CVE-2004-0911
CVSS5.0
发布时间 :2004-11-03 00:00:00
修订时间 :2008-09-05 16:39:45
NMCOPS    

[原文]telnetd for netkit 0.17 and earlier, and possibly other versions, on Debian GNU/Linux allows remote attackers to cause a denial of service (free of an invalid pointer), a different vulnerability than CVE-2001-0554.


[CNNVD]Debian GNU/Linux Telnetd非法内存处理漏洞(CNNVD-200411-004)

        
        Debian是一款开放源代码的LINUX系统。
        Debian的telnetd存在一个非法内存处理问题,远程攻击者可以利用这个漏洞以进程权限在系统上执行任意指令。
        Debian Linux中的Netkit telnetd实现缺少AYT漏洞补丁,此漏洞由于没有正确分配和释放内存缓冲区,可导致以telnetd进程权限执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0911
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0911
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-004
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/xforce/xfdb/17540
(VENDOR_ADVISORY)  XF  telnetd-netkit-bo(17540)
http://www.securityfocus.com/archive/1/375743
(VENDOR_ADVISORY)  BUGTRAQ  20040918 Debian netkit telnetd vulnerability
http://www.debian.org/security/2004/dsa-556
(VENDOR_ADVISORY)  DEBIAN  DSA-556
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=273694
(UNKNOWN)  CONFIRM  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=273694

- 漏洞信息

Debian GNU/Linux Telnetd非法内存处理漏洞
中危 设计错误
2004-11-03 00:00:00 2005-10-20 00:00:00
远程  
        
        Debian是一款开放源代码的LINUX系统。
        Debian的telnetd存在一个非法内存处理问题,远程攻击者可以利用这个漏洞以进程权限在系统上执行任意指令。
        Debian Linux中的Netkit telnetd实现缺少AYT漏洞补丁,此漏洞由于没有正确分配和释放内存缓冲区,可导致以telnetd进程权限执行任意指令。
        

- 公告与补丁

        厂商补丁:
        Debian
        ------
        
        http://www.debian.org/security/2004/dsa-556

- 漏洞信息 (F34675)

Debian Linux Security Advisory 569-1 (PacketStormID:F34675)
2004-10-18 00:00:00
Debian  debian.org
advisory,remote,code execution
linux,debian
CVE-2004-0911
[点击下载]

Debian Security Advisory 569-1 - invalid free(3) in netkit-telnet-ssl. This advisory describes patching for a hole found in netkit-telnet-ssl which may allow for remote code execution as whatever user runs telnetd, which would typically be the telnetd user. The issue is corrected in 0.17.17+0.1-2woody2 (stable) or 0.17.24+0.1-4 (unstable). Issue discovered by Michal Zalewski.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 569-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 18th, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : netkit-telnet-ssl
Vulnerability  : invalid free(3)
Problem-Type   : remote
Debian-specific: yes
CVE ID         : CAN-2004-0911
Debian Bug     : 273694

Michal Zalewski discovered a bug in the netkit-telnet server (telnetd)
whereby a remote attacker could cause the telnetd process to free an
invalid pointer.  This causes the telnet server process to crash,
leading to a straightforward denial of service (inetd will disable the
service if telnetd is crashed repeatedly), or possibly the execution
of arbitrary code with the privileges of the telnetd process (by
default, the 'telnetd' user).

For the stable distribution (woody) this problem has been fixed in
version 0.17.17+0.1-2woody2

For the unstable distribution (sid) this problem has been fixed in
version 0.17.24+0.1-4.

We recommend that you upgrade your netkit-telnet-ssl package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/netkit-telnet-ssl_0.17.17+0.1-2woody2.dsc
      Size/MD5 checksum:      669 c0333bf798925d74a2b0cd156eb691cc
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/netkit-telnet-ssl_0.17.17+0.1-2woody2.diff.gz
      Size/MD5 checksum:     8632 d0b418abcc29fc1790ab5aafb6836dd1
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/netkit-telnet-ssl_0.17.17+0.1.orig.tar.gz
      Size/MD5 checksum:   167658 faf2d112bc4d44f522bad3bc73da8d6d

  Alpha architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody2_alpha.deb
      Size/MD5 checksum:   101014 abb3671e001662e6e5166d716ad8bfb6
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnetd-ssl_0.17.17+0.1-2woody2_alpha.deb
      Size/MD5 checksum:    56848 bb8b0d77208c7f44c63e95a4f7083e21

  ARM architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody2_arm.deb
      Size/MD5 checksum:    85130 a87761b01081e99e8acc94f40f3aa50b
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnetd-ssl_0.17.17+0.1-2woody2_arm.deb
      Size/MD5 checksum:    48482 cabc1071adeac0c6472dfb10731d6995

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody2_i386.deb
      Size/MD5 checksum:    85456 5f9f99786a8a26c0dcdfacbd2da11383
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnetd-ssl_0.17.17+0.1-2woody2_i386.deb
      Size/MD5 checksum:    46586 fee9f04d1a9768f278537e5571300257

