Discussion:
Microsoft Windows and *nix Telnet Port Number Argument Obfuscation
Kristian Hermansen
2005-06-07 22:09:41 UTC
I. BACKGROUND

Telnet is a standard networking tool available on almost every computing
platform that participates on a network.

II. DESCRIPTION

The second argument to the telnet executable, the port number, does not
need to conform to the standard available port conventions (i.e.
0-65535). It is actually possible to specify a port number very far out
of the effective range, and still be able to connect to the "wrapped"
port value. On Windows, it is even possible to specify negative port
values. Following is a short demonstration:

C:\>telnet localhost 65535999999999934485
220 localhost Microsoft FTP Service (Version 5.0).

C:\>telnet localhost -6553403371
220 localhost Microsoft FTP Service (Version 5.0).

You can create your own "wrapping" values by picking large numbers that
have a remainder of your specified port when modded with 65536. For
instance, in the example above:

65535999999999934485 % 65536 = 21

III. ANALYSIS

This is not a vulnerability at all, but could prove quite useful when
trying to obfuscate an admin's log of executed shell commands. For
instance, an unknowing admin looking at the arguments to telnet in this
example would be very confused. Other than this, there is no security
risk and the result is just interesting.

IV. DETECTION

I have confirmed that this will work on Microsoft Windows 2000 Server
SP4, Microsoft Windows Advanced Server SP0, Red Hat Linux Enterprise
Server 3.0, SuSE Professional 9.0, and Sun Solaris 8.

V. CREDIT

Discovered by Kristian Hermansen.
--
Kristian Hermansen <***@cisco.com>
Cisco Systems, Inc.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
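The mapping the post demonstrates, and the check a client that wanted to refuse such arguments would make, shown as an added example in C that is not the telnet source of any platform named above. The lenient routine models the mechanism as digit accumulation in wrapping unsigned arithmetic followed by a 16-bit truncation (an assumption about how the observed mod-65536 result arises, not a transcription of any vendor's code); the function names, the sample arguments beyond the post's two, and the 1..65535 acceptance range are the example's own choices.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Lenient parse, modelling what a client that effectively does
 *     port = atoi(argv[2]); sin.sin_port = htons(port);
 * ends up with (assumed mechanism, not a copy of any vendor's code): the
 * digits are accumulated in wrapping unsigned arithmetic (mod 2^64, which is
 * well defined in C), the sign is applied, and the value is truncated to
 * 16 bits. Since 65536 divides 2^64, the result is the literal value reduced
 * mod 65536, however many digits it has. Returns the port in 0..65535, or
 * -1 if the string is not a signed decimal integer. */
int wrapped_port(const char *s)
{
    uint64_t acc = 0;
    int negative = 0;

    if (*s == '-') { negative = 1; s++; } else if (*s == '+') { s++; }
    if (!isdigit((unsigned char)*s)) return -1;
    for (; *s != '\0'; s++) {
        if (!isdigit((unsigned char)*s)) return -1;
        acc = acc * 10u + (uint64_t)(*s - '0');   /* wraps mod 2^64 */
    }
    if (negative) acc = (uint64_t)0 - acc;        /* two's-complement negate */
    return (int)(acc & 0xFFFFu);                  /* the 16-bit truncation */
}

/* Strict parse: unsigned decimal digits only (no sign, no whitespace),
 * no overflow, nothing trailing, and 1..65535 (port 0 is not a destination
 * you can connect to). Returns the port, or -1 on any violation. */
int strict_port(const char *s)
{
    char *end;
    unsigned long v;

    if (s == NULL || !isdigit((unsigned char)*s)) return -1; /* "-6553403371", " 21" */
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;          /* overflow or trailing junk */
    if (v < 1 || v > 65535) return -1;                       /* out of range */
    return (int)v;
}

int main(void)
{
    /* The two arguments from the post, plus a few constructed ones. */
    const char *samples[] = {
        "21", "65535999999999934485", "-6553403371", "65561", "0x15", "21abc"
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s lenient -> %6d   strict -> %6d\n",
               samples[i], wrapped_port(samples[i]), strict_port(samples[i]));
    return 0;
}
```

Any C99 compiler builds it. The lenient column reproduces the post's observation that both 65535999999999934485 and -6553403371 land on port 21 (and that 65561 lands on 25), while the strict parser refuses anything that is not an in-range unsigned decimal, which is the check the lenient clients are missing.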
Nick FitzGerald
2005-06-08 03:04:45 UTC
Post by Kristian Hermansen
The second argument to the telnet executable, the port number, does not
need to conform to the standard available port conventions (i.e.
0-65535). It is actually possible to specify a port number very far out
of the effective range, and still be able to connect to the "wrapped"
port value. On Windows, it is even possible to specify negative port
Did you come down in the last shower?

This has been known since Adam was a cowboy.

On some OSes and depending on the tool parsing the cmdline, you can
also do similar things with octets within dotted IPs and other similar,
funky stuff.

Oh, and did you think to play around with expressing some of the values
in hex? Or even weirder, octal?

At least you note it is not a vulnerability -- I guess there is some
hope after all...


Regards,

Nick FitzGerald

Andrew Haninger
2005-06-08 07:07:34 UTC
Post by Nick FitzGerald
This has been known since Adam was a cowboy.
Well, this /is/ full-disclosure, no? Best to tell than to withhold.

And while I would hope that there aren't a rash of old-school
vulnerabilities blowing through the list, I, for one, was unaware that
you could specify telnet ports like that. I wouldn't be surprised if
I'm not alone. Now I'll know what's up if I ever see stuff like this.

Though it does worry me a bit that this came from a @cisco.com
address. Shouldn't they be kind of *YAWN* about all things networking?
--
Andy
Arjan van der Velde
2005-06-08 08:05:14 UTC
Hi,

I like reading posts in here to learn from. It would be good not to be too
hostile against people asking questions you already know the answer for or
even have known it for ages already. If I were to ask a question I would
like to be educated or at least pointed in the right direction. Some replies
really discourage people from asking.

- Arjan


Raghu Chinthoju
2005-06-08 10:16:56 UTC
The list charter says "Any information pertaining to vulnerabilities
is acceptable". So, technically, the original post by Kristian is not
fit to be posted to FD :)

Jokes apart, Nick seems to be a bit of a hard-humoured guy! Even though the
Charter says "Humour is acceptable provided it is inoffensive", this
kind of humor is quite usual on FD and acceptable to old-timers on
this list, I guess. So, next time when someone has to post a
vulnerability they *just* found, maybe they would look around to see
if they are the first ones.

And for asking questions or learning basics, maybe security-basics
and others are more appropriate than FD.

Raghu
Stan Bubrouski
2005-06-09 08:18:56 UTC
"Any information pertaining to vulnerabilities is acceptable, for
instance announcement and discussion thereof, exploit techniques and
code, related tools and papers, and other useful information."

Clearly this thread started as "useful information" as many people pointed out.

Also from the charter:

"Humour is acceptable in moderation, providing it is inoffensive.
Politics should be avoided at all costs."

So Nick maybe you should read the charter before flaming someone who
posted useful information?

-sb
Kristian Hermansen
2005-06-09 13:58:49 UTC
Post by Nick FitzGerald
This has been known since Adam was a cowboy.
Although I don't believe that your claim is unlikely, it would have been
nice to post a link to the original discovery to back it up. Everyone
that I have showed this to, personally, has not seen it before. And,
after some google searching, I could not locate anyone else either that
talked about this -- the closest thing was an old Microsoft telnet
advisory that didn't mention this behavior specifically.

With that said, I would like to ask anyone who has info about the
original discovery to please post it here (Nick didn't respond to my
email). I am interested to know more about it, and maybe the original
discoverer found other things as well...thanks
--
Kristian Hermansen <***@cisco.com>
Cisco Systems, Inc.
Etaoin Shrdlu
2005-06-09 15:06:19 UTC
Post by Kristian Hermansen
Post by Nick FitzGerald
This has been known since Adam was a cowboy.
He's right, you know.
Post by Kristian Hermansen
Although I don't believe that your claim is unlikely, it would have been
nice to post a link to the original discovery to back it up.
This is just foolishness.
Post by Kristian Hermansen
Everyone
that I have showed this to, personally, has not seen it before. And,
after some google searching, I could not locate anyone else either that
talked about this -- the closest thing was an old Microsoft telnet
advisory that didn't mention this behavior specifically.
Link? Why would there be a "link" to show where the "original advisory"
was? You have just got to be kidding.
Post by Kristian Hermansen
With that said, I would like to ask anyone who has info about the
original discovery to please post it here (Nick didn't respond to my
email). I am interested to know more about it, and maybe the original
discoverer found other things as well...thanks
Original discovery??? Don't you work for Cisco? Try either the Stevenson or
Doug Comer 3-volume set on networking. That'd probably help. I realize that
there seem to be a *whole* bunch of folk that feel that FD is a playground
and learning environment. For those of us actually looking at it as an
early warning system, think of Nick as being a vocal representative of the
majority of more senior security people on the list.

Please, if your objective is to learn about the basics, do it *elsewhere*.

--
The command line is useful for people who like to communicate
with their computers with a *language*, GUIs are for people
who like to communicate by *pointing and grunting*
So who's the Neanderthal? (J. J. Green)
Kristian Hermansen
2005-06-09 22:55:08 UTC
Post by Etaoin Shrdlu
For those of us actually looking at it as an
early warning system, think of Nick as being a vocal representative of the
majority of more senior security people on the list.
OK. Fair enough, but at least some people found it "informative". The
technique described probably does affect many networking tools, as you
stated, but one should ask if this is a proper coding technique or not
(think secure code). The input does not map to the expected output --
and the user should have been told that the port number is out of range.
Otherwise, what if he thinks 65571 is a valid port after executing that
command? He may be naive, but shouldn't the telnet programmer let him
know that he is mistaken in his port choice?

As an analogy, it is also true that a C programmer could pull some nice
tricks to optimize his code, but that code may confuse another
programmer trying to understand it. This is a system, like anything
else, and things are based on give/take. I don't see why allowing this
to happen actually helps anyone but the telnet programmer -- because it
could confuse many users. That's my rant and I'm done -- the users who
did not know about this have been informed and that was the point of the
original notice. My apologies to the "elite", who sit so highly upon
their horses and throw flames down from above ;-)
--
Kristian Hermansen <***@cisco.com>
Cisco Systems, Inc.
Chris Umphress
2005-06-12 06:46:13 UTC
Post by Kristian Hermansen
OK. Fair enough, but at least some people found it "informative". The
technique described probably does affect many networking tools, as you
stated, but one should ask if this is a proper coding technique or not
(think secure code). The input does not map to the expected output --
and the user should have been told that the port number is out of range.
Otherwise, what if he thinks 65571 is a valid port after executing that
command? He may be naive, but shouldn't the telnet programmer let him
know that he is mistaken in his port choice?
As an analogy, it is also true that a C programmer could pull some nice
tricks to optimize his code, but that code may confuse another
programmer trying to understand it. This is a system, like anything
else, and things are based on give/take. I don't see why allowing this
to happen actually helps anyone but the telnet programmer -- because it
could confuse many users.
Perhaps. If the user is using telnet (especially today), I would
generally assume they know a little bit about how their system works.
In today's world, sometimes we forget about memory and file size
optimizations. While telnet is not normally one of those files that
technicians try to cram onto their diagnostic Floppies/CDs, there
might be an occasion when it would be nice to save those few extra
bytes or kilobytes that these messages would take up.

While I don't disagree with you that user-friendly programs are nice,
there are times when other optimizations are favoured more.
--
Chris Umphress <http://daga.dyndns.org/>
Devdas Bhagat
2005-06-11 17:53:29 UTC
Post by Kristian Hermansen
Post by Nick FitzGerald
This has been known since Adam was a cowboy.
Although I don't believe that your claim is unlikely, it would have been
nice to post a link to the original discovery to back it up. Everyone
that I have showed this to, personally, has not seen it before. And,
Ask any C programmer what happens to integers that get incremented to
values greater than the maximum size they can contain. This wrapping
around of integers has been known for a few years. You may also want to
understand the effect of passing a leading 0 in the field, particularly
when it comes to IP address obfuscation.

I hope this helps.

Devdas Bhagat
Nick FitzGerald
2005-06-09 15:02:01 UTC
Post by Kristian Hermansen
Post by Nick FitzGerald
This has been known since Adam was a cowboy.
Although I don't believe that your claim is unlikely, it would have been
nice to post a link to the original discovery to back it up. ...
It was never "originally discovered". All manner of commandline
parsing of text to numbers has been doing this in many places for quite
some time. I did not post a URL to back it up as I have no idea where
I first came across this and it was so long ago that the odds of that
source still being available to cite are probably pretty low and I have
better things to do with my time.
Post by Kristian Hermansen
... Everyone
that I have showed this to, personally, has not seen it before. ...
Maybe that says that something about the "everyones" you know, rather
than saying anything about this minor factoid?
Post by Kristian Hermansen
... And,
after some google searching, I could not locate anyone else either that
talked about this -- the closest thing was an old Microsoft telnet
advisory that didn't mention this behavior specifically.
I just did a few minutes' Googling on likely phrases and turned up
hundreds of hits. Haven't got time to wade through them to find which
are most relevant, but it seems many people have come across similar
issues in commandline parsing code "wrapping" when they parse strings
representing values larger than 65535 that are supposed to be unsigned
16-bit integers and many of those are in the context of specifying port
numbers for TCP/IP networking.
Post by Kristian Hermansen
With that said, I would like to ask anyone who has info about the
original discovery to please post it here (Nick didn't respond to my
email). ...
Sorry -- been busy but I intended to (I'll write separately and explain
those idiomatic and possibly anachronistic expressions you couldn't
parse...).
Post by Kristian Hermansen
... I am interested to know more about it, and maybe the original
discoverer found other things as well...thanks
This stuff goes back to the ark -- I doubt those guys give a toss about
this list and what is discussed here...


Regards,

Nick FitzGerald

Stephen Blass
2005-06-08 18:39:32 UTC
It is a buffer overflow of sorts when a fixed length integer (or real or
double) like the telnet port argument exceeds the expected range and
mods out to become equal to the remainder that is left when the highest
order bits that don't fit get thrown away. In the telnet port case it
may not be a real 'vulnerability' but it is a reasonably good example of
unchecked arguments allowing for unexpected behavior. In the telnet
port case the overly large port number has already been crammed into the
available bits by the time the code could check it anyway. So how would
one teach telnet to throw away bogus port arguments that are too big
then? What about with dotted quads whose parts exceed 255? You might
use string arguments but then you have to watch for string overflows
which have plagued us for years and occasionally still do.

That you can connect to a mail host on port 25 by typing telnet
mailhost 65561 is either interesting or unsettling depending on your
point of view. In either case it is probably worth understanding if
you're the security guru on site or you write network code.

-
Steve

-----Original Message-----
From: full-disclosure-***@lists.grok.org.uk
[mailto:full-disclosure-***@lists.grok.org.uk] On Behalf Of Richard
John L Contractor 611 ACF/SCO
Sent: Wednesday, June 08, 2005 9:20 AM
To: 'Full Disclosure'
Subject: RE: [Full-disclosure] Microsoft Windows and *nix Telnet Port
NumberArgument Obfuscation

I agree with the individual below...some of us are still new to this
vulnerability thing (I for one) and appreciate lurking here and taking
it all in...as a matter of fact, I'd love to have the original poster,
re-post...I was talking to a few others who had no idea about this and
they'd love to see the article (which I'd deleted - for some reason???)

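Stephen Blass asks above how one would teach a client to throw away bogus arguments and what happens with dotted quads whose parts exceed 255, and Nick FitzGerald and Devdas Bhagat mention hex, octal and leading zeros in IP addresses. The following added example in C (not code from any of the posters or from any telnet implementation) puts the classic lenient parser, inet_addr(), beside the POSIX inet_pton() and a hand-rolled strict parser that spells out each check. The sample strings are constructed for the example and the function names are its own.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>

/* Classic BSD-style parsing via inet_addr(): accepts octal (leading 0),
 * hex (0x), fewer than four parts ("127.1" is 127.0.0.1; the last part
 * fills the remaining bytes) and a bare 32-bit integer. Returns the address
 * in host byte order, or -1 on failure. inet_addr() signals failure with
 * INADDR_NONE, which is also the encoding of 255.255.255.255; that
 * ambiguity is one more reason to prefer inet_pton() in new code. */
long long lenient_ipv4(const char *s)
{
    in_addr_t a = inet_addr(s);
    if (a == INADDR_NONE) return -1;
    return (long long)ntohl(a);
}

/* POSIX inet_pton(AF_INET, ...): exactly four decimal parts, each 0..255. */
long long posix_ipv4(const char *s)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return -1;
    return (long long)ntohl(a.s_addr);
}

/* Hand-rolled strict parser, spelling out the checks: four parts separated
 * by single dots, each 1..3 decimal digits, no leading zero (inet_addr()
 * would read that as octal), value 0..255, nothing trailing. */
long long strict_ipv4(const char *s)
{
    uint32_t addr = 0;
    int part;

    for (part = 0; part < 4; part++) {
        int value = 0, digits = 0;
        if (!isdigit((unsigned char)*s)) return -1;
        if (*s == '0' && isdigit((unsigned char)s[1])) return -1;  /* "0177" */
        while (isdigit((unsigned char)*s)) {
            value = value * 10 + (*s - '0');
            if (++digits > 3 || value > 255) return -1;           /* "256", "2130706433" */
            s++;
        }
        addr = (addr << 8) | (uint32_t)value;
        if (part < 3) {
            if (*s != '.') return -1;   /* too few parts, or "0x7f", etc. */
            s++;
        }
    }
    if (*s != '\0') return -1;          /* trailing junk or a fifth part */
    return (long long)addr;
}

int main(void)
{
    /* Constructed samples: every lenient spelling below except the last
     * is 127.0.0.1 to inet_addr(). */
    const char *samples[] = {
        "127.0.0.1", "0177.0.0.1", "0x7f.1", "127.1", "2130706433", "1.2.3.256"
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s inet_addr -> %11lld   inet_pton -> %11lld   strict -> %11lld\n",
               samples[i], lenient_ipv4(samples[i]), posix_ipv4(samples[i]),
               strict_ipv4(samples[i]));
    return 0;
}
```

On a glibc or BSD libc the first column resolves all five obfuscated spellings to 2130706433 (0x7F000001, i.e. 127.0.0.1) and rejects only the octet of 256, while inet_pton() and the strict parser accept just the canonical dotted quad. The same pattern, reject rather than reduce, is the answer to the port question: validate the text before it is ever narrowed into the field it will be stored in.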
Atte Peltomaki
2005-06-09 08:04:06 UTC
Post by Stephen Blass
That you can connect to a mail host on port 25 by typing telnet
mailhost 65561 is either interesting or unsettling depending on your
point of view. In either case it is probably worth understanding if
you're the security guru on site or you write network code.
Post by Nick FitzGerald
This has been known since Adam was a cowboy.
Well, this /is/ full-disclosure, no? Best to tell than to withhold.
I enjoyed reading this posting very much, because it was new information
to me, and to many others on this list it seems.

I did not enjoy at all reading mr. FitzGerald's abusive flame.
--
____________
\ ______// Atte Peltomäki - ***@F-Secure.com
\ \\____ IT Engineer - IT Server Team
\ __// F-Secure Corp. PL 24, FIN-00181 Helsinki, Finland
\ \\ Tel: +358 9 2520 0700, direct: +358 9 2520 5423
\ // http://www.F-Secure.com
\/ Integrated Solutions for Enterprise Security
Nick FitzGerald
2005-06-10 00:58:36 UTC
Post by Atte Peltomaki
I enjoyed reading this posting very much, because it was new information
to me, and to many others on this list it seems.
That's nice for you all, I'm sure...

I enjoy chocolate cake -- not just eating them, but _making_ chocolate
cakes (there goes my rep as a mean techno-geek...). However, reading
chocolate cake recipes here -- and pretty much any other chocolate cake
discussion than this -- would not be "enjoyable", as there is a time
and place for everything, as F-D is not the place for chocolate cake,
nor for the bleeding obvious anyone out of nappies should know.
Post by Atte Peltomaki
I did not enjoy at all reading mr. FitzGerald's abusive flame.
Cough, splutter...

"flame"?

"abusive"?????

You must be just a child...
Post by Atte Peltomaki
____________
\ \\____ IT Engineer - IT Server Team
\ __// F-Secure Corp. PL 24, FIN-00181 Helsinki, Finland
\ \\ Tel: +358 9 2520 0700, direct: +358 9 2520 5423
\ // http://www.F-Secure.com
\/ Integrated Solutions for Enterprise Security
...yet I thought Finland had strong child-exploitation protection laws?

Hmmmmmm...

Go ask Mikko and Katrin about me, flaming and "abuse"...


Regards,

Nick FitzGerald
