MITKRB5-SA-2005-001: buffer overflows in telnet client
-----BEGIN PGP SIGNED MESSAGE-----
MIT krb5 Security Advisory 2005-001
Original release: 2005-03-28
Topic: Buffer overflows in telnet client
Severity: serious

SUMMARY
=======
The telnet client program supplied with MIT Kerberos 5 has buffer
overflows in the functions slc_add_reply() and env_opt_add(), which
may lead to remote code execution.

IMPACT
======
An attacker controlling or impersonating a telnet server may execute
arbitrary code with the privileges of the user running the telnet
client. The attacker would need to convince the user to connect to a
malicious server, perhaps by automatically launching the client from a
web page. Additional user interaction may not be required if the
attacker can get the user to view HTML containing an IFRAME tag
containing a "telnet:" URL pointing to a malicious server.

AFFECTED SOFTWARE
=================
* telnet client programs included with the MIT Kerberos 5
implementation, up to and including release krb5-1.4.
* Other telnet client programs derived from the BSD telnet
implementation may be vulnerable.

FIXES
=====
* WORKAROUND: Disable handling of "telnet:" URLs in web browsers,
email readers, etc., or remove execute permissions from the telnet
client program.
* The upcoming krb5-1.4.1 patch release will contain fixes for this
problem.
* Apply the patch found at:
http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt
The associated detached PGP signature is at:
http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt.asc
The patch was generated against the krb5-1.4 release. It may apply
against earlier releases with some offset.

REFERENCES
==========
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
[IDEF0866] Multiple Telnet Client slc_add_reply() Buffer Overflow
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities
CVE: CAN-2005-0469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
[IDEF0867] Multiple Telnet Client env_opt_add() Buffer Overflow
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
CVE: CAN-2005-0468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468

ACKNOWLEDGMENTS
===============
Thanks to iDEFENSE for notifying us of these vulnerabilities, and for
providing useful feedback.

DETAILS
=======
The slc_add_reply() function in telnet.c performs inadequate length
checking. By sending a carefully crafted telnet LINEMODE suboption
string, a malicious telnet server may cause a telnet client to
overflow a fixed-size data segment or BSS buffer and execute arbitrary
code.
The env_opt_add() function in telnet.c performs inadequate length
checking. By sending a carefully crafted telnet NEW-ENVIRON suboption
string, a malicious telnet server may cause a telnet client to
overflow a heap buffer and execute arbitrary code.
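Both defects above share one shape: a reply buffer is filled with server-supplied bytes, each of which may expand to two on the wire (a literal IAC must be sent as IAC IAC), and the code does not compare the space still available against the worst-case growth before writing. The following C program is an added illustration of the bounds-checked pattern that closes that gap; it is constructed for this page and is not the krb5 telnet client's code or its patch. The buffer size REPLY_MAX, the reply_t type and the function names (reply_put, slc_add_reply_checked, process_slc_triplets) are assumptions for the example. The same "compute escaped size, compare against capacity, refuse rather than write" check applies to a heap buffer of the kind env_opt_add() fills, with the allocation's capacity in place of sizeof.

```c
#include <stddef.h>
#include <stdio.h>

/* Telnet "Interpret As Command" byte. A literal 255 inside suboption data
 * must be sent as IAC IAC, so any single data byte may occupy two bytes. */
#define IAC 255

/* Constructed fixed-size reply buffer. The size is an assumption for this
 * example, not the size used by the krb5 telnet client. */
#define REPLY_MAX 128

typedef struct {
    unsigned char buf[REPLY_MAX];
    size_t len;       /* bytes used so far */
    int refused;      /* set once an append has been refused for lack of room */
} reply_t;

void reply_init(reply_t *r) { r->len = 0; r->refused = 0; }

/* Bytes a value occupies after IAC escaping. */
static size_t escaped_size(unsigned char c) { return c == IAC ? 2 : 1; }

/* Unchecked append: the shape that lets a server-chosen byte count run past
 * the end of the buffer. Kept only as the "before" form; every caller below
 * verifies room first, so it never runs on an unchecked length. */
static void reply_put_unchecked(reply_t *r, unsigned char c) {
    r->buf[r->len++] = c;
    if (c == IAC) r->buf[r->len++] = IAC;
}

/* Checked append: refuses the byte when its escaped form would not fit.
 * Returns 1 on success, 0 when refused (buffer left unchanged). */
int reply_put(reply_t *r, unsigned char c) {
    if (r->len + escaped_size(c) > sizeof r->buf) { r->refused = 1; return 0; }
    reply_put_unchecked(r, c);
    return 1;
}

/* Add one SLC triplet (func, flags, value). Room for all three escaped bytes
 * is checked before any of them is written, so a partial triplet never lands
 * in the buffer. Returns 1 on success, 0 when refused. */
int slc_add_reply_checked(reply_t *r, unsigned char func,
                          unsigned char flags, unsigned char value) {
    size_t need = escaped_size(func) + escaped_size(flags) + escaped_size(value);
    if (r->len + need > sizeof r->buf) { r->refused = 1; return 0; }
    reply_put_unchecked(r, func);
    reply_put_unchecked(r, flags);
    reply_put_unchecked(r, value);
    return 1;
}

/* Feed n triplets with a fixed value byte and return how many were accepted
 * before the buffer ran out of room. n is treated as untrusted, the way a
 * suboption length arriving from the network would be. */
size_t process_slc_triplets(reply_t *r, size_t n, unsigned char value) {
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (!slc_add_reply_checked(r, (unsigned char)(i % 32), 0, value))
            break;
        accepted++;
    }
    return accepted;
}

int main(void) {
    reply_t r;
    reply_init(&r);
    size_t ok = process_slc_triplets(&r, 1000, 0);
    printf("plain triplets accepted: %zu, refused=%d, len=%zu\n",
           ok, r.refused, r.len);
    reply_init(&r);
    ok = process_slc_triplets(&r, 1000, IAC);
    printf("IAC-valued triplets accepted: %zu, refused=%d, len=%zu\n",
           ok, r.refused, r.len);
    return 0;
}
```

With a 128-byte buffer, 42 plain triplets (126 bytes) fit and the 43rd is refused, while triplets whose value byte is IAC cost four bytes each, so exactly 32 fit. The point of the check is that the refusal happens before any write, and the `refused` flag gives the caller a place to log the event or drop the connection rather than silently truncating.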

REVISION HISTORY
================
2005-03-28 original release
Copyright (C) 2005 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)
iQCVAwUBQkiLWqbDgE/zdoE9AQFSsgQAua79YPzliPsWCnWTBWNkk9DZnME4RYNu
lmBkFlM2u/zaEAKQaml8QJ8k3TQ5WB0GztqSOEIWuG5ZahyOZQefrGCCHuD2JKFZ
g4q6PNM7dvbUCBB9HcR+GHlgr+01ofMjVuhhZ8Rj0icqCs5MojP5+0VSqr94w1zv
MS06L8DXn00=
=LT9x
-----END PGP SIGNATURE-----