Telnet Client NEW-ENVIRON Command Discloses Information to Remote Users
SecurityTracker Alert ID: 1014203|
SecurityTracker URL: http://securitytracker.com/id/1014203
(Links to External Site)
Updated: Jul 7 2008|
Original Entry Date: Jun 14 2005
Disclosure of system information, Disclosure of user information|
iDEFENSE reported a vulnerability in several Telnet client implementations. A remote user may be able to obtain information from the target user's environment.|
Some client implementations do not properly control access to the NEW-ENVIRON command. A remote server can send a specially crafted command to a connected client to obtain the contents of specified environment variables.
A demonstration exploit command is provided:
SB NEW-ENVIRON SEND ENV_USERVAR <name of environment variable> SE
Several vendors were notified on February 18, 2005.
The original advisory is available at:
CVE-2005-0488 and CVE-2005-1205 are assigned to this vulnerability. The CVE-2005-1205 number refers to Microsoft's Telnet implementation.
A remote user can obtain the contents of known environment variables on the target user's system.|
Several vendors have issued fixes. Separate alerts will be issued to address individual vendor corrections.|
Access control error|
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Subject: iDEFENSE Security Advisory 06.14.05: Multiple Vendor Telnet Client|
Multiple Vendor Telnet Client Information Disclosure Vulnerability
iDEFENSE Security Advisory 06.14.05
June 14, 2005
The TELNET protocol allows virtual network terminals to be connected to
over the internet. The initial description of the telnet protocol was
given in RFC854 in May 1983. Since then there have been many extra
features added including encryption.
Remote exploitation of an input validation error in multiple telnet
clients could allow an attacker to gain sensitive information about the
The vulnerability specifically exists in the handling of the NEW-ENVIRON
In order to exploit this vulnerability, a malicious server can send a
connected client the following telnet command:
SB NEW-ENVIRON SEND ENV_USERVAR <name of environment variable> SE
Vulnerable telnet clients will send the contents of the reference
environment variable, which may contain information useful to an
attacker. The expected behavior would be only to send environment
variables related directly to the operation of the telnet client (for
example, TERM), or those specifically allowed by the user.
Successful exploitation of the vulnerability would allow an attacker to
read the values of arbitrary environment variables. By itself this
vulnerability is not a large threat, but exploiting this vulnerability
may give an attacker more information about a targeted system, which
could allow more effective attacks.
In order to exploit this vulnerability, an attacker would need to
convince the user to connect to their malicious server. It may be
possible to automatically launch the telnet command from a web page, for
On opening this page the telnet client may be launched and attempt to
connect to the host 'malicious.server'.
iDEFENSE has confirmed the existence of the vulnerability in version
5.1.2600.2180 of the Microsoft Telnet Client, the telnet client included
in the Kerberos V5 Release 1.3.6 package and the client included in the
SUNWtnetc package of Solaris 5.9. It is suspected that most BSD based
telnet clients are affected by this vulnerability. The telnet client
from the netkit-telnet package distributed with all current versions of
Redhat Linux contains a patch for this vulnerability, introduced in
early 2000. Some other distributions may also contain this patch. There
does not appear to have been a security advisory released at the time
the patch was added, nor does there appear to be an entry in the
Bugzilla database. This issue appears to have been mentioned in passing
in RHSA-2000-028, in relation to a vulnerability in Netscape.
For Windows based platforms, disabling the Telnet handler or specifying
a different application to handle Telnet URL's can mitigate URL based
attacks. This can be accomplished by removing or modifying the following
This workaround should prevent automatic exploitation attempts. It does
not fix the underlying issue.
iDEFENSE is currently unaware of any workarounds for this issue for other
VI. VENDOR RESPONSE
- Microsoft Corp.
Microsoft has investigated this issue. We have released an update to
address this concern. For more information, visit the following Web
- MIT Kerberos
The MIT Kerberos Development Team believes that the telnet client in our
distribution behaves as intended with regards to its handling of the
NEW-ENVIRON option. We do not feel that disclosure of user environment
variable settings constitutes a significant exposure.
We are willing to consider patches which implement an option to restrict
or disable the transmission of environment variables by the telnet
- Sun Microsystems, Inc.
Sun Microsystems, Inc. can confirm that Solaris and the SEAM product are
affected by this issue. The impact, contributing factors and patch
details are available in Sun Alert 57755 for Solaris which is available
and Sun Alert 57761 for SEAM which is available here:
- SUSE LINUX
The updates will be released on the coordinated release date. Customers
of SUSE LINUX can download the package by using YOU or directly via FTP
from our servers.
- ALT Linux
ALT Linux is not vulnerable to the telnet environment variable
disclosure since February of 2002, due to our inclusion of the Red Hat
Linux derived patch from Openwall GNU/*/Linux.
- CyberSafe Ltd.
The TrustBroker Secure Connection Utilities and TrustBroker Secure
Connection Services, version 5.6.1 or later, are not effected by this
vulnerability. If you are using earlier releases of these products you
need to upgrade.
- Openwall Project
Openwall GNU/*/Linux is not vulnerable to the telnet environment
variable disclosure, and it never was due to our inclusion of the Red
Hat Linux derived patch in the very first publicly available version of
our telnet package (which was in other aspects based off the code found
in OpenBSD 3.0). It is, however, worth noting that the unsafe
environment variable disclosure was in fact documented in the BSD telnet
client manual page. Thus, now that this issue has been revisited, we
have reworked the environment variable restrictions patch to have our
documentation in sync with the actual behavior.
Ubuntu supports and ships netkit-telnet, which has been patched to not
disclose arbitrary environment variables for a long time now. The krb5
version is also available in the archive, however, it is unsupported and
there will not be an official advisory for it. It will most likely be
fixed by the community.
- WRQ, Inc.
No versions of the WRQ Reflection for the Web Telnet clients are
vulnerable as they return very limited terminal information in response
to the NEW_ENVIRONMENT command and use dynamically-sized buffering.
Security update and advisory information for WRQ Reflection for the Web
can be found at:
No versions of the WRQ Reflection Telnet, TN3270, TN3270E, TN5250 or
Kerberized Telnet clients are vulnerable as they are not based on either
the BSD or MIT Telnet clients and use Microsoft Windows memory
management routines along with compile-time buffer overflow protection.
Security update and advisory information for WRQ Reflection products can
be found at:
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0488 to this issue. The CVE Project has also assigned
CAN-2005-1205 to identify this issue in Microsoft products. A separate
CVE number was issued for Microsoft due to the differing code base used.
These are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.
Additionally, CERT has issued VU#800829 for this vulnerability.
VIII. DISCLOSURE TIMELINE
02/18/2005 Initial vendor notification
06/14/2005 Coordinated public disclosure
Get paid for vulnerability research
Free tools, research and upcoming events
X. LEGAL NOTICES
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email firstname.lastname@example.org for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
Go to the Top of This SecurityTracker Archive Page