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody2_ia64.deb
      Size/MD5 checksum:   123126 5ed1d2854d7e91f90724bebcf590252f
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnetd-ssl_0.17.17+0.1-2woody2_ia64.deb
      Size/MD5 checksum:    66550 dd096a3593565c983d94730eae09eee9

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody2_hppa.deb
      Size/MD5 checksum:    86484 f8105593d974b60cd6fcb5f23c41a890
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnetd-ssl_0.17.17+0.1-2woody2_hppa.deb
      Size/MD5 checksum:    53812 a2a6d0755b21d53714b34d1a3a38450c

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody2_m68k.deb
      Size/MD5 checksum:    81360 2a99b7a46d1e7f4abad46afef6549351
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnetd-ssl_0.17.17+0.1-2woody2_m68k.deb
      Size/MD5 checksum:    45370 31cb862bbaefbcc9520834fd7393abfb

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody2_mips.deb
      Size/MD5 checksum:    97340 31a847f384aa1410f31785185d52bd75
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnetd-ssl_0.17.17+0.1-2woody2_mips.deb
      Size/MD5 checksum:    52136 311f7252452a4b39168a9ead120f71b2

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody2_mipsel.deb
      Size/MD5 checksum:    97156 de9a70f8a3893c6698d001970c863341
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnetd-ssl_0.17.17+0.1-2woody2_mipsel.deb
      Size/MD5 checksum:    52116 6086a1e35d1c224ece0083aaf798468a

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody2_powerpc.deb
      Size/MD5 checksum:    88072 2b57b6050d961c729870c33346d5c95c
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnetd-ssl_0.17.17+0.1-2woody2_powerpc.deb
      Size/MD5 checksum:    48690 28bc44df1d4506e0231ece63f1ee8b86

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody2_s390.deb
      Size/MD5 checksum:    88562 77152b7fa6062a90eb505216f1d26bab
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnetd-ssl_0.17.17+0.1-2woody2_s390.deb
      Size/MD5 checksum:    50266 c8deb57a9029c38d2fe5f08d11c8c466

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody2_sparc.deb
      Size/MD5 checksum:    89212 7b810e8f0f16651b4c1d0e5bd4142031
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnetd-ssl_0.17.17+0.1-2woody2_sparc.deb
      Size/MD5 checksum:    54466 b82619bdb5299873a25cbbedf541ff15


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBc3D1W5ql+IAeqTIRAmyUAKCSamaYsBVXMGbxDqaTuis6/ycAuACeIFuA
ORfQX9l2Iy0JnZSHx/MModQ=
=9Org
-----END PGP SIGNATURE-----


    

- 漏洞信息 (F34570)

dsa-556.txt (PacketStormID:F34570)
2004-10-13 00:00:00
Michal Zalewski  debian.org
advisory,remote,denial of service,arbitrary
linux,debian
CVE-2004-0911
[点击下载]

Debian Security Advisory DSA 556-1 - Due to a bug in the netkit-telnet server (telnetd), an a remote attacker could cause the telnetd process to free an invalid pointer. This causes the telnet server process to crash, leading to a straightforward denial of service (inetd will disable the service if telnetd is crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user).

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 556-1                     security@debian.org
http://www.debian.org/security/                             Matt Zimmerman
October 2nd, 2004                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : netkit-telnet
Vulnerability  : invalid free(3)
Problem-Type   : remote
Debian-specific: yes
CVE ID         : CAN-2004-0911
Debian Bug     : 273694

Michal Zalewski discovered a bug in the netkit-telnet server (telnetd)
whereby a remote attacker could cause the telnetd process to free an
invalid pointer.  This causes the telnet server process to crash,
leading to a straightforward denial of service (inetd will disable the
service if telnetd is crashed repeatedly), or possibly the execution
of arbitrary code with the privileges of the telnetd process (by
default, the 'telnetd' user).

For the stable distribution (woody) this problem has been fixed in
version 0.17-18woody1.

For the unstable distribution (sid) this problem has been fixed in
version 0.17-26.

We recommend that you upgrade your netkit-telnetpackage.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/n/netkit-telnet/netkit-telnet_0.17-18woody1.dsc
      Size/MD5 checksum:      602 9b997bc6951c08c4f22c29dfe8fd6cfb
    http://security.debian.org/pool/updates/main/n/netkit-telnet/netkit-telnet_0.17-18woody1.diff.gz
      Size/MD5 checksum:    22010 29a22dc590270539e60e040fe33678a3
    http://security.debian.org/pool/updates/main/n/netkit-telnet/netkit-telnet_0.17.orig.tar.gz
      Size/MD5 checksum:   133749 d6beabaaf53fe6e382c42ce3faa05a36

  Alpha architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody1_alpha.deb
      Size/MD5 checksum:    84080 64e59060bcc7713c33051b129eb7a7b2
    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody1_alpha.deb
      Size/MD5 checksum:    45712 dc1f4eba203e25e0e69fde84d0c68deb

  ARM architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody1_arm.deb
      Size/MD5 checksum:    69840 cee0940a812e1c14b3541bd408d8e772
    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody1_arm.deb
      Size/MD5 checksum:    39534 78a51c224f171e029799183b8ba42357

