Vulnerability Note VU#291924

Multiple Telnet clients fail to properly handle the "LINEMODE" SLC suboption

Overview

Multiple Telnet clients contain a data length validation flaw which may allow a server to induce arbitrary code execution on the client host.

I. Description

The Telnet network protocol is described in RFC854 and RFC855 as a general, bi-directional communications facility. The Telnet protocol is commonly used for command line login sessions between Internet hosts.

Many Telnet client implementations may be vulnerable to a flaw which may allow arbitrary code to be executed on the connected client. The Telnet server may supply a specially crafted reply containing a larger number of RFC1184 LINEMODE "Set Local Character" (SLC) suboption commands, which are not checked for proper length before being stored into a fixed length buffer. Affected Telnet clients possibly include the BSD Telnet implementation and the MIT Kerberos distribution.

The Telnet LINEMODE mode is enabled by default in a majority of modern Telnet clients and servers, and is often negotiated automatically before user input is required. Therefore, an attacker may be able to launch a vulnerable client, for example, through commands embedded in web pages such as an IFRAME with a "telnet:" URL, and exploit this flaw requiring only minimal or no user interaction.

II. Impact

A remote server may be able to execute arbitrary code under the permissions of the user running the Telnet client on the local host.

III. Solution

Apply an update from your vendor

Patches, updates, and fixes are available from multiple vendors.
As a workaround, the client may explicitly disable the LINEMODE mode before connecting in order to prevent LINEMODE command processing. In addition, as a best practice clients should never connect to unknown servers.

Systems Affected

Vendor	Status	Date Updated
Apple Computer, Inc.	Vulnerable	1-Apr-2005
Cray Inc.	Unknown	29-Mar-2005
Debian Linux	Vulnerable	29-Mar-2005
EMC Corporation	Unknown	29-Mar-2005
Engarde	Unknown	29-Mar-2005
F5 Networks, Inc.	Vulnerable	2-May-2005
FreeBSD, Inc.	Unknown	29-Mar-2005
Fujitsu	Unknown	29-Mar-2005
Hitachi	Unknown	29-Mar-2005
HP	Unknown	29-Mar-2005
IBM Corporation	Unknown	29-Mar-2005
IBM eServer	Unknown	29-Mar-2005
IBM zSeries	Unknown	29-Mar-2005
Immunix	Unknown	29-Mar-2005
Ingrian Networks, Inc.	Unknown	29-Mar-2005
Juniper Networks, Inc.	Unknown	29-Mar-2005
Mandriva, Inc.	Vulnerable	1-Apr-2005
Mandriva, Inc.	Unknown	29-Mar-2005
Microsoft Corporation	Not Vulnerable	1-Apr-2005
MiT Kerberos Development Team	Vulnerable	29-Mar-2005
MontaVista Software, Inc.	Unknown	29-Mar-2005
NEC Corporation	Unknown	29-Mar-2005
NetBSD	Unknown	29-Mar-2005
Nokia	Unknown	29-Mar-2005
Novell, Inc.	Unknown	29-Mar-2005
OpenBSD	Unknown	29-Mar-2005
Openwall GNU/*/Linux	Unknown	29-Mar-2005
Red Hat, Inc.	Vulnerable	22-Dec-2005
Sequent Computer Systems, Inc.	Unknown	29-Mar-2005
SGI	Unknown	29-Mar-2005
Sony Corporation	Unknown	29-Mar-2005
Sun Microsystems, Inc.	Vulnerable	29-Mar-2005
SUSE Linux	Unknown	29-Mar-2005
The SCO Group (SCO Linux)	Unknown	29-Mar-2005
The SCO Group (SCO Unix)	Unknown	29-Mar-2005
TurboLinux	Unknown	29-Mar-2005
Unisys	Unknown	29-Mar-2005
Wind River Systems, Inc.	Unknown	8-Aug-2005

References

http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities
https://rhn.redhat.com/errata/RHSA-2005-327.html
http://secunia.com/advisories/14745/
http://web.mit.edu/kerberos/www/...s/MITKRB5-SA-2005-001-telnet.txt
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57755-1
http://www.auscert.org.au/5134

Credit

Thanks to iDEFENSE Labs for reporting this vulnerability.

This document was written by Ken MacInnis.

Other Information

Date Public	03/28/2005
Date First Published	03/29/2005 06:01:41 PM
Date Last Updated	12/22/2005
CERT Advisory
CVE Name	CVE-2005-0469
US-CERT Technical Alerts
Metric	12.60
Document Revision	29

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader