Vulnerabilities > CVE-2005-0468 - Buffer Overflow vulnerability in Ncsa Telnet C

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
ncsa
nessus
exploit available

Summary

Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumes more memory than allocated.

Vulnerable Configurations

Part Description Count
Application
Ncsa
1

Exploit-Db

descriptionMultiple Vendor Telnet Client Env_opt_add Heap-Based Buffer Overflow Vulnerability. CVE-2005-0468. DoS exploit for the Linux platform
idEDB-ID:25303
last seen2016-02-03
modified2005-03-28
published2005-03-28
reporterGael Delalleau
sourcehttps://www.exploit-db.com/download/25303/
titleMultiple Vendor Telnet Client Env_opt_add Heap-Based Buffer Overflow Vulnerability

Nessus

  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2005-210-01.NASL
    descriptionNew tcpip packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix security issues with the telnet client. Overflows in the telnet client may lead to the execution of arbitrary code as the telnet user if the user connects to a malicious telnet server.
    last seen2020-06-01
    modified2020-06-02
    plugin id19857
    published2005-10-05
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/19857
    titleSlackware 10.0 / 10.1 / 8.1 / 9.0 / 9.1 / current : telnet client (SSA:2005-210-01)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Slackware Security Advisory 2005-210-01. The text
    # itself is copyright (C) Slackware Linux, Inc.
    #
    # Purpose: credentialed local check for SSA:2005-210-01, the Slackware
    # tcpip update that fixes the telnet client for CVE-2005-0468 (heap
    # overflow in env_opt_add) and CVE-2005-0469.  The script compares the
    # installed tcpip package against the fixed builds listed below; it does
    # not inspect the telnet binary, so a client built outside the package
    # manager would not be detected by this plugin.
    #
    
    include("compat.inc");
    
    # Registration branch: when `description` is set only plugin metadata is
    # recorded and the script exits, so none of the checks further down run.
    if (description)
    {
      script_id(19857);
      script_version("1.15");
      script_cvs_date("Date: 2019/10/25 13:36:20");
    
      # Both telnet-client CVEs are fixed by the same advisory.
      script_cve_id("CVE-2005-0468", "CVE-2005-0469");
      script_xref(name:"SSA", value:"2005-210-01");
    
      script_name(english:"Slackware 10.0 / 10.1 / 8.1 / 9.0 / 9.1 / current : telnet client (SSA:2005-210-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      # Advisory text is reproduced verbatim (including its wording) because
      # it is quoted from the vendor advisory.
      script_set_attribute(
        attribute:"description", 
        value:
    "New tcpip packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
    10.1, and -current to fix a security issues with the telnet client.
    Overflows in the telnet client may lead to the execution of arbitrary
    code as the telnet user if the user connects to a malicious telnet
    server."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.425797
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?c46ea4eb"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected tcpip package.");
      # CVSS2 7.5: network vector, low complexity, no auth, partial C/I/A.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:tcpip");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/05");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/03/28");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");
    
      # KB entries the check section below depends on; they are populated by
      # ssh_get_info.nasl and re-validated before any package is examined.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    # Bail out with a specific audit reason if local checks are disabled, the
    # host is not Slackware, or no package list was collected.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Only i386/i486 and x86_64 builds are listed below, so any other
    # architecture is reported as "not implemented" rather than "not affected".
    # (">!<" is NASL's "is not a substring of" operator.)
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    # One check per supported release.  `flag` counts matches; slackware_check
    # presumably reports a match when the installed tcpip package is older
    # than the fixed build given by pkgver/pkgnum -- verify in slackware.inc.
    flag = 0;
    if (slackware_check(osver:"8.1", pkgname:"tcpip", pkgver:"0.17", pkgarch:"i386", pkgnum:"13b")) flag++;
    
    if (slackware_check(osver:"9.0", pkgname:"tcpip", pkgver:"0.17", pkgarch:"i386", pkgnum:"16b")) flag++;
    
    if (slackware_check(osver:"9.1", pkgname:"tcpip", pkgver:"0.17", pkgarch:"i486", pkgnum:"24b")) flag++;
    
    if (slackware_check(osver:"10.0", pkgname:"tcpip", pkgver:"0.17", pkgarch:"i486", pkgnum:"29b")) flag++;
    
    if (slackware_check(osver:"10.1", pkgname:"tcpip", pkgver:"0.17", pkgarch:"i486", pkgnum:"31b")) flag++;
    
    if (slackware_check(osver:"current", pkgname:"tcpip", pkgver:"0.17", pkgarch:"i486", pkgnum:"33")) flag++;
    