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody1_i386.deb
      Size/MD5 checksum:    70668 8f16858a8702fa7840c60fa272f336b5
    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody1_i386.deb
      Size/MD5 checksum:    37344 48eadf90962f7641c9b109e6ed0b31e4

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody1_ia64.deb
      Size/MD5 checksum:   102662 7ba021e10ae96097686b70c2b29c281d
    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody1_ia64.deb
      Size/MD5 checksum:    52356 a87e16a648e472e06c0bcacdee2a3465

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody1_hppa.deb
      Size/MD5 checksum:    69878 436ca10d3adf53cf95d0fb1532fe8ca4
    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody1_hppa.deb
      Size/MD5 checksum:    43430 f782d2555aba39ac4a3fc375601cbe41

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody1_m68k.deb
      Size/MD5 checksum:    67062 53604751760b712a28141bbfea772f02
    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody1_m68k.deb
      Size/MD5 checksum:    37350 b8ba70a9e2b9c94edfbc2d5ad482f5f5

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody1_mips.deb
      Size/MD5 checksum:    80782 34f5870ce7c7e90a7337e4ace622c145
    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody1_mips.deb
      Size/MD5 checksum:    42520 005a24828fe4c192cbcaaa1b9e4a4b09

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody1_mipsel.deb
      Size/MD5 checksum:    80670 b9cea5d2edda4f8c9453789c27aae058
    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody1_mipsel.deb
      Size/MD5 checksum:    42490 cdb8fbe3737a45b2d215d36f8952c6ee

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody1_powerpc.deb
      Size/MD5 checksum:    73142 0f784e76f7d00238a9e9b13b880682db
    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody1_powerpc.deb
      Size/MD5 checksum:    40184 5e9eddd27a6424698068bc990a98e6da

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody1_s390.deb
      Size/MD5 checksum:    73064 15178fb0215922e8084015c1745db52d
    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody1_s390.deb
      Size/MD5 checksum:    41132 b8842ed3b2b92196b78872bfd7486dd6

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody1_sparc.deb
      Size/MD5 checksum:    74078 367023264c0accb466316b5ef9479b54
    http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody1_sparc.deb
      Size/MD5 checksum:    45226 477922c39e0ed5ca85ff8209a93f6386

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBX3fbArxCt0PiXR4RAs9tAJoCnPwj94m4LhPCEuGGA7DoK227/gCdFji6
9aopH9fu0InxkJNaAkTvI4Y=
=3HVc
-----END PGP SIGNATURE-----

    

- 漏洞信息

10531
NetKit Telnet Service (netkit-telnetd) AYT Command Memory Handling Overflow
Remote / Network Access Denial of Service, Information Disclosure, Input Manipulation, Other
Loss of Confidentiality, Loss of Integrity, Loss of Availability

- 漏洞描述

A remote overflow exists in netkit-telnetd. The telnet daemon has an error within the processing of AYT ("Are You There") commands and may cause an invalid pointer to be freed resulting in a buffer overflow. With a specially crafted request, an attacker may cause a denial of servce or potentially execute arbitrary code resulting in a loss of integrity and/or availability.

- 时间线

2004-10-06 Unknow
Unknow Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

- 漏洞信息

Debian GNU/Linux Telnetd Invalid Memory Handling Vulnerability
Design Error 11313
Yes No
2004-10-03 12:00:00 2009-07-12 07:06:00
This vulnerability was reported to the vendor by Michal Zalewski.

- 受影响的程序版本

Debian telnetd-ssl 0.17.17 +0.1-2woody1
Debian telnetd-ssl 0.17.17 +0.1-2
Debian telnetd-ssl 0.17.17 +0.1-1
Debian telnetd 0.17 -25
Debian telnetd 0.17 -18
Debian telnetd-ssl 0.17.17 +0.1-2woody2
Debian telnetd 0.17 -26
Debian telnetd 0.17 -18woody1

- 不受影响的程序版本

Debian telnetd-ssl 0.17.17 +0.1-2woody2
Debian telnetd 0.17 -26
Debian telnetd 0.17 -18woody1

- 漏洞讨论

Telnetd as provided by Debian/GNU Linux is reported susceptible to an invalid memory handling vulnerability. This issue is due to a failure of the application to ensure that memory buffers are properly allocated and deallocated.

It is conjectured that attackers may potentially leverage this vulnerability to execute code in the context of the telnetd process. Debian GNU/Linux runs the process as the unprivileged 'telnetd' user by default.

Versions of telnetd prior to 0.17-18woody1 for the stable branch, and 0.17-26 for the unstable branch are reported to be affected by this vulnerability.

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com &lt;mailto:vuldb@securityfocus.com&gt;.

- 解决方案

Debian GNU/Linux has released advisory DSA 556-1, along with fixes to address this issue.

Debian Linux has released advisory DSA 569-1 dealing with this issue for their telnet-ssl distribution. Please see the referenced advisory for more information.

Debian has released DSA 556-2, which is a revision to their first advisory. This revision includes new fixes that reportedly resolve the issue where the original fixes did not. Please see the referenced advisory for more information.


Debian telnetd 0.17 -18

Debian telnetd-ssl 0.17.17 +0.1-2woody1

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站