Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

telnetd exploit

Is there a CS IDS signature for the telnetd exploit described in CERT Advisory CA-2001-21 "Buffer Overflow in telnetd"?

Cisco Employee

Re: telnetd exploit

This is not currently detected in version 2.5(1)S3.

Our development team is working on creating a signature to detect this exploit.

Community Member

Re: telnetd exploit

TelnetD exploit Snort Rull Set.


alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (flags: A+; content: "|0D0A|[Yes]|0D0A FFFE 08FF FD26|"; msg: "TESO *BSD Telnet exploit query response"; classtype: attempted-admin; sid: 1252; rev: 2; reference: bugtraq,3064; reference:cve,CAN-2001-0554;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (flags: A+; dsize: >200; content: "|FF F6 FF F6 FF FB 08 FF F6|"; offset: 200; depth: 50; msg: "TESO *BSD Telnet client exploit finishing"; classtype: successful-admin; sid: 1253; rev: 2; reference: bugtraq,3064; reference:cve,CAN-2001-0554;)

Cisco Employee

Re: telnetd exploit

Jul 27, 2001, 1:20pm Pacific

The following instructions provide a guide for adding a custom signature to your Cisco IDS 3.0 sensor using the Signature Wizard tool. This signature will be included in an upcoming signature update.

Cisco IDS 3.0 is currently available at Software Center on CCO (

). The upgrade paths are as follows:

2.2.1 sensor --> 3.0 sensor:

CD upgrade to 2.5, CCO download of service pack 2.5(0)S1, CCO download of 3.0. (The upgrade CD that will enable a direct upgrade from 2.2.1 to 3.0 will be available shortly)

2.5 sensor --> 3.0 sensor:

CCO download.


The latest versions of CSPM & the Unix Director are 2.3.1i & 2.2.2a, respectively.

########## Critical Signature Update ###############

The Cisco security research team has released the following custom

signature to provide immediate coverage to customers of the Cisco Secure

Intrusion Detection System.

Vulnerability: BSD Telnet Daemon Buffer Overflow

Date: July 27, 2001

A buffer overflow condition was recently discovered in telnet daemons derived

from the BSD (Berkeley) telnet source. By exploiting this vulnerability, remote

attackers can completely compromise the security of a system. This vulnerability

has been widely publicized and exploit tools are available on the Internet.

For more information about this vulnerability, please consult the Cisco Secure

Encyclopedia entry listed below:

######### Adding the Custom Signature ###############

Note: The following instructions provide a guide for adding a custom signature

to your CSIDS 3.0 sensor using the Signature Wizard tool. It is recommended

that you read the Signature Wizard documentation before adding any custom

signatures to your sensor. Online documentation can be found at:

Log into your sensor as the user 'netrangr'. From the command prompt, type

'SigWizMenu' and follow the guide below.

Main Menu:

a) Select option 2 to create new custom signature.

Add NEW Custom Signature:

a) Select option 1, and set the Engine Name to STRING.TCP (choice 16).

b) Select option 2 to generate a SIGID.

c) Select option 4, and set the Signature Name to

'BSD Telnet Daemon Buffer Overflow'.

d) Select option 5 to continue.

Adjust Alarm Severity and Action:

a) Select option 5 to set the Alarm Severity to 5.

1) Select an option to choose the desired action.

2) Select option x to continue.

b) Select option x to continue.


a) Select option 1, and set the AlarmThrottle to 'FireOnce'.

b) Select option 3, and set the Direction to 'ToService'.

c) Select option 7, and set the MinMatchLength to '500'.

d) Select option 9, and set the RegexString to:


e) Select option 11, and set the ServicePorts to '23'.

f) Select option 14, and set the SigStringInfo to 'telnetd buffer overflow'.

g) Select option x to continue.

After completing the steps above, your screen to should look like this.

1 - AlarmThrottle = FireOnce

2 - ChokeThreshold =

3 - Direction = ToService

4 - FlipAddr =

5 - MaxInspectLength =

6 - MinHits = 1

7 - MinMatchLength = 500

8 - MultipleHits =

9 * RegexString = \xFF\xFA\x27\x00\x03(\x30){5,}[\x01-\xFF\x00]+\xFF\xF0

10 - ResetAfterIdle = 15

11 - ServicePorts = 23

12 - SigComment =

13 - SigName = BSD Telnet Daemon BufferOverflow

14 - SigStringInfo = telnetd buffer overflow

15 - StripTelnetOptions =

16 - ThrottleInterval = 15

17 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue

Exit and Save:

a) Press enter to return to the main menu.

b) Select x to exit.

c) Select y to save the signature and exit.

After exiting SigWizMenu, you should have something like the following.

In /usr/nr/etc/SigUser.conf:

Engine STRING.TCP SIGID 20000 AlarmThrottle FireOnce Direction ToService MinHits

1 MinMatchLength 500 RegexString \xFF\xFA\x27\x00\x03(\x30){5,}[\x01-\xFF\x00]+

\xFF\xF0 ResetAfterIdle 15 ServicePorts 23 SigName BSD Telnet Daemon BufferOverf

low SigStringInfo telnetd buffer overflow ThrottleInterval 15

In /usr/nr/etc/SigSettings.conf:

SigOfGeneral 20000 6 5 5 5 5 5 5 5

CreatePlease to create content