US-CERT Vulnerability Notes Database
Vulnerability Note VU#341908

Multiple Telnet Clients vulnerable to buffer overflow via the env_opt_add() function in telnet.c

Overview

Multiple Telnet clients contain a data length validation flaw that may allow a malicious server to execute arbitrary code on the client host with the privileges of the user running the client.

I. Description

The Telnet network protocol is described in RFC 854 and RFC 855 as a general, bi-directional communications facility. It is commonly used for command-line login sessions between Internet hosts.

Many Telnet clients are vulnerable to a heap-based buffer overflow in the handling of the environment option.

The env_opt_add() function in telnet.c builds the client's reply to a server's environment-option request in a heap-allocated buffer of 256 bytes that is grown once, to 512 bytes, if needed. The function does check that the variable name and value it is about to copy fit within the space allocated, but the check is made on the raw input. The Telnet protocol requires certain bytes to be escaped as they are copied into the reply (a data byte of 255, IAC, must be sent as IAC IAC, and the option's own delimiter bytes are prefixed with an escape byte), so the copied output can be up to twice as long as the input that was checked. If the escaped output exceeds the 512-byte buffer, a heap overflow occurs. Because the reply is built from the server's request, a malicious server controls how many escaped bytes the client writes.
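The following C program is an added illustration of the length-check flaw described above; it is not the telnet.c code and does not reproduce the client's actual env_opt_add() routine. It models a reply buffer of the sizes the note gives (256 bytes, growable once to 512), the escaping rules of RFC 854 (IAC is doubled) and RFC 1572 (the NEW-ENVIRON delimiter bytes VAR, VALUE, ESC and USERVAR are prefixed with ESC), and two versions of the add routine: one that checks the raw length of the variable name (the vulnerable pattern) and one that checks the escaped length (the fixed pattern). The function and type names, and the constructed input of a variable name made entirely of IAC bytes, are this example's own. The backing allocation is deliberately larger than the capacity the code believes it has, so the overrun is measured rather than suffered.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Byte values from the Telnet spec (RFC 854) and NEW-ENVIRON (RFC 1572). */
#define IAC            255
#define NEW_ENV_VAR      0
#define NEW_ENV_VALUE    1
#define ENV_ESC          2
#define ENV_USERVAR      3

/* Sizes taken from the note: a 256-byte reply buffer that may grow to 512. */
#define OPT_REPLY_SIZE 256
#define OPT_REPLY_MAX  512

/* A reply buffer shaped like the client's: the capacity the code believes
 * it has plus a write cursor. (Illustrative type, not the client's own.) */
struct reply {
    unsigned char *buf;
    size_t cap;
    size_t used;
};

/* Width of one raw byte after escaping: IAC is doubled (RFC 854) and the
 * option's own delimiter bytes are prefixed with ENV_ESC (RFC 1572). */
static size_t escaped_width(unsigned char c) {
    switch (c) {
    case IAC: case NEW_ENV_VAR: case NEW_ENV_VALUE: case ENV_ESC: case ENV_USERVAR:
        return 2;
    default:
        return 1;
    }
}

static size_t escaped_len(const unsigned char *s, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += escaped_width(s[i]);
    return n;
}

/* Copy src into dst with escaping. The caller is responsible for room;
 * getting that responsibility right or wrong is the whole difference
 * between the two add routines below. Returns bytes written. */
static size_t escape_into(unsigned char *dst, const unsigned char *src, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = src[i];
        if (c == IAC)
            dst[n++] = IAC;
        else if (c == NEW_ENV_VAR || c == NEW_ENV_VALUE || c == ENV_ESC || c == ENV_USERVAR)
            dst[n++] = ENV_ESC;
        dst[n++] = c;
    }
    return n;
}

/* One growth step, as the note describes: 256 -> 512, never beyond.
 * Returns 1 if `need` more bytes fit after the (possible) growth. */
static int make_room(struct reply *r, size_t need) {
    if (r->used + need <= r->cap) return 1;
    if (r->cap < OPT_REPLY_MAX) r->cap = OPT_REPLY_MAX;
    return r->used + need <= r->cap;
}

/* VULNERABLE pattern: room is checked against the RAW length of the name,
 * but the ESCAPED bytes are what get written. Returns bytes written, or 0
 * if the check rejected the name. */
size_t env_opt_add_vuln(struct reply *r, const unsigned char *name, size_t len) {
    size_t before = r->used;
    if (!make_room(r, len + 1))            /* +1 for the VAR marker byte */
        return 0;
    r->buf[r->used++] = NEW_ENV_VAR;
    r->used += escape_into(r->buf + r->used, name, len);
    return r->used - before;
}

/* FIXED pattern: check against the escaped length before writing. */
size_t env_opt_add_fixed(struct reply *r, const unsigned char *name, size_t len) {
    size_t before = r->used;
    if (!make_room(r, escaped_len(name, len) + 1))
        return 0;
    r->buf[r->used++] = NEW_ENV_VAR;
    r->used += escape_into(r->buf + r->used, name, len);
    return r->used - before;
}

/* Constructed input: a variable name of name_len IAC bytes, the kind of
 * name a hostile server can ask for. Runs the chosen routine against a
 * fresh 256-byte reply and returns how many bytes landed beyond the buffer
 * the code thought it had (0 means no overrun). The slab is 2*512+2 bytes,
 * larger than any raw-checked write, so the overrun is only measured. */
size_t overrun_with_iac_name(size_t name_len, int use_fixed) {
    unsigned char *slab = calloc(2 * OPT_REPLY_MAX + 2, 1);
    unsigned char *name = malloc(name_len ? name_len : 1);
    if (!slab || !name) { free(slab); free(name); return 0; }
    memset(name, IAC, name_len);
    struct reply r = { slab, OPT_REPLY_SIZE, 0 };
    if (use_fixed) env_opt_add_fixed(&r, name, name_len);
    else           env_opt_add_vuln(&r, name, name_len);
    size_t over = r.used > r.cap ? r.used - r.cap : 0;
    free(slab);
    free(name);
    return over;
}

int main(void) {
    printf("200 x IAC, raw-length check:     %zu bytes past the buffer\n", overrun_with_iac_name(200, 0));
    printf("300 x IAC, raw-length check:     %zu bytes past the buffer\n", overrun_with_iac_name(300, 0));
    printf("300 x IAC, escaped-length check: %zu bytes past the buffer\n", overrun_with_iac_name(300, 1));
    return 0;
}
```

With 200 IAC bytes the raw check passes against the 256-byte buffer (201 bytes needed), yet 401 escaped bytes are written. With 300 IAC bytes the raw check triggers the growth to 512 and passes again (301 needed), yet 601 bytes are written, which is the case the note describes: output past the 512-byte allocation. The fixed routine rejects both inputs because it sizes the check on what will actually be written.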

Several Telnet clients derived from a variety of lineages are confirmed to be affected. Please review the "Systems Affected" section below, or consult with your vendor to determine if you are affected.

II. Impact

Exploitation of this vulnerability may permit a malicious server to execute arbitrary code with the privileges of the user who invoked the telnet client. An attacker would have to trick a victim into initiating a telnet connection to the attacker's server using a vulnerable client. This may be accomplished with an HTML-rendered email or web page that invokes the telnet:// URI handler, although further user interaction may be required.

III. Solution

Apply a patch or upgrade as specified by your vendor.

Systems Affected

Vendor                          Status          Date (notified/updated)
Apple Computer Inc.             Vulnerable      1-Apr-2005
Conectiva                       Vulnerable      6-Jun-2005
Cray Inc.                       Unknown         30-Mar-2005
Debian                          Vulnerable      4-Apr-2005
EMC Corporation                 Unknown         30-Mar-2005
Engarde                         Unknown         30-Mar-2005
F5 Networks                     Vulnerable      3-May-2005
Fedora Project                  Vulnerable      4-Apr-2005
FreeBSD                         Vulnerable      30-Mar-2005
Fujitsu                         Unknown         30-Mar-2005
Gentoo Linux                    Vulnerable      1-Apr-2005
Heimdal                         Vulnerable      21-Apr-2005
Hewlett-Packard Company         Unknown         30-Mar-2005
Hitachi                         Unknown         30-Mar-2005
IBM                             Unknown         30-Mar-2005
IBM eServer                     Unknown         30-Mar-2005
IBM zSeries                     Unknown         30-Mar-2005
Immunix                         Unknown         30-Mar-2005
Ingrian Networks                Unknown         30-Mar-2005
Juniper Networks                Unknown         30-Mar-2005
MandrakeSoft                    Vulnerable      7-Apr-2005
Microsoft Corporation           Not Vulnerable  1-Apr-2005
MIT Kerberos Development Team   Vulnerable      30-Mar-2005
MontaVista Software             Unknown         30-Mar-2005
NEC Corporation                 Unknown         30-Mar-2005
NetBSD                          Unknown         30-Mar-2005
Nokia                           Unknown         30-Mar-2005
Novell                          Unknown         30-Mar-2005
OpenBSD                         Vulnerable      7-Apr-2005
Openwall GNU/*/Linux            Vulnerable      30-Mar-2005
Red Hat Inc.                    Vulnerable      28-Jul-2005
SCO Linux                       Unknown         30-Mar-2005
SCO Unix                        Vulnerable      14-Apr-2005
Sequent                         Unknown         30-Mar-2005
SGI                             Vulnerable      27-Apr-2005
Sony Corporation                Unknown         30-Mar-2005
Sun Microsystems Inc.           Vulnerable      14-Apr-2005
SuSE Inc.                       Unknown         30-Mar-2005
TurboLinux                      Unknown         30-Mar-2005
Unisys                          Unknown         30-Mar-2005
WRS                             Unknown         30-Mar-2005

References

http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
http://secunia.com/advisories/14745/
http://web.mit.edu/kerberos/www/...s/MITKRB5-SA-2005-001-telnet.txt
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57755-1
http://www.auscert.org.au/5134

Credit

Thanks to iDEFENSE Labs for reporting this vulnerability.

This document was written by Robert Mead and Jason Rafail, and is based on information in iDefense's advisory.

Other Information

Date Public: 2005-03-28
Date First Published: 2005-04-01
Date Last Updated: 2005-07-28
CERT Advisory:
CVE-ID(s): CAN-2005-0468
NVD-ID(s): CAN-2005-0468
US-CERT Technical Alerts:
Severity Metric: 29.95
Document Revision: 28

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2005 Carnegie Mellon University