SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Telnet
Vendors:   MIT
(MIT Issues Fix for Kerberos) Telnet Client Buffer Overflow in slc_add_reply() and env_opt_add() Lets Remote Servers Execute Arbitrary Code
SecurityTracker Alert ID:  1013601
SecurityTracker URL:  http://securitytracker.com/id/1013601
CVE Reference:   CVE-2005-0468, CVE-2005-0469
Date:  Mar 30 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.4 and prior versions
Description:   iDEFENSE reported two buffer overflow vulnerabilities in Telnet, affecting several vendor implementations. A remote server can execute arbitrary code on a connected target user's client. MIT Kerberos is affected.

A remote telnet server can send a large number of specially crafted LINEMODE Set Local Character (SLC) commands to trigger an overflow in the slc_add_reply() function.

Solar Designer has provided the following demonstration exploit:

perl -e 'print "\377", "\372\42\3\377\377\3\3" x 43, "\377\360"' | nc -l 23

A remote server can also return specially crafted characters that will be escaped by the target user's client, overflowing a buffer in the env_opt_add() function.

Arbitrary code can be executed with the privileges of the target user.

Several telnet client implementations are affected.

The vendors were notified on February 18, 2005.

The original advisories are available at:

http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities

Impact:   A remote server can execute arbitrary code on a connected target user's system with the privileges of the target user.
Solution:   The vendor has released a patch, available at:

http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt

The associated detached PGP signature is at:

http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt.asc

Vendor URL:  web.mit.edu/kerberos/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 28 2005 Telnet Client Buffer Overflow in slc_add_reply() and env_opt_add() Lets Remote Servers Execute Arbitrary Code



 Source Message Contents

Subject:  MITKRB5-SA-2005-001: buffer overflows in telnet client


-----BEGIN PGP SIGNED MESSAGE-----

                 MIT krb5 Security Advisory 2005-001

Original release: 2005-03-28

Topic: Buffer overflows in telnet client

Severity: serious

SUMMARY
=======

The telnet client program supplied with MIT Kerberos 5 has buffer
overflows in the functions slc_add_reply() and env_opt_add(), which
may lead to remote code execution.

IMPACT
======

An attacker controlling or impersonating a telnet server may execute
arbitrary code with the privileges of the user running the telnet
client.  The attacker would need to convince the user to connect to a
malicious server, perhaps by automatically launching the client from a
web page.  Additional user interaction may not be required if the
attacker can get the user to view HTML containing an IFRAME tag
containing a "telnet:" URL pointing to a malicious server.

AFFECTED SOFTWARE
=================

* telnet client programs included with the MIT Kerberos 5
  implementation, up to and including release krb5-1.4.

* Other telnet client programs derived from the BSD telnet
  implementation may be vulnerable.

FIXES
=====

* WORKAROUND: Disable handling of "telnet:" URLs in web browsers,
  email readers, etc., or remove execute permissions from the telnet
  client program.

* The upcoming krb5-1.4.1 patch release will contain fixes for this
  problem.

* Apply the patch found at:

  http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt.asc

  The patch was generated against the krb5-1.4 release.  It may apply
  against earlier releases with some offset.

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

[IDEF0866] Multiple Telnet Client slc_add_reply() Buffer Overflow
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities

CVE: CAN-2005-0469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469

[IDEF0867] Multiple Telnet Client env_opt_add() Buffer Overflow
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities

CVE: CAN-2005-0468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468

ACKNOWLEDGMENTS
===============

Thanks to iDEFENSE for notifying us of these vulnerabilities, and for
providing useful feedback.

DETAILS
=======

The slc_add_reply() function in telnet.c performs inadequate length
checking.  By sending a carefully crafted telnet LINEMODE suboption
string, a malicious telnet server may cause a telnet client to
overflow a fixed-size data segment or BSS buffer and execute arbitrary
code.

The env_opt_add() function in telnet.c performs inadequate length
checking.  By sending a carefully crafted telnet NEW-ENVIRON suboption
string, a malicious telnet server may cause a telnet client to
overflow a heap buffer and execute arbitrary code.
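The two length checks the advisory calls inadequate, shown from the defender's side as an added C example written for this page: it is not MIT krb5's telnet.c and does not reproduce that code. The `_checked` function names, the `obuf` helper, the 128-byte reply size and the `*_demo` inputs are illustrative assumptions; the protocol byte values follow RFC 854, RFC 1184 (LINEMODE SLC) and RFC 1572 (NEW-ENVIRON). The SLC builder refuses a triplet unless the worst-case escaped size fits in the fixed buffer, which is the failure mode of the slc_add_reply() bug (Description and DETAILS above); the NEW-ENVIRON builder sizes its heap allocation from the escaped length instead of the raw length, which is the failure mode of env_opt_add().

```c
/* Added example for this page: bounded builders for the LINEMODE SLC and
 * NEW-ENVIRON replies the advisory describes.  Not MIT krb5 code; names
 * ending in _checked and the 128-byte reply size are assumptions.
 * Protocol constants follow RFC 854 / RFC 1184 / RFC 1572. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IAC 255
#define SB  250
#define SE  240
#define TELOPT_LINEMODE    34
#define TELOPT_NEW_ENVIRON 39
#define LM_SLC        3
#define TELQUAL_IS    0
#define NEW_ENV_VAR   0
#define NEW_ENV_VALUE 1
#define ENV_ESC       2
#define SLC_REPLY_CAP 128   /* fixed-size (BSS-style) reply buffer, assumed */

struct obuf { unsigned char *p; size_t cap; size_t len; };

/* Append one raw byte; refuse instead of writing past cap. */
static bool put_byte(struct obuf *b, unsigned char c) {
    if (b->len >= b->cap) return false;
    b->p[b->len++] = c;
    return true;
}

/* Append a data byte with wire escaping: IAC is doubled; inside NEW-ENVIRON,
 * VAR/VALUE/ESC are prefixed with ESC.  Escaping is what makes the output
 * longer than the input, and that growth is what unchecked sizing misses. */
static bool put_escaped(struct obuf *b, unsigned char c, bool env_rules) {
    if (c == IAC) return put_byte(b, IAC) && put_byte(b, IAC);
    if (env_rules && (c == NEW_ENV_VAR || c == NEW_ENV_VALUE || c == ENV_ESC))
        return put_byte(b, ENV_ESC) && put_byte(b, c);
    return put_byte(b, c);
}

/* Hardened slc_add_reply: one triplet can expand to 6 bytes, so require that
 * much room up front rather than trusting the server's triplet count. */
bool slc_add_reply_checked(struct obuf *b, unsigned char func,
                           unsigned char flags, unsigned char level) {
    if (b->cap - b->len < 6) return false;
    return put_escaped(b, func, false) && put_escaped(b, flags, false)
        && put_escaped(b, level, false);
}

/* Echo a server SLC suboption body (the triplets after IAC SB LINEMODE SLC)
 * into a bounded reply.  Returns the triplet count, or -1 when the list does
 * not fit; the caller then abandons the negotiation instead of the buffer. */
int handle_slc_suboption(const unsigned char *body, size_t n,
                         unsigned char *reply, size_t cap, size_t *out_len) {
    struct obuf b = { reply, cap, 0 };
    int count = 0;
    if (!(put_byte(&b, IAC) && put_byte(&b, SB) &&
          put_byte(&b, TELOPT_LINEMODE) && put_byte(&b, LM_SLC))) return -1;
    for (size_t i = 0; i + 3 <= n; i += 3, count++)
        if (!slc_add_reply_checked(&b, body[i], body[i + 1], body[i + 2])) return -1;
    if (!(put_byte(&b, IAC) && put_byte(&b, SE))) return -1;
    *out_len = b.len;
    return count;
}

/* Hardened env_opt_add: size the heap reply from the worst-case escaped
 * length (every byte doubled) before copying a NEW-ENVIRON IS VAR/VALUE pair. */
unsigned char *env_opt_add_checked(const char *name, const char *value, size_t *out_len) {
    size_t need = 8 + 2 * strlen(name) + 2 * strlen(value); /* header+VAR+VALUE+trailer */
    unsigned char *p = malloc(need);
    if (!p) return NULL;
    struct obuf b = { p, need, 0 };
    bool ok = put_byte(&b, IAC) && put_byte(&b, SB) && put_byte(&b, TELOPT_NEW_ENVIRON)
           && put_byte(&b, TELQUAL_IS) && put_byte(&b, NEW_ENV_VAR);
    for (const char *s = name; ok && *s; s++) ok = put_escaped(&b, (unsigned char)*s, true);
    ok = ok && put_byte(&b, NEW_ENV_VALUE);
    for (const char *s = value; ok && *s; s++) ok = put_escaped(&b, (unsigned char)*s, true);
    ok = ok && put_byte(&b, IAC) && put_byte(&b, SE);
    if (!ok) { free(p); return NULL; }
    *out_len = b.len;
    return p;
}

/* Constructed inputs (not captured traffic) that exercise the two checks. */
int slc_demo(size_t triplets, unsigned char func) {
    unsigned char body[64 * 3], reply[SLC_REPLY_CAP];
    size_t len = 0;
    if (triplets > 64) return -2;
    for (size_t i = 0; i < triplets; i++) {
        body[3 * i] = func; body[3 * i + 1] = 3; body[3 * i + 2] = 3;
    }
    return handle_slc_suboption(body, 3 * triplets, reply, sizeof reply, &len);
}

int env_demo(void) {
    /* the value holds a VALUE byte (0x01) and an IAC (0xff); both must be escaped */
    static const unsigned char expect[] = { IAC, SB, TELOPT_NEW_ENVIRON, TELQUAL_IS,
        NEW_ENV_VAR, 'U', 'S', 'E', 'R', NEW_ENV_VALUE, ENV_ESC, 1, 'x', IAC, IAC, IAC, SE };
    size_t len = 0;
    unsigned char *r = env_opt_add_checked("USER", "\x01x\xff", &len);
    int ok = r && len == sizeof expect && memcmp(r, expect, len) == 0;
    free(r);
    return ok ? (int)len : -1;
}

int main(void) {
    printf("43 escaped triplets: %d (rejected)\n", slc_demo(43, IAC));
    printf("10 escaped triplets: %d\n", slc_demo(10, IAC));
    printf("NEW-ENVIRON reply bytes: %d\n", env_demo());
    return 0;
}
```

With a 128-byte reply buffer, a server list of 43 triplets whose first byte is IAC (the shape of the Solar Designer demonstration above) is refused after 30 triplets instead of overrunning the buffer; 40 unescaped triplets still fit. The NEW-ENVIRON reply for USER with a three-byte value comes out at 17 bytes, five of them for the value, because two of its three bytes needed escaping.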

REVISION HISTORY
================

2005-03-28      original release

Copyright (C) 2005 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)

iQCVAwUBQkiLWqbDgE/zdoE9AQFSsgQAua79YPzliPsWCnWTBWNkk9DZnME4RYNu
lmBkFlM2u/zaEAKQaml8QJ8k3TQ5WB0GztqSOEIWuG5ZahyOZQefrGCCHuD2JKFZ
g4q6PNM7dvbUCBB9HcR+GHlgr+01ofMjVuhhZ8Rj0icqCs5MojP5+0VSqr94w1zv
MS06L8DXn00=
=LT9x
-----END PGP SIGNATURE-----
