<<< Date Index >>>     <<< Thread Index >>>

MITKRB5-SA-2005-001: buffer overflows in telnet client

-----BEGIN PGP SIGNED MESSAGE-----

                 MIT krb5 Security Advisory 2005-001

Original release: 2005-03-28

Topic: Buffer overflows in telnet client

Severity: serious

SUMMARY
=======

The telnet client program supplied with MIT Kerberos 5 has buffer
overflows in the functions slc_add_reply() and env_opt_add(), which
may lead to remote code execution.

IMPACT
======

An attacker controlling or impersonating a telnet server may execute
arbitrary code with the privileges of the user running the telnet
client.  The attacker would need to convince the user to connect to a
malicious server, perhaps by automatically launching the client from a
web page.  Additional user interaction may not be required if the
attacker can get the user to view HTML containing an IFRAME tag
containing a "telnet:" URL pointing to a malicious server.

AFFECTED SOFTWARE
=================

* telnet client programs included with the MIT Kerberos 5
  implementation, up to and including release krb5-1.4.

* Other telnet client programs derived from the BSD telnet
  implementation may be vulnerable.

FIXES
=====

* WORKAROUND: Disable handling of "telnet:" URLs in web browsers,
  email readers, etc., or remove execute permissions from the telnet
  client program.

* The upcoming krb5-1.4.1 patch release will contain fixes for this
  problem.

* Apply the patch found at:

  http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt.asc

  The patch was generated against the krb5-1.4 release.  It may apply
  against earlier releases with some offset.

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

[IDEF0866] Multiple Telnet Client slc_add_reply() Buffer Overflow
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities

CVE: CAN-2005-0469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469

[IDEF0867] Multiple Telnet Client env_opt_add() Buffer Overflow
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities

CVE: CAN-2005-0468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468

ACKNOWLEDGMENTS
===============

Thanks to iDEFENSE for notifying us of these vulnerabilities, and for
providing useful feedback.

DETAILS
=======

The slc_add_reply() function in telnet.c performs inadequate length
checking.  By sending a carefully crafted telnet LINEMODE suboption
string, a malicious telnet server may cause a telnet client to
overflow a fixed-size data segment or BSS buffer and execute arbitrary
code.

The env_opt_add() function in telnet.c performs inadequate length
checking.  By sending a carefully crafted telnet NEW-ENVIRON suboption
string, a malicious telnet server may cause a telnet client to
overflow a heap buffer and execute arbitrary code.

REVISION HISTORY
================

2005-03-28      original release

Copyright (C) 2005 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)

iQCVAwUBQkiLWqbDgE/zdoE9AQFSsgQAua79YPzliPsWCnWTBWNkk9DZnME4RYNu
lmBkFlM2u/zaEAKQaml8QJ8k3TQ5WB0GztqSOEIWuG5ZahyOZQefrGCCHuD2JKFZ
g4q6PNM7dvbUCBB9HcR+GHlgr+01ofMjVuhhZ8Rj0icqCs5MojP5+0VSqr94w1zv
MS06L8DXn00=
=LT9x
-----END PGP SIGNATURE-----