    
    # Any match is reported as a hole on port 0 (a local, not network-service,
    # finding); report_verbosity decides whether the package evidence is attached.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2005-269.NASL
    descriptionUpdated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available. Kerberos is a networked authentication system which uses a trusted third-party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server.
    last seen2020-06-01
    modified2020-06-02
    plugin id18327
    published2005-05-19
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18327
    titleFedora Core 2 : krb5-1.3.6-4 (2005-269)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Fedora Security Advisory 2005-269.
    #
    # Purpose: credentialed local check for FEDORA-2005-269, the Fedora Core 2
    # krb5 update whose Kerberos-aware telnet client is affected by
    # CVE-2005-0468 and CVE-2005-0469.  Detection is by RPM version only:
    # each installed krb5-* package is compared against the 1.3.6-4 build.
    #
    
    include("compat.inc");
    
    # Registration branch: with `description` set, metadata is recorded and the
    # script exits before any of the checks below run.
    if (description)
    {
      script_id(18327);
      script_version ("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:24");
    
      script_cve_id("CVE-2005-0468", "CVE-2005-0469");
      script_xref(name:"FEDORA", value:"2005-269");
    
      script_name(english:"Fedora Core 2 : krb5-1.3.6-4 (2005-269)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated krb5 packages which fix two buffer overflow vulnerabilities in
    the included Kerberos-aware telnet client are now available.
    
    Kerberos is a networked authentication system which uses a trusted
    third-party (a KDC) to authenticate clients and servers to each other.
    
    The krb5-workstation package includes a Kerberos-aware telnet client.
    Two buffer overflow flaws were discovered in the way the telnet client
    handles messages from a server. An attacker may be able to execute
    arbitrary code on a victim's machine if the victim can be tricked into
    connecting to a malicious telnet server. The Common Vulnerabilities
    and Exposures project (cve.mitre.org) has assigned the names
    CVE-2005-0468 and CVE-2005-0469 to these issues.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/announce/2005-March/000813.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e8ee9d2e"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # CVSS2 7.5: network vector, low complexity, no auth, partial C/I/A.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-workstation");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/03/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/05/19");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      # KB entries the check section depends on; they are filled in by
      # ssh_get_info.nasl and re-validated below before any RPM is examined.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Fedora shares the Red Hat release/rpm-list KB keys; require a release
    # string that mentions Fedora, then extract the major release number.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    # The package references below are FC2-specific, so anything other than
    # release 2 is reported as a different OS rather than being checked.
    if (! ereg(pattern:"^2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 2.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 and x86_64 builds are known to this plugin; other architectures
    # are reported as "not implemented" rather than "not affected".
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    # `flag` counts krb5 sub-packages that rpm_check reports as vulnerable
    # (presumably: installed and older than the 1.3.6-4 reference -- see rpm.inc).
    flag = 0;
    if (rpm_check(release:"FC2", reference:"krb5-debuginfo-1.3.6-4")) flag++;
    if (rpm_check(release:"FC2", reference:"krb5-devel-1.3.6-4")) flag++;
    if (rpm_check(release:"FC2", reference:"krb5-libs-1.3.6-4")) flag++;
    if (rpm_check(release:"FC2", reference:"krb5-server-1.3.6-4")) flag++;
    if (rpm_check(release:"FC2", reference:"krb5-workstation-1.3.6-4")) flag++;
    
    
    # Report on port 0 (local finding); report_verbosity decides whether the
    # per-package evidence is attached to the result.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      # Distinguish "packages present but already fixed" from "none installed"
      # so the audit message does not overstate coverage.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-debuginfo / krb5-devel / krb5-libs / krb5-server / etc");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2005-274.NASL
    descriptionTwo buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server.
    last seen2020-06-01
    modified2020-06-02
    plugin id19642
    published2005-09-12
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/19642
    titleFedora Core 3 : telnet-0.17-32.FC3.2 (2005-274)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Fedora Security Advisory 2005-274.
    #
    # Purpose: credentialed local check for FEDORA-2005-274, the Fedora Core 3
    # telnet update for CVE-2005-0468 (heap overflow in env_opt_add) and
    # CVE-2005-0469.  Detection is by RPM version only: the telnet,
    # telnet-debuginfo and telnet-server packages are compared against
    # build 0.17-32.FC3.2.
    #
    
    include("compat.inc");
    
