From labs-no-reply@idefense.com Mon Mar 28 15:25:27 2005
From: iDEFENSE Labs
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Date: Mon, 28 Mar 2005 13:10:17 -0500
Subject: iDEFENSE Security Advisory 03.28.05: Multiple Telnet Client env_opt_add() Buffer Overflow Vulnerability

Multiple Telnet Client env_opt_add() Buffer Overflow Vulnerability

iDEFENSE Security Advisory 03.28.05
www.idefense.com/application/poi/display?id=221&type=vulnerabilities
March 28, 2005

I. BACKGROUND

The TELNET protocol allows virtual network terminals to be connected to over the internet. The initial description of the telnet protocol was given in RFC854 in May 1983. Since then many extra features have been added, including encryption.

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in multiple telnet clients could allow the execution of arbitrary code.

The vulnerability specifically exists in the env_opt_add() function of telnet.c. A buffer of a fixed size (256 bytes) is allocated to store the result of the processing this function performs on network input. If this buffer is not large enough to contain the string, the buffer is expanded by a further 256 bytes. This size is sufficient for most well-formed input, as the buffer passed as input to the affected function is limited to the same size. However, due to the way the telnet protocol escapes certain characters, it is possible to increase the length of the output by including a large run of characters which need escaping. This can allow the 256-byte input buffer to expand to a maximum of 512 bytes in the allocated storage buffer. If, after expanding the buffer by 256 bytes, the buffer is still not large enough to contain the input, a heap-based buffer overflow occurs, which is exploitable on at least some affected platforms.

III. ANALYSIS

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands in the context of the user who launched the telnet client.
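The sizing problem section II describes, as an added illustration that is not the advisory's or any telnet client's code: escaped_len() measures how much a run of escape-needing bytes grows the output, fixed_growth_overflows() models the "256 bytes, grown once by 256" policy, and reply_append_escaped() shows the hardened alternative of sizing the buffer from the measured length. Assumptions: only the IAC byte (255) is escaped (the real client escapes a few environment-option bytes too), and the `used` argument models bytes already appended to the same reply by earlier calls.

```c
#include <stdlib.h>
#include <string.h>

#define IAC 255            /* telnet "Interpret As Command"; sent as IAC IAC inside data */
#define OPT_BUF_SIZE 256   /* initial size and growth step quoted in the advisory */

/* Bytes the escaped form of in[0..n) occupies: every IAC is doubled (assumption:
   the only escaped byte modelled here). */
size_t escaped_len(const unsigned char *in, size_t n) {
    size_t out = 0;
    for (size_t i = 0; i < n; i++)
        out += (in[i] == IAC) ? 2 : 1;
    return out;
}

/* The advisory's policy: a 256-byte buffer grown once by 256. Returns 1 if appending
   the escaped input after `used` bytes already present would exceed the grown buffer. */
int fixed_growth_overflows(size_t used, const unsigned char *in, size_t n) {
    size_t cap = OPT_BUF_SIZE;
    size_t need = used + escaped_len(in, n);
    if (need > cap) cap += OPT_BUF_SIZE;   /* the single expansion the advisory describes */
    return need > cap;
}

/* Hardened growable reply buffer: capacity is derived from the measured escaped
   length before any byte is written, so no input pattern can outrun it. */
typedef struct { unsigned char *buf; size_t used, cap; } reply_t;

int reply_append_escaped(reply_t *r, const unsigned char *in, size_t n) {
    size_t need = r->used + escaped_len(in, n);
    if (need > r->cap) {
        size_t cap = r->cap ? r->cap : OPT_BUF_SIZE;
        while (cap < need) cap *= 2;         /* grow to fit, not by a fixed step */
        unsigned char *nb = realloc(r->buf, cap);
        if (!nb) return -1;
        r->buf = nb; r->cap = cap;
    }
    for (size_t i = 0; i < n; i++) {
        r->buf[r->used++] = in[i];
        if (in[i] == IAC) r->buf[r->used++] = IAC;   /* escape by doubling */
    }
    return 0;
}

/* Constructed sample input: a 256-byte run of IAC, the worst case the advisory describes. */
int demo_worst_case(size_t used) {
    unsigned char run[OPT_BUF_SIZE];
    memset(run, IAC, sizeof run);
    return fixed_growth_overflows(used, run, sizeof run);
}

/* Append the same worst-case run `rounds` times to a hardened buffer; returns bytes stored. */
size_t demo_hardened(int rounds) {
    unsigned char run[OPT_BUF_SIZE];
    memset(run, IAC, sizeof run);
    reply_t r = {0, 0, 0};
    for (int i = 0; i < rounds; i++)
        if (reply_append_escaped(&r, run, sizeof run) != 0) { free(r.buf); return 0; }
    size_t used = r.used;
    free(r.buf);
    return used;
}
```

With an empty buffer the 256-byte run just fits the one-time expansion (512 bytes); a single byte already in the buffer is enough to push it past, which is the condition the advisory describes.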
In order to exploit this vulnerability, an attacker would need to convince the user to connect to their malicious server. It may be possible to automatically launch the telnet command from a webpage, for example: