CVE-2005-0468
CVSS 7.5
Published: 2005-05-02 00:00:00
Revised: 2010-08-21 00:26:11

[Original text] Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumes more memory than allocated.


[CNNVD] Telnet client env_opt_add() buffer overflow vulnerability (CNNVD-200505-503)

        The TELNET protocol is a network protocol that provides remote virtual terminal functionality, and many telnet server and client implementations exist. Several TELNET client implementations contain a buffer overflow vulnerability when handling the telnet NEW-ENVIRON suboption negotiation. If a user connects to a malicious telnet server with a vulnerable client program, malicious commands may be executed on the client machine.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9640: Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute a...
*OVAL describes the method for detecting this vulnerability in detail; further technical details on detection can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0468
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0468
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-503
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/341908
(UNKNOWN)  CERT-VN  VU#341908
http://www.redhat.com/support/errata/RHSA-2005-330.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2005:330
http://www.redhat.com/support/errata/RHSA-2005-327.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2005:327
http://www.debian.org/security/2005/dsa-703
(VENDOR_ADVISORY)  DEBIAN  DSA-703
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt
(VENDOR_ADVISORY)  CONFIRM  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt
ftp://patches.sgi.com/support/free/security/advisories/20050405-01-P
(PATCH)  SGI  20050405-01-P
http://www.ubuntulinux.org/usn/usn-224-1
(UNKNOWN)  UBUNTU  USN-224-1
http://www.securityfocus.com/bid/12919
(UNKNOWN)  BID  12919
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050328 Multiple Telnet Client env_opt_add() Buffer Overflow Vulnerability
http://www.debian.de/security/2005/dsa-731
(UNKNOWN)  DEBIAN  DSA-731
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57761-1
(UNKNOWN)  SUNALERT  57761
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57755-1
(UNKNOWN)  SUNALERT  57755
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101671-1
(UNKNOWN)  SUNALERT  101671
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101665-1
(UNKNOWN)  SUNALERT  101665
http://secunia.com/advisories/17899
(UNKNOWN)  SECUNIA  17899
http://secunia.com/advisories/14745
(UNKNOWN)  SECUNIA  14745
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000962
(UNKNOWN)  CONECTIVA  CLA-2005:962
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:01.telnet.asc
(VENDOR_ADVISORY)  FREEBSD  FreeBSD-SA-05:01.telnet
http://www.mandriva.com/security/advisories?name=MDKSA-2005:061
(UNKNOWN)  MANDRAKE  MDKSA-2005:061

- Vulnerability information

Telnet client env_opt_add() buffer overflow vulnerability
High risk  Buffer overflow
2005-05-02 00:00:00 2006-09-22 00:00:00
Remote
        The TELNET protocol is a network protocol that provides remote virtual terminal functionality, and many telnet server and client implementations exist. Several TELNET client implementations contain a buffer overflow vulnerability when handling the telnet NEW-ENVIRON suboption negotiation. If a user connects to a malicious telnet server with a vulnerable client program, malicious commands may be executed on the client machine.

- Advisories and patches

        The vendors have released upgrade patches to fix this security issue; patch download links:
        Heimdal Heimdal 0.6
        Heimdal heimdal-0.6.4.tar.gz
        ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.6.4.tar.gz
        Heimdal Heimdal 0.6.1
        Heimdal heimdal-0.6.4.tar.gz
        ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.6.4.tar.gz
        MIT Kerberos 5 1.3.3
        Fedora krb5-debuginfo-1.3.6-4.i386.rpm
        RedHat Fedora Core 2
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
        Fedora krb5-debuginfo-1.3.6-4.x86_64.rpm
        RedHat Fedora Core 2
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
        Fedora krb5-devel-1.3.6-4.i386.rpm
        RedHat Fedora Core 2
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
        Fedora krb5-devel-1.3.6-4.x86_64.rpm
        RedHat Fedora Core 2
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
        Fedora krb5-libs-1.3.6-4.i386.rpm
        RedHat Fedora Core 2
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
        Fedora krb5-libs-1.3.6-4.x86_64.rpm
        RedHat Fedora Core 2
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
        Fedora krb5-server-1.3.6-4.i386.rpm
        RedHat Fedora Core 2
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
        Fedora krb5-server-1.3.6-4.x86_64.rpm
        RedHat Fedora Core 2
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
        Fedora krb5-workstation-1.3.6-4.i386.rpm
        RedHat Fedora Core 2
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
        Fedora krb5-workstation-1.3.6-4.x86_64.rpm
        RedHat Fedora Core 2
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
        MIT Kerberos 5 1.3.6
        Ubuntu krb5-admin-server_1.3.6-1ubuntu0.1_amd64.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-admin-server_1.3.6-1ubuntu0.1_amd64.deb
        Ubuntu krb5-admin-server_1.3.6-1ubuntu0.1_powerpc.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-admin-server_1.3.6-1ubuntu0.1_powerpc.deb
        Ubuntu krb5-clients_1.3.6-1ubuntu0.1_amd64.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-clients_1.3.6-1ubuntu0.1_amd64.deb
        Ubuntu krb5-clients_1.3.6-1ubuntu0.1_i386.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-clients_1.3.6-1ubuntu0.1_i386.deb
        Ubuntu krb5-clients_1.3.6-1ubuntu0.1_powerpc.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-clients_1.3.6-1ubuntu0.1_powerpc.deb
        Ubuntu krb5-ftpd_1.3.6-1ubuntu0.1_amd64.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-ftpd_1.3.6-1ubuntu0.1_amd64.deb
        Ubuntu krb5-ftpd_1.3.6-1ubuntu0.1_i386.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-ftpd_1.3.6-1ubuntu0.1_i386.deb
        Ubuntu krb5-ftpd_1.3.6-1ubuntu0.1_powerpc.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-ftpd_1.3.6-1ubuntu0.1_powerpc.deb
        Ubuntu krb5-kdc_1.3.6-1ubuntu0.1_amd64.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-kdc_1.3.6-1ubuntu0.1_amd64.deb
        Ubuntu krb5-kdc_1.3.6-1ubuntu0.1_i386.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-kdc_1.3.6-1ubuntu0.1_i386.deb
        Ubuntu krb5-kdc_1.3.6-1ubuntu0.1_powerpc.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-kdc_1.3.6-1ubuntu0.1_powerpc.deb
        Ubuntu krb5-rsh-server_1.3.6-1ubuntu0.1_amd64.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-rsh-server_1.3.6-1ubuntu0.1_amd64.deb
        Ubuntu krb5-rsh-server_1.3.6-1ubuntu0.1_i386.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-rsh-server_1.3.6-1ubuntu0.1_i386.deb
        Ubuntu krb5-rsh-server_1.3.6-1ubuntu0.1_powerpc.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-rsh-server_1.3.6-1ubuntu0.1_powerpc.deb
        Ubuntu krb5-telnetd_1.3.6-1ubuntu0.1_amd

- Vulnerability information (F38276)

Gentoo Linux Security Advisory 200504-28 (PacketStormID:F38276)
2005-06-24 00:00:00
Gentoo  security.gentoo.org
advisory,overflow,vulnerability
linux,gentoo
CVE-2005-0468,CVE-2005-0469

Gentoo Linux Security Advisory GLSA 200504-28 - Buffer overflow vulnerabilities in the slc_add_reply() and env_opt_add() functions have been discovered by Gael Delalleau in the telnet client in Heimdal. Versions less than 0.6.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200504-28
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Heimdal: Buffer overflow vulnerabilities
      Date: April 28, 2005
      Bugs: #89861
        ID: 200504-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Buffer overflow vulnerabilities have been found in the telnet client in
Heimdal which could lead to execution of arbitrary code.

Background
==========

Heimdal is a free implementation of Kerberos 5 that includes a telnet
client program.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  app-crypt/heimdal       < 0.6.4                          >= 0.6.4

Description
===========

Buffer overflow vulnerabilities in the slc_add_reply() and
env_opt_add() functions have been discovered by Gael Delalleau in the
telnet client in Heimdal.

Impact
======

Successful exploitation would require a vulnerable user to connect to
an attacker-controlled host using the telnet client, potentially
executing arbitrary code with the permissions of the user running the
application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Heimdal users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-crypt/heimdal-0.6.4"

References
==========

  [ 1 ] CAN-2005-0468
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468
  [ 2 ] CAN-2005-0469
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200504-28.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
    

- Vulnerability information (F37094)

SCOSA-2005.21.txt (PacketStormID:F37094)
2005-04-18 00:00:00
 
advisory,remote,overflow,arbitrary,local
bsd
CVE-2005-0469,CVE-2005-0468

SCO Security Advisory - Buffer overflow in the slc_add_reply function in various BSD-based Telnet clients, when handling LINEMODE suboptions, allows remote attackers to execute arbitrary code via a reply with a large number of Set Local Character (SLC) commands.


______________________________________________________________________________

			SCO Security Advisory

Subject:		UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : telnet client multiple issues
Advisory number: 	SCOSA-2005.21
Issue date: 		2005 April 08
Cross reference:	sr893210 fz531446 erg712801 CAN-2005-0469 CAN-2005-0468
______________________________________________________________________________


1. Problem Description

	Buffer overflow in the slc_add_reply function in various
	BSD-based Telnet clients, when handling LINEMODE suboptions,
	allows remote attackers to execute arbitrary code via a
	reply with a large number of Set Local Character (SLC)
	commands. 

	The Common Vulnerabilities and Exposures project (cve.mitre.org) 
	has assigned the name CAN-2005-0469 to this issue. 

	Heap-based buffer overflow in the env_opt_add function
	in telnet.c for various BSD-based Telnet clients allows
	remote attackers to execute arbitrary code via responses
	that contain a large number of characters that require
	escaping, which consumes more memory than allocated. 
	
	The Common Vulnerabilities and Exposures project (cve.mitre.org)
	has assigned the name CAN-2005-0468 to this issue.


2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	UnixWare 7.1.4 			/usr/bin/telnet
	UnixWare 7.1.3 			/usr/bin/telnet
	UnixWare 7.1.1 			/usr/bin/telnet


3. Solution

	The proper solution is to install the latest packages.


4. UnixWare 7.1.4

	4.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21

	4.2 Verification

	MD5 (erg712801.714.pkg.Z) = bf53673ea12a1c25e3606a5b879adbc4

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools

	4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	Download erg712801.714.pkg.Z to the /var/spool/pkg directory

	# uncompress /var/spool/pkg/erg712801.714.pkg.Z
	# pkgadd -d /var/spool/pkg/erg712801.714.pkg


5. UnixWare 7.1.3

	5.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21

	5.2 Verification

	MD5 (erg712801.713.pkg.Z) = e876b261afbecb41c18c26d6ec11e71d

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools

	5.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	Download erg712801.713.pkg.Z to the /var/spool/pkg directory

	# uncompress /var/spool/pkg/erg712801.713.pkg.Z
	# pkgadd -d /var/spool/pkg/erg712801.713.pkg


6. UnixWare 7.1.1

	6.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21

	6.2 Verification

	MD5 (erg712801.711.pkg.Z) = f3099416a793c1f731bc7e377fe0e4a2

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools

	6.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	Download erg712801.711.pkg.Z to the /var/spool/pkg directory

	# uncompress /var/spool/pkg/erg712801.711.pkg.Z
	# pkgadd -d /var/spool/pkg/erg712801.711.pkg


7. References

	Specific references for this advisory:
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469 
		http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities 
		http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities

	SCO security resources:
		http://www.sco.com/support/security/index.html

	SCO security advisories via email
		http://www.sco.com/support/forums/security.html

	This security fix closes SCO incidents sr893210 fz531446
	erg712801.


8. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.


9. Acknowledgments

	SCO would like to thank Gaël Delalleau and iDEFENSE

______________________________________________________________________________

    

- Vulnerability information (F37029)

Gentoo Linux Security Advisory 200504-4 (PacketStormID:F37029)
2005-04-17 00:00:00
Gentoo  security.gentoo.org
advisory,overflow
linux,gentoo
CVE-2005-0468,CVE-2005-0469

Gentoo Linux Security Advisory GLSA 200504-04 - A buffer overflow has been identified in the env_opt_add() function, where a response requiring excessive escaping can cause a heap-based buffer overflow. Another issue has been identified in the slc_add_reply() function, where a large number of SLC commands can overflow a fixed size buffer. Versions less than 1.3.6-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200504-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: mit-krb5: Multiple buffer overflows in telnet client
      Date: April 06, 2005
      Bugs: #87145
        ID: 200504-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The mit-krb5 telnet client is vulnerable to two buffer overflows, which
could allow a malicious telnet server operator to execute arbitrary
code.

Background
==========

The MIT Kerberos 5 implementation provides a command line telnet client
which is used for remote login via the telnet protocol.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  app-crypt/mit-krb5     < 1.3.6-r2                     >= 1.3.6-r2

Description
===========

A buffer overflow has been identified in the env_opt_add() function,
where a response requiring excessive escaping can cause a heap-based
buffer overflow. Another issue has been identified in the
slc_add_reply() function, where a large number of SLC commands can
overflow a fixed size buffer.

Impact
======

Successful exploitation would require a vulnerable user to connect to
an attacker-controlled telnet host, potentially executing arbitrary
code with the permissions of the telnet user on the client.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All mit-krb5 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.3.6-r2"

References
==========

  [ 1 ] CAN-2005-0468
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468
  [ 2 ] CAN-2005-0469
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
  [ 3 ] MITKRB5-SA-2005-001

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2005-001-telnet.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200504-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

    

- Vulnerability information (F36947)

dsa-703.txt (PacketStormID:F36947)
2005-04-14 00:00:00
 
advisory
linux,debian
CVE-2005-0468,CVE-2005-0469

Debian Security Advisory 703-1 - Several problems have been discovered in telnet clients that could be exploited by malicious daemons the client connects to.


- --------------------------------------------------------------------------
Debian Security Advisory DSA 703-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
April 1st, 2005                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : krb5
Vulnerability  : buffer overflows
Problem-Type   : remote
Debian-specific: no
CVE IDs        : CAN-2005-0468 CAN-2005-0469
CERT advisories: VU#341908 VU#291924

Several problems have been discovered in telnet clients that could be
exploited by malicious daemons the client connects to.  The Common
Vulnerabilities and Exposures project identifies the following
problems:

CAN-2005-0468

    Ga    

- Vulnerability information (F36938)

Gentoo Linux Security Advisory 200504-1 (PacketStormID:F36938)
2005-04-14 00:00:00
Gentoo  security.gentoo.org
advisory,overflow
linux,bsd,gentoo
CVE-2005-0468,CVE-2005-0469

Gentoo Linux Security Advisory GLSA 200504-01 - A buffer overflow has been identified in the env_opt_add() function of telnet-bsd, where a response requiring excessive escaping can cause a heap-based buffer overflow. Another issue has been identified in the slc_add_reply() function, where a large number of SLC commands can overflow a fixed size buffer. Versions less than 1.0-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200504-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: telnet-bsd: Multiple buffer overflows
      Date: April 01, 2005
      Bugs: #87019
        ID: 200504-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The telnet-bsd telnet client is vulnerable to two buffer overflows,
which could allow a malicious telnet server operator to execute
arbitrary code.

Background
==========

telnet-bsd provides a command line telnet client which is used for
remote login using the telnet protocol.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  net-misc/telnet-bsd      < 1.0-r1                       >= 1.0-r1

Description
===========

A buffer overflow has been identified in the env_opt_add() function of
telnet-bsd, where a response requiring excessive escaping can cause a
heap-based buffer overflow. Another issue has been identified in the
slc_add_reply() function, where a large number of SLC commands can
overflow a fixed size buffer.

Impact
======

Successful exploitation would require a vulnerable user to connect to
an attacker-controlled host using telnet, potentially executing
arbitrary code with the permissions of the telnet user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All telnet-bsd users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/telnet-bsd-1.0-r1"

References
==========

  [ 1 ] CAN-2005-0468
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468
  [ 2 ] IDEF0867

http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
  [ 3 ] CAN-2005-0469
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
  [ 4 ] IDEF0866

http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200504-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

    

- Vulnerability information (F36854)

MITKRB5-SA-2005-001-telnet.txt (PacketStormID:F36854)
2005-03-29 00:00:00
 
advisory,overflow
CVE-2005-0468

MIT krb5's supplied telnet client is vulnerable to buffer overflows in the functions slc_add_reply() and env_opt_add(). These can be exploited by a malicious server to which the client is trying to connect.


                 MIT krb5 Security Advisory 2005-001

Original release: 2005-03-28

Topic: Buffer overflows in telnet client

Severity: serious

SUMMARY
=======

The telnet client program supplied with MIT Kerberos 5 has buffer
overflows in the functions slc_add_reply() and env_opt_add(), which
may lead to remote code execution.

IMPACT
======

An attacker controlling or impersonating a telnet server may execute
arbitrary code with the privileges of the user running the telnet
client.  The attacker would need to convince the user to connect to a
malicious server, perhaps by automatically launching the client from a
web page.  Additional user interaction may not be required if the
attacker can get the user to view HTML containing an IFRAME tag
containing a "telnet:" URL pointing to a malicious server.

AFFECTED SOFTWARE
=================

* telnet client programs included with the MIT Kerberos 5
  implementation, up to and including release krb5-1.4.

* Other telnet client programs derived from the BSD telnet
  implementation may be vulnerable.

FIXES
=====

* WORKAROUND: Disable handling of "telnet:" URLs in web browsers,
  email readers, etc., or remove execute permissions from the telnet
  client program.

* The upcoming krb5-1.4.1 patch release will contain fixes for this
  problem.

* Apply the patch found at:

  http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt.asc

  The patch was generated against the krb5-1.4 release.  It may apply
  against earlier releases with some offset.

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

[IDEF0866] Multiple Telnet Client slc_add_reply() Buffer Overflow
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities

CVE: CAN-2005-0469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469

[IDEF0867] Multiple Telnet Client env_opt_add() Buffer Overflow
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities

CVE: CAN-2005-0468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468

ACKNOWLEDGMENTS
===============

Thanks to iDEFENSE for notifying us of these vulnerabilities, and for
providing useful feedback.

DETAILS
=======

The slc_add_reply() function in telnet.c performs inadequate length
checking.  By sending a carefully crafted telnet LINEMODE suboption
string, a malicious telnet server may cause a telnet client to
overflow a fixed-size data segment or BSS buffer and execute arbitrary
code.

The env_opt_add() function in telnet.c performs inadequate length
checking.  By sending a carefully crafted telnet NEW-ENVIRON suboption
string, a malicious telnet server may cause a telnet client to
overflow a heap buffer and execute arbitrary code.

REVISION HISTORY
================

2005-03-28      original release

Copyright (C) 2005 Massachusetts Institute of Technology
    

- Vulnerability information (F36841)

iDEFENSE Security Advisory 2005-03-28.2 (PacketStormID:F36841)
2005-03-29 00:00:00
iDefense Labs,Gael Delalleau  idefense.com
advisory,remote,overflow,arbitrary
solaris,bsd
CVE-2005-0468

iDEFENSE Security Advisory 03.28.05 - Remote exploitation of a buffer overflow vulnerability in multiple telnet clients could allow the execution of arbitrary code. The vulnerability specifically exists in the env_opt_add() function of telnet.c. iDEFENSE has confirmed the existence of the vulnerability in the telnet client included in the Kerberos V5 Release 1.3.6 package and the client included in the SUNWtnetc package of Solaris 5.9. It is suspected that most BSD based telnet clients are affected by this vulnerability.

Multiple Telnet Client env_opt_add() Buffer Overflow Vulnerability

iDEFENSE Security Advisory 03.28.05
www.idefense.com/application/poi/display?id=221&type=vulnerabilities
March 28, 2005

I. BACKGROUND

The TELNET protocol allows virtual network terminals to be connected to 
over the internet. The initial description of the telnet protocol was 
given in RFC854 in May 1983. Since then there have been many extra 
features added including encryption. 

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in multiple
telnet clients could allow the execution of arbitrary code.

The vulnerability specifically exists in the env_opt_add() function of
telnet.c. A buffer of a fixed size (256 bytes) is allocated to store the
result of the processing this function performs on network input. If
this buffer is not large enough to contain the string, the buffer is 
expanded by a further 256 bytes. This size is sufficient for most well 
formed input, as the buffer passed as input to the affected function is 
limited to the same size. However, due to the way the telnet protocol 
escapes certain characters, it is possible to increase the length of the
output by including a large run of characters which need escaping. This 
can allow the 256 byte input buffer to expand to a maximum of 512 bytes 
in the allocated storage buffer. If, after expanding the buffer by 256 
bytes, the buffer is still not large enough to contain the input, a heap
based buffer overflow occurs, which is exploitable on at least some 
affected platforms.
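The sizing error the two preceding paragraphs describe (and that the MIT advisory's DETAILS section above attributes to inadequate length checking in env_opt_add()), modelled as an added example; this is not code from telnet.c or from any vendor patch. It assumes a 6-byte framing overhead and treats IAC plus the four NEW-ENVIRON control codes as the bytes that need escaping; the flawed path budgets on the unescaped length and grows once, the hardened path budgets on the escaped length and grows until it fits.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Telnet byte values involved in a NEW-ENVIRON reply (RFC 854 / RFC 1572). */
#define IAC          255
#define ENV_VAR        0
#define ENV_VALUE      1
#define ENV_ESC        2
#define ENV_USERVAR    3

/* Buffer geometry as the advisory describes it: a 256-byte reply buffer grown by
 * a further 256 bytes when input does not fit. 6-byte framing is an assumption. */
#define REPLY_INITIAL   256
#define REPLY_GROW      256
#define REPLY_OVERHEAD    6

/* IAC is escaped by doubling; the four NEW-ENVIRON control codes get an
 * ENV_ESC prefix. Either way one input byte becomes two output bytes. */
static int needs_escape(unsigned char c)
{
    return c == IAC || c == ENV_VAR || c == ENV_VALUE ||
           c == ENV_ESC || c == ENV_USERVAR;
}

/* Exact length of s[0..n) once escaped: the figure a correct check must use. */
size_t escaped_len(const unsigned char *s, size_t n)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++)
        out += needs_escape(s[i]) ? 2 : 1;
    return out;
}

/* Capacity reserved by the flawed sizing: it budgets for the raw length and
 * grows at most once, so it never exceeds 512 bytes for a 256-byte input. */
size_t flawed_capacity(size_t raw_len)
{
    size_t cap = REPLY_INITIAL;
    if (raw_len + REPLY_OVERHEAD > cap)
        cap += REPLY_GROW;
    return cap;
}

/* 1 if the escaped form plus framing exceeds the flawed reservation. */
int flawed_sizing_overflows(const unsigned char *s, size_t n)
{
    return escaped_len(s, n) + REPLY_OVERHEAD > flawed_capacity(n);
}

/* Hardened sizing: budget for the escaped length and grow until it fits. */
size_t safe_capacity(const unsigned char *s, size_t n)
{
    size_t need = escaped_len(s, n) + REPLY_OVERHEAD;
    size_t cap = REPLY_INITIAL;
    while (cap < need)
        cap += REPLY_GROW;
    return cap;
}

/* Escape s[0..n) into dst (cap bytes). Returns bytes written, or 0 when the
 * escaped form would not fit: the bound is checked before any byte is written. */
size_t escape_into(unsigned char *dst, size_t cap, const unsigned char *s, size_t n)
{
    if (escaped_len(s, n) > cap)
        return 0;
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (needs_escape(s[i]))
            dst[o++] = (s[i] == IAC) ? IAC : ENV_ESC;  /* escape byte first */
        dst[o++] = s[i];
    }
    return o;
}

/* Constructed sample: a 256-byte value made entirely of IAC bytes, the worst
 * case for escaping (every byte doubles). */
const unsigned char *sample_worst_case(void)
{
    static unsigned char v[REPLY_INITIAL];
    memset(v, IAC, sizeof v);
    return v;
}

/* Shared 1 KiB destination for trying escape_into(). */
unsigned char *scratch(void)
{
    static unsigned char buf[1024];
    return buf;
}

int main(void)
{
    const unsigned char *w = sample_worst_case();
    printf("raw %d -> escaped %zu, flawed cap %zu (overflow=%d), safe cap %zu\n",
           REPLY_INITIAL, escaped_len(w, REPLY_INITIAL), flawed_capacity(REPLY_INITIAL),
           flawed_sizing_overflows(w, REPLY_INITIAL), safe_capacity(w, REPLY_INITIAL));
    return 0;
}
```

For the worst-case sample the flawed reservation stops at 512 bytes while 518 are needed, which is the post-growth shortfall the advisory describes; the hardened sizing reserves 768.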

III. ANALYSIS

Successful exploitation of this vulnerability could allow an attacker to
execute arbitrary commands in the context of the user who launched the 
telnet client.

In order to exploit this vulnerability, an attacker would need to 
convince the user to connect to their malicious server. It may be 
possible to automatically launch the telnet command from a webpage, for 
example:

<html><body>
<iframe src='telnet://malicious.server/'>
</body>

On opening this page the telnet client may be launched and attempt to 
connect to the host 'malicious.server'.

IV. DETECTION

iDEFENSE has confirmed the existence of the vulnerability in the telnet 
client included in the Kerberos V5 Release 1.3.6 package and the client 
included in the SUNWtnetc package of Solaris 5.9. It is suspected that 
most BSD based telnet clients are affected by this vulnerability.

V. WORKAROUND

iDEFENSE is currently unaware of any effective workarounds for this 
vulnerability.

VI. VENDOR RESPONSE

The following vendors have provided official responses related to this
vulnerability. Other vendors may be affected but have not provided an
official response.

Vulnerable:

- ALT Linux
All supported ALT Linux distributions include telnet client derived from
OpenBSD 3.0. The env_opt_add() buffer overflow vulnerability is present
in all our telnet clients.  Updated packages with fixes for these issues
will be released on March 28, 2005.
http://lists.altlinux.ru/pipermail/security-announce/2005-March/000287.html

- Apple Computer, Inc.
Component:  Telnet
Available for: Mac OS X 10.3.8, Mac OS X Server 10.3.8
This is fixed in Security Update 2005-003, which is available at
http://docs.info.apple.com/article.html?artnum=61798

- FreeBSD
FreeBSD-SA-05:01.telnet security advisory:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:01.telnet.asc

- MIT (Kerberos)
This vulnerability is covered in the following upcoming advisory:
MITKRB5-SA-2005-001:
   http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt
patch against krb5-1.4:
      http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt

- Openwall Project
The bugs are fixed starting with telnet package version 3.0-owl2.
   http://www.openwall.com/Owl/CHANGES-current.shtml

- Red Hat, Inc.
Red Hat Enterprise Linux ships with telnet and krb5 packages vulnerable
to this issue.  New telnet and krb5 packages are now available along
with our advisory at the URLs below and by using the Red Hat Network
'up2date' tool.
   Red Hat Enterprise Linux - telnet
      http://rhn.redhat.com/errata/RHSA-2005-330.html
   Red Hat Enterprise Linux - krb5
      http://rhn.redhat.com/errata/RHSA-2005-327.html

- Sun Microsystems Inc.
Sun confirms that the telnet(1) vulnerabilities do affect all
currently supported versions of Solaris:
   Solaris 7, 8, 9 and 10
Sun has released a Sun Alert which describes a workaround until patches
are available at:
   http://sunsolve.sun.com
   Sun Alert #57755  
The Sun Alert will be updated with the patch information once it becomes
available. Sun patches are available from:
   http://sunsolve.sun.com/securitypatch

Not Vulnerable:

- CyberSafe Limited
The CyberSafe TrustBroker products, version 3.0 or later, are not
vulnerable.

- Hewlett-Packard Development Company, L.P.
HP-UX and HP Tru64 UNIX are not vulnerable.

- InterSoft International, Inc.
InterSoft International, Inc. products NetTerm, SecureNetTerm and
SNetTerm are not affected by the env_opt_add() buffer overflow
conditions.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0468 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/18/2005  Initial vendor notifications
03/28/2005  Coordinated public disclosure

IX. CREDIT

Ga    

- Vulnerability Information

ID: 15093
Title: Multiple Vendor Telnet env_opt_add Function Remote Overflow
Location: Remote / Network Access, Context Dependent
Attack type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Private
Disclosure: Vendor Verified, Coordinated Disclosure

- Vulnerability Description

- Timeline

2005-03-28 Unknown
Unknown 2005-03-28

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, ALT Linux, Apple, FreeBSD, MIT (Kerberos), Openwall Project, Red Hat, and Oracle (formerly Sun Microsystems) have released patches for their respective products to address this vulnerability.

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Multiple Vendor Telnet Client Env_opt_add Heap-Based Buffer Overflow Vulnerability
Class: Boundary Condition Error
Bugtraq ID: 12919
Remote: Yes
Local: No
Published: 2005-03-28 12:00:00
Updated: 2007-02-22 06:56:00
Gael Delalleau is credited with the discovery of this issue.

- Affected Versions

Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Enterprise Linux 2.0
SuSE SUSE Linux Enterprise Server 8
SuSE SUSE Linux Enterprise Server 7
Sun SEAM 1.0.2
+ Sun Solaris 9_x86
+ Sun Solaris 9
Sun SEAM 1.0.1
Sun SEAM 1.0
Slackware Linux 10.1
Slackware Linux 10.0
Slackware Linux 9.1
Slackware Linux 9.0
Slackware Linux 8.1
Slackware Linux -current
SGI ProPack 3.0
SGI IRIX 6.5.27
SGI IRIX 6.5.26
SGI IRIX 6.5.25
SGI IRIX 6.5.24 m
SGI IRIX 6.5.24
SGI IRIX 6.5.23 m
SGI IRIX 6.5.23
SGI IRIX 6.5.22 m
SGI IRIX 6.5.22
SGI IRIX 6.5.21 m
SGI IRIX 6.5.21 f
SGI IRIX 6.5.21
SGI IRIX 6.5.20 m
SGI IRIX 6.5.20 f
SGI IRIX 6.5.20
SGI IRIX 6.5.19 m
SGI IRIX 6.5.19 f
SGI IRIX 6.5.19
SGI IRIX 6.5.18 m
SGI IRIX 6.5.18 f
SGI IRIX 6.5.18
SGI IRIX 6.5.17 m
SGI IRIX 6.5.17 f
SGI IRIX 6.5.17
SGI IRIX 6.5.16 m
SGI IRIX 6.5.16 f
SGI IRIX 6.5.16
SGI IRIX 6.5.15 m
SGI IRIX 6.5.15 f
SGI IRIX 6.5.15
SGI IRIX 6.5.14 m
SGI IRIX 6.5.14 f
SGI IRIX 6.5.14
SGI IRIX 6.5.13 m
SGI IRIX 6.5.13 f
SGI IRIX 6.5.13
SGI IRIX 6.5.12 m
SGI IRIX 6.5.12 f
SGI IRIX 6.5.12
SGI IRIX 6.5.11 m
SGI IRIX 6.5.11 f
SGI IRIX 6.5.11
SGI IRIX 6.5.10 m
SGI IRIX 6.5.10 f
SGI IRIX 6.5.10
SGI IRIX 6.5.9 m
SGI IRIX 6.5.9 f
SGI IRIX 6.5.9
SGI IRIX 6.5.8 m
SGI IRIX 6.5.8 f
SGI IRIX 6.5.8
SGI IRIX 6.5.7 m
SGI IRIX 6.5.7 f
SGI IRIX 6.5.7
SGI IRIX 6.5.6 m
SGI IRIX 6.5.6 f
SGI IRIX 6.5.6
SGI IRIX 6.5.5 m
SGI IRIX 6.5.5 f
SGI IRIX 6.5.5
SGI IRIX 6.5.4 m
SGI IRIX 6.5.4 f
SGI IRIX 6.5.4
SGI IRIX 6.5.3 m
SGI IRIX 6.5.3 f
SGI IRIX 6.5.3
SGI IRIX 6.5.2 m
SGI IRIX 6.5.2 f
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5 20
SGI IRIX 6.5 .19m
SGI IRIX 6.5 .19f
SGI IRIX 6.5
SGI IRIX 6.4
SGI IRIX 6.3
SGI IRIX 6.2
SGI IRIX 6.1
SGI IRIX 6.0.1 XFS
SGI IRIX 6.0.1
SGI IRIX 6.0
SGI IRIX 5.3 XFS
SGI IRIX 5.3
SGI IRIX 5.2
SGI IRIX 5.1.1
SGI IRIX 5.1
SGI IRIX 5.0.1
SGI IRIX 5.0
SGI IRIX 4.0.5 IPR
SGI IRIX 4.0.5 H
SGI IRIX 4.0.5 G
SGI IRIX 4.0.5 F
SGI IRIX 4.0.5 E
SGI IRIX 4.0.5 D
SGI IRIX 4.0.5 A
SGI IRIX 4.0.5 (IOP)
SGI IRIX 4.0.5
SGI IRIX 4.0.4 T
SGI IRIX 4.0.4 B
SGI IRIX 4.0.4
SGI IRIX 4.0.3
SGI IRIX 4.0.2
SGI IRIX 4.0.1 T
SGI IRIX 4.0.1
SGI IRIX 4.0
SGI IRIX 3.3.3
SGI IRIX 3.3.2
SGI IRIX 3.3.1
SGI IRIX 3.3
SGI IRIX 3.2
SCO Unixware 7.1.4
SCO Unixware 7.1.3
SCO Unixware 7.1.1
SCO Open Server 5.0.7
SCO Open Server 5.0.6
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux 8.0
S.u.S.E. Linux 7.3 sparc
S.u.S.E. Linux 7.3 ppc
S.u.S.E. Linux 7.3 i386
S.u.S.E. Linux 7.3
S.u.S.E. Linux 7.2 i386
S.u.S.E. Linux 7.2
S.u.S.E. Linux 7.1 x86
S.u.S.E. Linux 7.1 sparc
S.u.S.E. Linux 7.1 ppc
S.u.S.E. Linux 7.1 alpha
S.u.S.E. Linux 7.1
S.u.S.E. Linux 7.0 sparc
S.u.S.E. Linux 7.0 ppc
S.u.S.E. Linux 7.0 i386
S.u.S.E. Linux 7.0 alpha
S.u.S.E. Linux 7.0
RedHat Linux 9.0 i386
RedHat Linux 7.3 i686
RedHat Linux 7.3 i386
RedHat Linux 7.3
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core1
Openwall Openwall GNU/*/Linux 1.1
Openwall Openwall GNU/*/Linux 1.0
Openwall Openwall GNU/*/Linux (Owl)-current
OpenBSD OpenBSD 3.6
OpenBSD OpenBSD 3.5
Netkit Linux Netkit 0.17.17
Netkit Linux Netkit 0.17
Netkit Linux Netkit 0.16
Netkit Linux Netkit 0.15
Netkit Linux Netkit 0.14
Netkit Linux Netkit 0.12
Netkit Linux Netkit 0.11
Netkit Linux Netkit 0.10
Netkit Linux Netkit 0.9
NetBSD NetBSD 2.0.2
NetBSD NetBSD 2.0.1
NetBSD NetBSD 2.0
MIT Kerberos 5 1.4
MIT Kerberos 5 1.3.6
+ Gentoo Linux
+ Red Hat Fedora Core3
+ Red Hat Fedora Core2
+ Red Hat Fedora Core1
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
MIT Kerberos 5 1.3.5
MIT Kerberos 5 1.3.4
MIT Kerberos 5 1.3.3
MIT Kerberos 5 1.3.2
MIT Kerberos 5 1.3.1
MIT Kerberos 5 1.3 -alpha1
MIT Kerberos 5 1.3
MIT Kerberos 5 1.2.8
MIT Kerberos 5 1.2.7
MIT Kerberos 5 1.2.6
MIT Kerberos 5 1.2.5
MIT Kerberos 5 1.2.4
MIT Kerberos 5 1.2.3
MIT Kerberos 5 1.2.2 -beta1
MIT Kerberos 5 1.2.2
MIT Kerberos 5 1.2.1
MIT Kerberos 5 1.2
MIT Kerberos 5 1.1.1
+ Red Hat Linux 6.2
- RedHat Linux 7.1 ia64
- RedHat Linux 7.1 i386
- RedHat Linux 7.1 alpha
- RedHat Linux 7.1
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
MIT Kerberos 5 1.1
MIT Kerberos 5 1.0.8
MIT Kerberos 5 1.0.6
MIT Kerberos 5 1.0
Heimdal Heimdal 0.6.3
Heimdal Heimdal 0.6.2
Heimdal Heimdal 0.6.1
Heimdal Heimdal 0.6
Heimdal Heimdal 0.5.3
Heimdal Heimdal 0.5.2
Heimdal Heimdal 0.5.1
Heimdal Heimdal 0.5 .0
Gentoo Linux
FreeBSD FreeBSD 5.4 -PRERELEASE
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.3 -RELEASE
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 5.2.1 -RELEASE
FreeBSD FreeBSD 5.2 -RELENG
FreeBSD FreeBSD 5.2 -RELEASE
FreeBSD FreeBSD 5.2
FreeBSD FreeBSD 5.1 -RELENG
FreeBSD FreeBSD 5.1 -RELEASE/Alpha
FreeBSD FreeBSD 5.1 -RELEASE-p5
FreeBSD FreeBSD 5.1 -RELEASE
FreeBSD FreeBSD 5.1
FreeBSD FreeBSD 5.0 -RELENG
FreeBSD FreeBSD 5.0 -RELEASE-p14
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.11 -STABLE
FreeBSD FreeBSD 4.10 -RELENG
FreeBSD FreeBSD 4.10 -RELEASE
FreeBSD FreeBSD 4.10
FreeBSD FreeBSD 4.9 -RELENG
FreeBSD FreeBSD 4.9 -PRERELEASE
FreeBSD FreeBSD 4.9
FreeBSD FreeBSD 4.8 -RELENG
FreeBSD FreeBSD 4.8 -RELEASE-p7
FreeBSD FreeBSD 4.8 -PRERELEASE
FreeBSD FreeBSD 4.8
FreeBSD FreeBSD 4.7 -STABLE
FreeBSD FreeBSD 4.7 -RELENG
FreeBSD FreeBSD 4.7 -RELEASE-p17
FreeBSD FreeBSD 4.7 -RELEASE
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6.2
FreeBSD FreeBSD 4.6 -STABLE
FreeBSD FreeBSD 4.6 -RELENG
FreeBSD FreeBSD 4.6 -RELEASE-p20
FreeBSD FreeBSD 4.6 -RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
FreeBSD FreeBSD 4.5 -STABLE
FreeBSD FreeBSD 4.5 -RELENG
FreeBSD FreeBSD 4.5 -RELEASE-p32
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4 -STABLE
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELEASE-p42
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3 -STABLE
FreeBSD FreeBSD 4.3 -RELENG
FreeBSD FreeBSD 4.3 -RELEASE-p38
FreeBSD FreeBSD 4.3 -RELEASE
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.2 -STABLEpre122300
FreeBSD FreeBSD 4.2 -STABLEpre050201
FreeBSD FreeBSD 4.2 -STABLE
FreeBSD FreeBSD 4.2 -RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1 -RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0 .x
FreeBSD FreeBSD 4.0 -RELENG
FreeBSD FreeBSD 4.0 alpha
FreeBSD FreeBSD 4.0
F5 BigIP 4.6.2
F5 BigIP 4.6
F5 BigIP 4.5.12
F5 BigIP 4.5.11
F5 BigIP 4.5.10
F5 BigIP 4.5.9
F5 BigIP 4.5.6
F5 BigIP 4.5
F5 BigIP 4.4
F5 BigIP 4.3
F5 BigIP 4.2
F5 BigIP 4.0
F5 3-DNS 4.6.2
F5 3-DNS 4.6
F5 3-DNS 4.5.12
F5 3-DNS 4.5.11
F5 3-DNS 4.5
F5 3-DNS 4.4
F5 3-DNS 4.3
F5 3-DNS 4.2
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Conectiva Linux 10.0
Conectiva Linux 9.0
Avaya S8710 R2.0.1
Avaya S8710 R2.0.0
Avaya S8700 R2.0.1
Avaya S8700 R2.0.0
Avaya S8500 R2.0.1
Avaya S8500 R2.0.0
Avaya S8300 R2.0.1
Avaya S8300 R2.0.0
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Avaya Modular Messaging S3400
Avaya MN100
Avaya Intuity LX
Avaya CVLAN
Avaya Converged Communications Server 2.0
Apple Mac OS X Server 10.3.8
Apple Mac OS X Server 10.3.7
Apple Mac OS X Server 10.3.6
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X Server 10.2.8
Apple Mac OS X Server 10.2.7
Apple Mac OS X Server 10.2.6
Apple Mac OS X Server 10.2.5
Apple Mac OS X Server 10.2.4
Apple Mac OS X Server 10.2.3
Apple Mac OS X Server 10.2.2
Apple Mac OS X Server 10.2.1
Apple Mac OS X Server 10.2
Apple Mac OS X Server 10.1.5
Apple Mac OS X Server 10.1.4
Apple Mac OS X Server 10.1.3
Apple Mac OS X Server 10.1.2
Apple Mac OS X Server 10.1.1
Apple Mac OS X Server 10.1
Apple Mac OS X Server 10.0
Apple Mac OS X 10.3.8
Apple Mac OS X 10.3.7
Apple Mac OS X 10.3.6
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3
Apple Mac OS X 10.2.8
Apple Mac OS X 10.2.7
Apple Mac OS X 10.2.6
Apple Mac OS X 10.2.5
Apple Mac OS X 10.2.4
Apple Mac OS X 10.2.3
Apple Mac OS X 10.2.2
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2
Apple Mac OS X 10.1.5
Apple Mac OS X 10.1.4
Apple Mac OS X 10.1.3
Apple Mac OS X 10.1.2
Apple Mac OS X 10.1.1
Apple Mac OS X 10.1
Apple Mac OS X 10.0.4
Apple Mac OS X 10.0.3
Apple Mac OS X 10.0.2
Apple Mac OS X 10.0.1
Apple Mac OS X 10.0 3
Apple Mac OS X 10.0
ALT Linux ALT Linux Junior 2.3
ALT Linux ALT Linux Compact 2.3

- Unaffected Versions

Slackware Linux 10.1
Slackware Linux 10.0
Slackware Linux 9.1
Slackware Linux 9.0
Slackware Linux 8.1
Slackware Linux -current
NetBSD NetBSD 2.0.3
Heimdal Heimdal 0.6.4
F5 BigIP 4.6.3
F5 BigIP 4.5.13
F5 3-DNS 4.6.3
F5 3-DNS 4.5.13

- Vulnerability Discussion

Multiple vendors' Telnet client applications are reported prone to a remote buffer-overflow vulnerability. This vulnerability reportedly occurs in the 'env_opt_add()' function in the 'telnet.c' source file, which is apparently common source for all the affected vendors.

A remote attacker may exploit this vulnerability to execute arbitrary code on some of the affected platforms in the context of a user that is using the vulnerable Telnet client to connect to a malicious server.

- Exploit

The following proof-of-concept code, designed to simply trigger this issue, has been made available:

perl -e 'print "\377", "\372\42\3\377\377\3\3" x 43, "\377\360"' | nc -l 23

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Solution

Please see the referenced advisories for details on obtaining and applying the appropriate updates.

Heimdal Heimdal 0.6
Heimdal Heimdal 0.6.1
MIT Kerberos 5 1.3.3
MIT Kerberos 5 1.3.6
Apple Mac OS X Server 10.3.8
Debian Linux 3.0 mips
Debian Linux 3.0 mipsel
SCO Unixware 7.1.1
SCO Unixware 7.1.4
- References