    # Registration branch: with `description` set, metadata is recorded and the
    # script exits before any of the checks below run.
    if (description)
    {
      script_id(19642);
      script_version ("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:24");
    
      script_cve_id("CVE-2005-0468", "CVE-2005-0469");
      script_xref(name:"FEDORA", value:"2005-274");
    
      script_name(english:"Fedora Core 3 : telnet-0.17-32.FC3.2 (2005-274)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two buffer overflow flaws were discovered in the way the telnet client
    handles messages from a server. An attacker may be able to execute
    arbitrary code on a victim's machine if the victim can be tricked into
    connecting to a malicious telnet server. The Common Vulnerabilities
    and Exposures project (cve.mitre.org) has assigned the names
    CVE-2005-0468 and CVE-2005-0469 to these issues.
    
    Red Hat would like to thank iDEFENSE for their responsible disclosure
    of this issue.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/announce/2005-March/000818.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?a6b97cae"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected telnet, telnet-debuginfo and / or telnet-server
    packages."
      );
      # CVSS2 7.5: network vector, low complexity, no auth, partial C/I/A.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:telnet");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:telnet-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:telnet-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/03/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/09/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      # KB entries the check section depends on; they are filled in by
      # ssh_get_info.nasl and re-validated below before any RPM is examined.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Fedora shares the Red Hat release/rpm-list KB keys; require a release
    # string that mentions Fedora, then extract the major release number.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    # The package references below are FC3-specific, so anything other than
    # release 3 is reported as a different OS rather than being checked.
    if (! ereg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 3.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 and x86_64 builds are known to this plugin; other architectures
    # are reported as "not implemented" rather than "not affected".
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    # `flag` counts telnet packages that rpm_check reports as vulnerable
    # (presumably: installed and older than the reference build -- see rpm.inc).
    flag = 0;
    if (rpm_check(release:"FC3", reference:"telnet-0.17-32.FC3.2")) flag++;
    if (rpm_check(release:"FC3", reference:"telnet-debuginfo-0.17-32.FC3.2")) flag++;
    if (rpm_check(release:"FC3", reference:"telnet-server-0.17-32.FC3.2")) flag++;
    
    
    # Report on port 0 (local finding); report_verbosity decides whether the
    # per-package evidence is attached to the result.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      # Distinguish "packages present but already fixed" from "none installed"
      # so the audit message does not overstate coverage.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "telnet / telnet-debuginfo / telnet-server");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2005-277.NASL
    descriptionTwo buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server.
    last seen2020-06-01
    modified2020-06-02
    plugin id18330
    published2005-05-19
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18330
    titleFedora Core 2 : telnet-0.17-28.FC2.1 (2005-277)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Fedora Security Advisory 2005-277.
    #
    # Purpose: credentialed local check for FEDORA-2005-277, the Fedora Core 2
    # telnet update for CVE-2005-0468 (heap overflow in env_opt_add) and
    # CVE-2005-0469.  Detection is by RPM version only: the telnet,
    # telnet-debuginfo and telnet-server packages are compared against
    # build 0.17-28.FC2.1.
    #
    
    include("compat.inc");
    
    # Registration branch: with `description` set, metadata is recorded and the
    # script exits before any of the checks below run.
    if (description)
    {
      script_id(18330);
      script_version ("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:24");
    
      script_cve_id("CVE-2005-0468", "CVE-2005-0469");
      script_xref(name:"FEDORA", value:"2005-277");
    
      script_name(english:"Fedora Core 2 : telnet-0.17-28.FC2.1 (2005-277)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two buffer overflow flaws were discovered in the way the telnet client
    handles messages from a server. An attacker may be able to execute
    arbitrary code on a victim's machine if the victim can be tricked into
    connecting to a malicious telnet server. The Common Vulnerabilities
    and Exposures project (cve.mitre.org) has assigned the names
    CVE-2005-0468 and CVE-2005-0469 to these issues.
    
