Subject: [NEWS] Multiple Telnet Client env_opt_add() and slc_add_reply() Buffer Overflow
Date: 29 Mar 2005 11:32:52 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Multiple Telnet Client env_opt_add() and slc_add_reply() Buffer Overflow
------------------------------------------------------------------------


SUMMARY

The TELNET protocol "allows virtual network terminals to be connected to 
over the Internet. The initial description of the telnet protocol was 
given in RFC854 in May 1983. Since then there have been many extra 
features added including encryption".

Remote exploitation of two buffer overflow vulnerabilities in multiple 
telnet clients could allow the execution of arbitrary code.

DETAILS

Vulnerable Systems:
 * Telnet Client provided with Kerberos V5 Release 1.3.6
 * Telnet Client provided with SUNWtnetc package of Solaris 5.9

slc_add_reply() Vulnerability:
The vulnerability specifically exists in the handling of the LINEMODE 
suboptions, in that there is no size check made on the output, which is 
stored in a fixed length buffer. By sending a specially constructed reply 
containing a large number of SLC (Set Local Character) commands, it is 
possible to overflow this buffer with server supplied data.

Proof of Concept for slc_add_reply():
The following one-liner can be used to trigger this overflow:
perl -e 'print "\377", "\372\42\3\377\377\3\3" x 43, "\377\360"' | nc -l 2

This results in 300 bytes written into the 128-byte buffer. On Owl (telnet 
client derived from OpenBSD 3.0), the effect was that the escape character 
('^]') stopped working. Other than that, the client proceeded to work as 
usual. Indeed, with the patch this effect is gone.

env_opt_add() Vulnerability:
The vulnerability specifically exists in the env_opt_add() function of 
telnet.c. A buffer of a fixed size (256 bytes) is allocated to store the 
result of the processing this function performs on network input. If this 
buffer is not large enough to contain the string, the buffer is expanded 
by a further 256 bytes. This size is sufficient for most well formed 
input, as the buffer passed as input to the affected function is limited 
to the same size. However, due to the way the telnet protocol escapes 
certain characters, it is possible to increase the length of the output by 
including a large run of characters which need escaping. This can allow 
the 256 byte input buffer to expand to a maximum of 512 bytes in the 
allocated storage buffer. If, after expanding the buffer by 256 bytes, the 
buffer is still not large enough to contain the input, a heap based buffer 
overflow occurs, which is exploitable on at least some affected platforms.
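A minimal model of the escaping env_opt_add() performs and of the size check the fix needs, added here as an example (it is not the advisory's code nor any telnet client's); the function names, buffer handling and the one-time expansion are assumptions based on the description above, and the byte codes follow RFC 1572 and the telnet IAC:

```c
/* Added example, not code from the advisory or any telnet client: a
 * minimal model of the escaping env_opt_add() applies to a NEW-ENVIRON
 * reply, showing why a size check that ignores escaping is wrong.
 * Function names and buffer handling are assumptions. */
#include <stddef.h>
#include <string.h>

#define IAC            255  /* telnet IAC; sent on the wire as IAC IAC */
#define ENV_VAR        0    /* NEW-ENVIRON codes that get an ESC prefix */
#define ENV_VALUE      1
#define ENV_ESC        2
#define ENV_USERVAR    3
#define OPT_REPLY_SIZE 256  /* initial reply buffer, as in the advisory */

/* Does this input byte expand to two output bytes? */
static int needs_escape(unsigned char c)
{
    return c == IAC || c == ENV_VAR || c == ENV_VALUE ||
           c == ENV_ESC || c == ENV_USERVAR;
}

/* Exact escaped length of an input; the worst case is 2 * n, so a
 * 256-byte input can become 512 bytes, as the advisory describes. */
size_t escaped_len(const unsigned char *in, size_t n)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++)
        out += needs_escape(in[i]) ? 2 : 1;
    return out;
}

/* Append `in` to `dst` with escaping, never writing past `cap` bytes.
 * Returns bytes written, or 0 when the escaped data would not fit.
 * An unsafe check compares *used + n instead, under-counting by up to n. */
size_t escaped_append(unsigned char *dst, size_t cap, size_t *used,
                      const unsigned char *in, size_t n)
{
    if (escaped_len(in, n) > cap - *used)   /* check the escaped size */
        return 0;
    size_t start = *used;
    for (size_t i = 0; i < n; i++) {
        if (needs_escape(in[i]))
            dst[(*used)++] = (in[i] == IAC) ? IAC : ENV_ESC;
        dst[(*used)++] = in[i];
    }
    return *used - start;
}
```

With a 256-byte input made entirely of IAC bytes, escaped_len() returns 512: that fills the one-time 256-byte expansion exactly, and any further byte must be refused rather than written.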

Vendor response:
The following vendors have provided official responses related to this 
vulnerability. Other vendors may be affected but have not provided an 
official response.

Vulnerable:
- ALT Linux
All supported ALT Linux distributions include telnet client derived from 
OpenBSD 3.0. The env_opt_add() buffer overflow vulnerability is present in 
all our telnet clients. Updated packages with fixes for these issues will 
be released on March 28, 2005.
http://lists.altlinux.ru/pipermail/security-announce/2005-March/000287.html

- Apple Computer, Inc.
Component: Telnet
Available for: Mac OS X 10.3.8, Mac OS X Server 10.3.8
This is fixed in Security Update 2005-003, which is available at
http://docs.info.apple.com/article.html?artnum=61798

- FreeBSD
FreeBSD-SA-05:01.telnet security advisory:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:01.telnet.asc

- MIT (Kerberos)
This vulnerability is covered in the following upcoming advisory:
MITKRB5-SA-2005-001:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt
Patch against krb5-1.4:
http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt

- Openwall Project
The bugs are fixed starting with telnet package version 3.0-owl2.
http://www.openwall.com/Owl/CHANGES-current.shtml

- Red Hat, Inc.
Red Hat Enterprise Linux ships with telnet and krb5 packages vulnerable to 
this issue. New telnet and krb5 packages are now available along with our 
advisory at the URLs below and by using the Red Hat Network 'up2date' 
tool.
 Red Hat Enterprise Linux - telnet
http://rhn.redhat.com/errata/RHSA-2005-330.html
 Red Hat Enterprise Linux - krb5
http://rhn.redhat.com/errata/RHSA-2005-327.html

- Sun Microsystems Inc.
Sun confirms that the telnet(1) vulnerabilities do affect all currently 
supported versions of Solaris:
 Solaris 7, 8, 9 and 10
Sun has released a Sun Alert which describes a workaround until patches 
are available at: http://sunsolve.sun.com (Sun Alert #57755)

The Sun Alert will be updated with the patch information once it becomes 
available. Sun patches are available from:
http://sunsolve.sun.com/securitypatch

Not Vulnerable:
- CyberSafe Limited
The CyberSafe TrustBroker products, version 3.0 or later, are not 
vulnerable.

- Hewlett-Packard Development Company, L.P.
HP-UX and HP Tru64 UNIX are not vulnerable.

- InterSoft International, Inc.
InterSoft International, Inc. products NetTerm, SecureNetTerm and SNetTerm 
are not affected by the env_opt_add() buffer overflow conditions.

Analysis for both vulnerabilities:
In order to exploit this vulnerability, an attacker would need to convince 
the user to connect to their malicious server. It may be possible to 
automatically launch the telnet command from a webpage, for example:

<html><body>
<iframe src='telnet://malicious.server/'></iframe>
</body></html>

On opening this page the telnet client may be launched and attempt to 
connect to the host 'malicious.server'.

CVE Information:
CAN-2005-0468: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468
CAN-2005-0469: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469


ADDITIONAL INFORMATION

The information has been provided by iDEFENSE 
(idlabs-advisories@idefense.com).
The original articles can be found at:
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities