Telnetd Version


Most versions of SGI's IRIX telnet daemon (telnetd) are vulnerable to an exploit that could lead to remote root access.

The problem

There is a format string vulnerability in the telnet daemon (telnetd) found on IRIX systems. telnetd calls the syslog function when the client requests to set a certain type of environment variable. The format string used with the syslog call is partially supplied by the telnet client. By supplying a specially crafted variable/value pair, a remote user can cause the program to be redirected to arbitrary code.

Exploitation of this vulnerability could allow remote root access to the system. IRIX 6.2 through IRIX 6.5.8 are affected by this vulnerability. IRIX 5.2 through IRIX 6.1 are affected only if the 1010/1020 security patch was applied.


As of 14 August 2000, SGI has not provided a patch for this problem. The workarounds include:


CVE Reference(s):