    Red Hat would like to thank iDEFENSE for their responsible disclosure
    of this issue.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/announce/2005-March/000822.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5bb4e6b7"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected telnet, telnet-debuginfo and / or telnet-server
    packages."
      );
      # CVSS2 7.5: network vector, low complexity, no auth, partial C/I/A.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:telnet");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:telnet-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:telnet-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/03/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/05/19");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      # KB entries the check section depends on; they are filled in by
      # ssh_get_info.nasl and re-validated below before any RPM is examined.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Fedora shares the Red Hat release/rpm-list KB keys; require a release
    # string that mentions Fedora, then extract the major release number.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    # The package references below are FC2-specific, so anything other than
    # release 2 is reported as a different OS rather than being checked.
    if (! ereg(pattern:"^2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 2.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 and x86_64 builds are known to this plugin; other architectures
    # are reported as "not implemented" rather than "not affected".
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    # `flag` counts telnet packages that rpm_check reports as vulnerable
    # (presumably: installed and older than the reference build -- see rpm.inc).
    flag = 0;
    if (rpm_check(release:"FC2", reference:"telnet-0.17-28.FC2.1")) flag++;
    if (rpm_check(release:"FC2", reference:"telnet-debuginfo-0.17-28.FC2.1")) flag++;
    if (rpm_check(release:"FC2", reference:"telnet-server-0.17-28.FC2.1")) flag++;
    
    
    # Report on port 0 (local finding); report_verbosity decides whether the
    # per-package evidence is attached to the result.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      # Distinguish "packages present but already fixed" from "none installed"
      # so the audit message does not overstate coverage.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "telnet / telnet-debuginfo / telnet-server");
    }
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200504-04.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200504-04 (mit-krb5: Multiple buffer overflows in telnet client) A buffer overflow has been identified in the env_opt_add() function, where a response requiring excessive escaping can cause a heap-based buffer overflow. Another issue has been identified in the slc_add_reply() function, where a large number of SLC commands can overflow a fixed size buffer. Impact : Successful exploitation would require a vulnerable user to connect to an attacker-controlled telnet host, potentially executing arbitrary code with the permissions of the telnet user on the client. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id17978
    published2005-04-06
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/17978
    titleGLSA-200504-04 : mit-krb5: Multiple buffer overflows in telnet client
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200504-04.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    # Purpose: credentialed local check for GLSA 200504-04.  The Gentoo
    # mit-krb5 package ships the telnet client affected by CVE-2005-0468
    # (heap overflow in env_opt_add) and CVE-2005-0469 (slc_add_reply
    # overflow); the plugin flags app-crypt/mit-krb5 versions below 1.3.6-r2
    # in the portage database.  It is a version check only and does not
    # inspect the installed binary.
    #
    
    include("compat.inc");
    
    # Registration branch: with `description` set, metadata is recorded and the
    # script exits before any of the checks below run.
    if (description)
    {
      script_id(17978);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:42");
    
      script_cve_id("CVE-2005-0468", "CVE-2005-0469");
      script_xref(name:"GLSA", value:"200504-04");
    
      script_name(english:"GLSA-200504-04 : mit-krb5: Multiple buffer overflows in telnet client");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200504-04
    (mit-krb5: Multiple buffer overflows in telnet client)
    
        A buffer overflow has been identified in the env_opt_add()
        function, where a response requiring excessive escaping can cause a
        heap-based buffer overflow. Another issue has been identified in the
        slc_add_reply() function, where a large number of SLC commands can
        overflow a fixed size buffer.
      
    Impact :
    
        Successful exploitation would require a vulnerable user to connect
        to an attacker-controlled telnet host, potentially executing arbitrary
        code with the permissions of the telnet user on the client.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      # http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2005-001-telnet.txt
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?bf1e4bc6"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200504-04"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All mit-krb5 users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=app-crypt/mit-krb5-1.3.6-r2'"
      );
      # CVSS2 7.5: network vector, low complexity, no auth, partial C/I/A.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mit-krb5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/04/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/06");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/03/28");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      # KB entries the check section depends on; they are filled in by
      # ssh_get_info.nasl and re-validated below before any package is examined.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # Bail out with a specific audit reason if local checks are disabled, the
    # host is not Gentoo, or no qpkg package list was collected.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Single package check: versions below 1.3.6-r2 are vulnerable, 1.3.6-r2
    # and above are unaffected (the boundary matches the advisory's upgrade
    # target quoted in the solution text above).
    flag = 0;
    
    if (qpkg_check(package:"app-crypt/mit-krb5", unaffected:make_list("ge 1.3.6-r2"), vulnerable:make_list("lt 1.3.6-r2"))) flag++;
    
    # Report on port 0 (local finding); report_verbosity decides whether the
    # package evidence is attached to the result.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      # Distinguish "package present but already fixed" from "not installed"
      # so the audit message does not overstate coverage.
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mit-krb5");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2005-270.NASL
    descriptionUpdated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available. Kerberos is a networked authentication system which uses a trusted third-party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server.
    last seen2020-06-01
    modified2020-06-02
    plugin id62255
    published2012-09-24
    reporterThis script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/62255
    titleFedora Core 3 : krb5-1.3.6-5 (2005-270)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2005-270.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(62255);
      script_version("1.8");
      script_cvs_date("Date: 2019/08/02 13:32:24");
    
      script_cve_id("CVE-2005-0468", "CVE-2005-0469");
      script_xref(name:"FEDORA", value:"2005-270");
    
      script_name(english:"Fedora Core 3 : krb5-1.3.6-5 (2005-270)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated krb5 packages which fix two buffer overflow vulnerabilities in
    the included Kerberos-aware telnet client are now available.
    
