[NEWS] Multiple Telnet Client env_opt_add() and slc_add_reply() Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 03/29/05

    To: list@securiteam.com
    Date: 29 Mar 2005 11:32:52 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Multiple Telnet Client env_opt_add() and slc_add_reply() Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    The TELNET protocol "allows virtual network terminals to be connected to
    over the Internet. The initial description of the telnet protocol was
    given in RFC854 in May 1983. Since then there have been many extra
    features added including encryption".

    Remote exploitation of two buffer overflow vulnerabilities in multiple
    telnet clients could allow the execution of arbitrary code.

    DETAILS

    Vulnerable Systems:
     * Telnet Client provided with Kerberos V5 Release 1.3.6
     * Telnet Client provided with SUNWtnetc package of Solaris 5.9

    slc_add_reply() Vulnerability:
    The vulnerability specifically exists in the handling of the LINEMODE
    suboptions, in that there is no size check made on the output, which is
    stored in a fixed length buffer. By sending a specially constructed reply
    containing a large number of SLC (Set Local Character) commands, it is
    possible to overflow this buffer with server supplied data.

    Proof of Concept for slc_add_reply():
    The following one-liner can be used to trigger this overflow:
    perl -e 'print "\377", "\372\42\3\377\377\3\3" x 43, "\377\360"' | nc -l 2

    This results in 300 bytes written into the 128-byte buffer. On Owl (telnet
    client derived from OpenBSD 3.0), the effect was that the escape character
    ('^]') stopped working. Other than that, the client proceeded to work as
    usual. Indeed, with the patch this effect is gone.
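
    The LINEMODE SLC handling described above, as an added example that is not code from any of the affected telnet clients: a parser for the IAC SB LINEMODE SLC ... IAC SE suboption that builds the reply into the 128-byte buffer with the size check the advisory says was missing, while also counting how many bytes an unchecked builder would have written. The struct, the function names and the constructed sample message are this example's own.

```c
#include <stddef.h>
#include <string.h>
/* Telnet byte values (RFC 854, RFC 1116 LINEMODE) and the 128-byte reply buffer. */
enum { IAC = 255, SB = 250, SE = 240, LINEMODE = 34, SLC = 3, SLC_REPLY_SIZE = 128 };

/* Bounded reply: len = bytes written, needed = bytes an unchecked builder
   would have written, dropped = triplets refused for lack of room. */
typedef struct { unsigned char buf[SLC_REPLY_SIZE]; size_t len, needed, dropped; } slc_reply_t;

/* Append one SLC triplet (func, flags, level), doubling any 0xff byte as the
   protocol requires.  Worst case is 6 bytes: refuse rather than overrun. */
static void slc_add_reply_checked(slc_reply_t *r, const unsigned char t[3]) {
    r->needed += 3 + (t[0] == IAC) + (t[1] == IAC) + (t[2] == IAC);
    if (r->len + 6 > sizeof r->buf) { r->dropped++; return; }
    for (int i = 0; i < 3; i++) {
        if (t[i] == IAC) r->buf[r->len++] = IAC;
        r->buf[r->len++] = t[i];
    }
}

/* Parse IAC SB LINEMODE SLC <triplets> IAC SE as received from a server (an
   IAC IAC pair inside the data is one literal 0xff) and build the bounded reply.
   Returns the number of triplets seen, or -1 if malformed or unterminated. */
int slc_build_reply(const unsigned char *msg, size_t n, slc_reply_t *r) {
    unsigned char t[3]; int k = 0, triplets = 0;
    memset(r, 0, sizeof *r);
    if (n < 6 || msg[0] != IAC || msg[1] != SB || msg[2] != LINEMODE || msg[3] != SLC)
        return -1;
    for (size_t i = 4; i < n; i++) {
        unsigned char c = msg[i];
        if (c == IAC) {
            if (i + 1 >= n) return -1;
            if (msg[i + 1] == SE) return k == 0 ? triplets : -1;
            if (msg[i + 1] != IAC) return -1;
            i++;                                  /* escaped 0xff */
        }
        t[k++] = c;
        if (k == 3) { slc_add_reply_checked(r, t); k = 0; triplets++; }
    }
    return -1;                                    /* no IAC SE terminator */
}
/* Constructed sample input: a well-formed suboption carrying 'reps' copies of
   the triplet (0xff, 3, 3), each of which needs 4 reply bytes. */
size_t sample_slc_message(unsigned char *out, size_t cap, int reps) {
    size_t n = 0;
    if (reps < 0 || cap < 6 + (size_t)reps * 4) return 0;
    out[n++] = IAC; out[n++] = SB; out[n++] = LINEMODE; out[n++] = SLC;
    for (int i = 0; i < reps; i++) { out[n++] = IAC; out[n++] = IAC; out[n++] = 3; out[n++] = 3; }
    out[n++] = IAC; out[n++] = SE;
    return n;
}
```

    With 43 sample triplets the checked builder stops at 124 bytes and drops 12 triplets, whereas an unchecked builder would have written 172 bytes into the 128-byte buffer.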

    env_opt_add() Vulnerability:
    The vulnerability specifically exists in the env_opt_add() function of
    telnet.c. A buffer of a fixed size (256 bytes) is allocated to store the
    result of the processing this function performs on network input. If this
    buffer is not large enough to contain the string, the buffer is expanded
    by a further 256 bytes. This size is sufficient for most well formed
    input, as the buffer passed as input to the affected function is limited
    to the same size. However, due to the way the telnet protocol escapes
    certain characters, it is possible to increase the length of the output by
    including a large run of characters which need escaping. This can allow
    the 256 byte input buffer to expand to a maximum of 512 bytes in the
    allocated storage buffer. If, after expanding the buffer by 256 bytes, the
    buffer is still not large enough to contain the input, a heap based buffer
    overflow occurs, which is exploitable on at least some affected platforms.

    Vendor response:
    The following vendors have provided official responses related to this
    vulnerability. Other vendors may be affected but have not provided an
    official response.

    Vulnerable:
    - ALT Linux
    All supported ALT Linux distributions include a telnet client derived from
    OpenBSD 3.0. The env_opt_add() buffer overflow vulnerability is present in
    all our telnet clients. Updated packages with fixes for these issues will
    be released on March 28, 2005.
    http://lists.altlinux.ru/pipermail/security-announce/2005-March/000287.html

    - Apple Computer, Inc.
    Component: Telnet
    Available for: Mac OS X 10.3.8, Mac OS X Server 10.3.8
    This is fixed in Security Update 2005-003, which is available at
    http://docs.info.apple.com/article.html?artnum=61798

    - FreeBSD
    FreeBSD-SA-05:01.telnet security advisory:
    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:01.telnet.asc

    - MIT (Kerberos)
    This vulnerability is covered in the following upcoming advisory:
    MITKRB5-SA-2005-001:
    http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt
    patch against krb5-1.4:
    http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt

    - Openwall Project
    The bugs are fixed starting with telnet package version 3.0-owl2.
    http://www.openwall.com/Owl/CHANGES-current.shtml

    - Red Hat, Inc.
    Red Hat Enterprise Linux ships with telnet and krb5 packages vulnerable to
    this issue. New telnet and krb5 packages are now available along with our
    advisory at the URLs below and by using the Red Hat Network 'up2date'
    tool.
     Red Hat Enterprise Linux - telnet
    http://rhn.redhat.com/errata/RHSA-2005-330.html
     Red Hat Enterprise Linux - krb5
    http://rhn.redhat.com/errata/RHSA-2005-327.html

    - Sun Microsystems Inc.
    Sun confirms that the telnet(1) vulnerabilities do affect all currently
    supported versions of Solaris:
     Solaris 7, 8, 9 and 10
    Sun has released a Sun Alert which describes a workaround until patches
    are available at: http://sunsolve.sun.com (Sun Alert #57755)

    The Sun Alert will be updated with the patch information once it becomes
    available. Sun patches are available from:
    http://sunsolve.sun.com/securitypatch

    Not Vulnerable:
    - CyberSafe Limited
    The CyberSafe TrustBroker products, version 3.0 or later, are not
    vulnerable.

    - Hewlett-Packard Development Company, L.P.
    HP-UX and HP Tru64 UNIX are not vulnerable.

    - InterSoft International, Inc.
    InterSoft International, Inc. products NetTerm, SecureNetTerm and SNetTerm
    are not affected by the env_opt_add() buffer overflow conditions.

    Analysis for both vulnerabilities:
    In order to exploit this vulnerability, an attacker would need to convince
    the user to connect to their malicious server. It may be possible to
    automatically launch the telnet command from a webpage, for example:

    <html><body>
    <iframe src='telnet://malicious.server/'>
    </body>

    On opening this page the telnet client may be launched and attempt to
    connect to the host 'malicious.server'.

    CVE Information:
    CAN-2005-0468: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468
    CAN-2005-0469: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469

    ADDITIONAL INFORMATION

    The information has been provided by iDEFENSE (idlabs-advisories@idefense.com).
    The original articles can be found at:
    http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
    http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities


