execute other commands. Since it is a
modules/exploits/linux/http/dlink_dir300_exec_telnet.rb:    cmd = "telnetd -p #{telnetport}"
modules/exploits/linux/http/dlink_dir300_exec_telnet.rb:    #starting the telnetd gives no response
modules/exploits/linux/http/netgear_wnr2000_rce.rb:      "killall telnetenable; killall utelnetd; /usr/sbin/utelnetd -d -l /bin/sh"             # payload
modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb:    cmd = "echo \"#{telnet_port} stream tcp nowait root /usr/sbin/telnetd telnetd\" > /tmp/#{inetd_cfg}"
modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb:    print_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd")
modules/exploits/linux/http/tp_link_sc2020n_authenticated_telnet_injection.rb:        cmd = "telnetd -p #{telnet_port} -l/bin/sh"
modules/exploits/linux/http/trueonline_billion_5200w_rce.rb:    command = "utelnetd -l /bin/sh -p #{datastore['TelnetPort']} -d"
modules/exploits/linux/http/trueonline_p660hn_v1_rce.rb:        'remote_host' => ";utelnetd -l /bin/sh -p #{datastore['TelnetPort']} -d;#",
modules/exploits/linux/misc/asus_infosvr_auth_bypass_exec.rb:    print_status "#{rhost} - Starting telnetd on port #{telnet_port}..."
modules/exploits/linux/misc/asus_infosvr_auth_bypass_exec.rb:    udp_sock.put request "telnetd -l /bin/sh -p #{telnet_port}"
modules/exploits/linux/telnet/netgear_telnetenable.rb:        This module sends a magic packet to a NETGEAR device to enable telnetd.
modules/exploits/linux/telnet/netgear_telnetenable.rb:    # Try to do the exploit unless telnetd is detected
modules/exploits/linux/telnet/netgear_telnetenable.rb:    # Detect TCP or UDP and presence of telnetd
modules/exploits/linux/telnet/netgear_telnetenable.rb:    connect_telnetd
modules/exploits/linux/telnet/netgear_telnetenable.rb:      # telnetenabled returns no data, unlike telnetd
modules/exploits/linux/telnet/netgear_telnetenable.rb:        print_good('Detected telnetd on TCP')
modules/exploits/linux/telnet/netgear_telnetenable.rb:    # Wait a couple seconds for telnetd to come up
modules/exploits/linux/telnet/netgear_telnetenable.rb:    print_status('Waiting for telnetd')
modules/exploits/linux/telnet/netgear_telnetenable.rb:  def connect_telnetd
modules/exploits/linux/telnet/netgear_telnetenable.rb:    print_status('Connecting to telnetd')
modules/exploits/linux/telnet/telnet_encrypt_keyid.rb:        Linux systems running telnetd.
modules/exploits/solaris/telnet/fuser.rb:        in the telnet daemon (in.telnetd) of Solaris 10 and 11.
modules/exploits/solaris/telnet/ttyprompt.rb:      'Name'           => 'Solaris in.telnetd TTYPROMPT Buffer Overflow',
modules/post/multi/recon/sudo_commands.rb:      ncat netcat netcat.traditional nc nc.traditional openssl socat telnet telnetd
wvu@kharak:~/metasploit-framework:master$

This list will need culling. Some of these are false positives, but I wanted to document them all.

Thanks!

bcoles commented 6 years ago

False positives, as they are not exploits and do not execute commands

False positives, as they do not spawn a telnetd

Likely false positives

    register_advanced_options [
      # If the session is killed (CTRL+C) rather than exiting cleanly,
      # the telnet port remains open, but is unresponsive, and prevents
      # re-exploitation until the device is rebooted.
      OptString.new('CommandShellCleanupCommand', [true, 'A command to run before the session is closed', 'exit'])
    ]

TODO
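
The failure mode described in this issue, and the effect of the CommandShellCleanupCommand default of 'exit' versus a cleanup command that actually kills the spawned daemon, as an added stand-alone example (not Metasploit code, not a module from the list above). It assumes Linux MRI Ruby with fork and a POSIX /bin/sh. The "telnetd" is a local stand-in: a listener that hands each connection to /bin/sh with the socket as stdin/stdout, which gives the same process shape as busybox telnetd -l /bin/sh (the shell's parent is the listener). The harness plays the role of the framework: it opens a session, runs a command, sends the cleanup command, closes the socket, and then checks whether the listener is still alive. Only the option name and its meaning ("a command to run before the session is closed") come from the snippet quoted above; the rest is this example's own simulation.

```ruby
require 'socket'

# Stand-in for "telnetd -l /bin/sh -p PORT": hand every connection to /bin/sh
# with the socket as the shell's stdin/stdout/stderr. The shell's parent is the
# listener, as with busybox telnetd -l. Returns [listener_pid, port].
def start_fake_telnetd
  listener = TCPServer.new('127.0.0.1', 0)   # port 0: kernel picks a free port
  port = listener.addr[1]
  pid = fork do
    trap('TERM') { exit!(0) }   # die at once; skip at_exit hooks inherited from the harness
    loop do
      client = listener.accept
      shell = Process.spawn('/bin/sh', in: client, out: client, err: client)
      Process.detach(shell)      # reap the shell when its session ends
      client.close               # the shell holds its own copy of the socket
    end
  end
  # The harness must not keep the listening socket open, or the kernel would
  # keep accepting connections after the listener process is gone.
  listener.close
  [pid, port]
end

# Send one command over the "session" and return the first line of output.
def run_command(sock, cmd, timeout: 5)
  sock.puts(cmd)
  raise 'shell did not answer' unless IO.select([sock], nil, nil, timeout)
  line = sock.gets
  raise 'shell closed the connection' if line.nil?
  line.chomp
end

# Does the listener exit within `timeout` seconds? Uses waitpid rather than
# kill(0) so a zombie is not mistaken for a live listener.
def listener_exited?(pid, timeout: 1.5)
  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout
  loop do
    return true if Process.waitpid(pid, Process::WNOHANG)
    return false if Process.clock_gettime(Process::CLOCK_MONOTONIC) > deadline
    sleep 0.05
  end
rescue Errno::ECHILD
  true
end

# Open a session, prove it works, run `cleanup_command` the way the framework
# would run CommandShellCleanupCommand, close the session, and report whether
# the listener is still up afterwards (true = it kept serving shells).
def listener_survives_close?(cleanup_command)
  pid, port = start_fake_telnetd
  sock = TCPSocket.new('127.0.0.1', port)
  raise 'no shell' unless run_command(sock, 'echo session-ok') == 'session-ok'
  sock.puts(cleanup_command)
  sock.close
  survived = !listener_exited?(pid)
  if survived
    # What the operator has to do by hand when the module forgot: kill it.
    Process.kill('TERM', pid)
    Process.waitpid(pid)
  end
  survived
end

if __FILE__ == $PROGRAM_NAME
  puts "cleanup 'exit'             -> listener survives: #{listener_survives_close?('exit')}"
  puts "cleanup 'kill $PPID; exit' -> listener survives: #{listener_survives_close?('kill $PPID; exit')}"
end
```

Two caveats when carrying this over to real modules. 'kill $PPID' only works where the shell's parent is the daemon that was spawned for the session (busybox telnetd -l, utelnetd -l); for the inetd-style start used by the raidsonic module the parent is inetd, and 'killall telnetd' would also take down a telnetd the device was legitimately running before exploitation. And, as the quoted comment says, the cleanup command only runs on a clean session close; a session killed with CTRL+C runs no command at all, so the listener is left behind either way.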

wvu commented 6 years ago

Legend. :-)

github-actions[bot] commented 3 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.