    Kerberos is a networked authentication system which uses a trusted
    third-party (a KDC) to authenticate clients and servers to each other.
    
    The krb5-workstation package includes a Kerberos-aware telnet client.
    Two buffer overflow flaws were discovered in the way the telnet client
    handles messages from a server. An attacker may be able to execute
    arbitrary code on a victim's machine if the victim can be tricked into
    connecting to a malicious telnet server. The Common Vulnerabilities
    and Exposures project (cve.mitre.org) has assigned the names
    CVE-2005-0468 and CVE-2005-0469 to these issues.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/announce/2005-March/000814.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b879f067"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-workstation");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/03/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Local package checks must be enabled for this host, otherwise there is
    # nothing to inspect.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    # Restrict the check to Fedora; the release string comes from the KB.
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    
    # Extract the major release number and require Fedora Core 3, the only
    # release the fixed packages below apply to.
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 3.x", "Fedora " + os_ver);
    
    # The installed RPM inventory is required for the version comparison.
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 and x86_64 hosts are covered.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    # Fixed krb5 builds from the advisory; an installed package older than
    # its entry here counts as affected.
    fixed_pkgs = make_list(
      "krb5-debuginfo-1.3.6-5",
      "krb5-devel-1.3.6-5",
      "krb5-libs-1.3.6-5",
      "krb5-server-1.3.6-5",
      "krb5-workstation-1.3.6-5"
    );
    
    vuln_count = 0;
    foreach fixed_pkg (fixed_pkgs)
    {
      if (rpm_check(release:"FC3", reference:fixed_pkg)) vuln_count++;
    }
    
