From tlyu@MIT.EDU Tue Mar 29 16:02:15 2005
From: Tom Yu
To: bugtraq@securityfocus.com
Date: Mon, 28 Mar 2005 18:17:53 -0500
Subject: MITKRB5-SA-2005-001: buffer overflows in telnet client

-----BEGIN PGP SIGNED MESSAGE-----

MIT krb5 Security Advisory 2005-001

Original release: 2005-03-28

Topic: Buffer overflows in telnet client

Severity: serious

SUMMARY
=======

The telnet client program supplied with MIT Kerberos 5 has buffer
overflows in the functions slc_add_reply() and env_opt_add(), which may
lead to remote code execution.

IMPACT
======

An attacker controlling or impersonating a telnet server may execute
arbitrary code with the privileges of the user running the telnet
client. The attacker would need to convince the user to connect to a
malicious server, perhaps by automatically launching the client from a
web page. Additional user interaction may not be required if the
attacker can get the user to view HTML containing an IFRAME tag
containing a "telnet:" URL pointing to a malicious server.

AFFECTED SOFTWARE
=================

* telnet client programs included with the MIT Kerberos 5
  implementation, up to and including release krb5-1.4.

* Other telnet client programs derived from the BSD telnet
  implementation may be vulnerable.

FIXES
=====

* WORKAROUND: Disable handling of "telnet:" URLs in web browsers,
  email readers, etc., or remove execute permissions from the telnet
  client program.

* The upcoming krb5-1.4.1 patch release will contain fixes for this
  problem.

* Apply the patch found at:

  http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt.asc

  The patch was generated against the krb5-1.4 release. It may apply
  against earlier releases with some offset.
REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

[IDEF0866] Multiple Telnet Client slc_add_reply() Buffer Overflow
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities

CVE: CAN-2005-0469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469

[IDEF0867] Multiple Telnet Client env_opt_add() Buffer Overflow
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities

CVE: CAN-2005-0468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468

ACKNOWLEDGMENTS
===============

Thanks to iDEFENSE for notifying us of these vulnerabilities, and for
providing useful feedback.

DETAILS
=======

The slc_add_reply() function in telnet.c performs inadequate length
checking. By sending a carefully crafted telnet LINEMODE suboption
string, a malicious telnet server may cause a telnet client to overflow
a fixed-size data segment or BSS buffer and execute arbitrary code.

The env_opt_add() function in telnet.c performs inadequate length
checking. By sending a carefully crafted telnet NEW-ENVIRON suboption
string, a malicious telnet server may cause a telnet client to overflow
a heap buffer and execute arbitrary code.

REVISION HISTORY
================

2005-03-28 original release

Copyright (C) 2005 Massachusetts Institute of Technology
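As an added illustration of the length check the DETAILS section says is missing (this is not MIT's code and not the fix in the linked patch): a hypothetical SLC reply builder in C that refuses to append past its fixed-size buffer, accounting for the IAC doubling that makes the wire size of a server-supplied triplet vary. The names, the buffer size and the triplet layout are assumptions chosen for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define IAC 255            /* telnet "Interpret As Command" byte */
#define REPLY_SIZE 32      /* illustrative fixed-size reply buffer */

struct slc_reply {
    uint8_t buf[REPLY_SIZE];
    size_t len;
};

/* Append one byte, doubling IAC as the telnet protocol requires.
 * Returns false and leaves the buffer untouched if it would not fit. */
static bool reply_put_byte(struct slc_reply *r, uint8_t b)
{
    size_t need = (b == IAC) ? 2 : 1;
    if (r->len + need > REPLY_SIZE)
        return false;
    r->buf[r->len++] = b;
    if (b == IAC)
        r->buf[r->len++] = IAC;
    return true;
}

/* Add one SLC triplet (function, modifier, character) to the reply.
 * A server-supplied character of 255 occupies two bytes on the wire,
 * so the space needed per triplet is not constant. */
bool slc_add_reply_checked(struct slc_reply *r,
                           uint8_t func, uint8_t mod, uint8_t ch)
{
    size_t saved = r->len;
    if (reply_put_byte(r, func) && reply_put_byte(r, mod) &&
        reply_put_byte(r, ch))
        return true;
    r->len = saved;        /* roll back a partially written triplet */
    return false;
}

/* Feed 'attempts' identical triplets; report how many were accepted. */
int accepted_triplets(uint8_t ch, int attempts)
{
    struct slc_reply r = { .len = 0 };
    int accepted = 0;
    for (int i = 0; i < attempts; i++)
        if (slc_add_reply_checked(&r, 1, 2, ch))
            accepted++;
    return r.len <= REPLY_SIZE ? accepted : -1;
}
```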