    if (!vuln_count)
    {
      # Nothing affected: distinguish "checked and fixed" from "not installed".
      checked = pkg_tests_get();
      if (checked) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-debuginfo / krb5-devel / krb5-libs / krb5-server / etc");
    }
    else
    {
      # At least one affected package: report, with package details when verbose.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200504-01.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200504-01 (telnet-bsd: Multiple buffer overflows) A buffer overflow has been identified in the env_opt_add() function of telnet-bsd, where a response requiring excessive escaping can cause a heap-based buffer overflow. Another issue has been identified in the slc_add_reply() function, where a large number of SLC commands can overflow a fixed size buffer. Impact : Successful exploitation would require a vulnerable user to connect to an attacker-controlled host using telnet, potentially executing arbitrary code with the permissions of the telnet user. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id17675
    published2005-04-02
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/17675
    titleGLSA-200504-01 : telnet-bsd: Multiple buffer overflows
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-224-1.NASL
    descriptionGael Delalleau discovered a buffer overflow in the env_opt_add() function of the Kerberos 4 and 5 telnet clients. By sending specially crafted replies, a malicious telnet server could exploit this to execute arbitrary code with the privileges of the user running the telnet client. (CVE-2005-0468) Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in the telnet clients of Kerberos 4 and 5. By sending a specially constructed reply containing a large number of SLC (Set Local Character) commands, a remote attacker (i. e. a malicious telnet server) could execute arbitrary commands with the privileges of the user running the telnet client. (CVE-2005-0469) Daniel Wachdorf discovered two remote vulnerabilities in the Key Distribution Center of Kerberos 5 (krb5-kdc). By sending certain TCP connection requests, a remote attacker could trigger a double-freeing of memory, which led to memory corruption and a crash of the KDC server. (CVE-2005-1174). Under rare circumstances the same type of TCP connection requests could also trigger a buffer overflow that could be exploited to run arbitrary code with the privileges of the KDC server. (CVE-2005-1175) Magnus Hagander discovered that the krb5_recvauth() function attempted to free previously freed memory in some situations. A remote attacker could possibly exploit this to run arbitrary code with the privileges of the program that called this function. Most importantly, this affects the following daemons: kpropd (from the krb5-kdc package), klogind, and kshd (both from the krb5-rsh-server package). (CVE-2005-1689) Please note that these packages are not officially supported by Ubuntu (they are in the
    last seen2020-06-01
    modified2020-06-02
    plugin id20767
    published2006-01-21
    reporterUbuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20767
    titleUbuntu 4.10 / 5.04 : krb4, krb5 vulnerabilities (USN-224-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-731.NASL
    descriptionSeveral problems have been discovered in telnet clients that could be exploited by malicious daemons the client connects to. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-0468 Gael Delalleau discovered a buffer overflow in the env_opt_add() function that allows a remote attacker to execute arbitrary code. - CAN-2005-0469 Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. This can lead to the execution of arbitrary code when connected to a malicious server.
    last seen2020-06-01
    modified2020-06-02
    plugin id18518
    published2005-06-17
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18518
    titleDebian DSA-731-1 : krb4 - buffer overflows
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-327.NASL
    descriptionUpdated telnet packages that fix two buffer overflow vulnerabilities are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The telnet package provides a command line telnet client. The telnet-server package includes a telnet daemon, telnetd, that supports remote login to the host machine. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim
    last seen2020-06-01
    modified2020-06-02
    plugin id17645
    published2005-03-29
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/17645
    titleRHEL 2.1 / 3 / 4 : telnet (RHSA-2005:327)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-330.NASL
    descriptionUpdated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim
    last seen2020-06-01
    modified2020-06-02
    plugin id17659
    published2005-03-30
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/17659
    titleRHEL 2.1 / 3 / 4 : krb5 (RHSA-2005:330)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2005-330.NASL
    descriptionUpdated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim
    last seen2020-06-01
    modified2020-06-02
    plugin id21803
    published2006-07-03
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21803
    titleCentOS 3 : krb5 (CESA-2005:330)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2005-061.NASL
    descriptionTwo buffer overflow issues were discovered in the way telnet clients handle messages from a server. Because of these issues, an attacker may be able to execute arbitrary code on the victim
    last seen2020-06-01
    modified2020-06-02
    plugin id17658
    published2005-03-30
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/17658
    titleMandrake Linux Security Advisory : krb5 (MDKSA-2005:061)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200504-28.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200504-28 (Heimdal: Buffer overflow vulnerabilities) Buffer overflow vulnerabilities in the slc_add_reply() and env_opt_add() functions have been discovered by Gael Delalleau in the telnet client in Heimdal. Impact : Successful exploitation would require a vulnerable user to connect to an attacker-controlled host using the telnet client, potentially executing arbitrary code with the permissions of the user running the application. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id18159
    published2005-04-29
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18159
    titleGLSA-200504-28 : Heimdal: Buffer overflow vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-703.NASL
    descriptionSeveral problems have been discovered in telnet clients that could be exploited by malicious daemons the client connects to. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-0468 Gael Delalleau discovered a buffer overflow in the env_opt_add() function that allows a remote attacker to execute arbitrary code. - CAN-2005-0469 Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. This can lead to the execution of arbitrary code when connected to a malicious server.
    last seen2020-06-01
    modified2020-06-02
    plugin id17674
    published2005-04-02
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/17674
    titleDebian DSA-703-1 : krb5 - buffer overflows

Oval

accepted2013-04-29T04:20:57.484-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionHeap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumes more memory than allocated.
familyunix
idoval:org.mitre.oval:def:9640
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleHeap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumes more memory than allocated.
version27

Redhat

advisories
  • rhsa
    idRHSA-2005:327
  • rhsa
    idRHSA-2005:330
rpms
  • telnet-1:0.17-26.EL3.2
  • telnet-1:0.17-31.EL4.2
  • telnet-debuginfo-1:0.17-26.EL3.2
  • telnet-debuginfo-1:0.17-31.EL4.2
  • telnet-server-1:0.17-26.EL3.2
  • telnet-server-1:0.17-31.EL4.2
  • krb5-debuginfo-0:1.2.7-42
  • krb5-debuginfo-0:1.3.4-12
  • krb5-devel-0:1.2.7-42
  • krb5-devel-0:1.3.4-12
  • krb5-libs-0:1.2.7-42
  • krb5-libs-0:1.3.4-12
  • krb5-server-0:1.2.7-42
  • krb5-server-0:1.3.4-12
  • krb5-workstation-0:1.2.7-42
  • krb5-workstation-0:1.3.4-12

Statements

contributorMark J Cox
lastmodified2007-03-14
organizationRed Hat
statementRed Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.