Vulnerabilities > CVE-2005-0468 - Buffer Overflow vulnerability in Ncsa Telnet C
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumes more memory than allocated.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Exploit-Db
description | Multiple Vendor Telnet Client Env_opt_add Heap-Based Buffer Overflow Vulnerability. CVE-2005-0468. Dos exploit for linux platform |
id | EDB-ID:25303 |
last seen | 2016-02-03 |
modified | 2005-03-28 |
published | 2005-03-28 |
reporter | Gael Delalleau |
source | https://www.exploit-db.com/download/25303/ |
title | Multiple Vendor Telnet Client Env_opt_add Heap-Based Buffer Overflow Vulnerability |
Nessus
NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2005-210-01.NASL description New tcpip packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issues with the telnet client. Overflows in the telnet client may lead to the execution of arbitrary code as the telnet user if the user connects to a malicious telnet server. last seen 2020-06-01 modified 2020-06-02 plugin id 19857 published 2005-10-05 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19857 title Slackware 10.0 / 10.1 / 8.1 / 9.0 / 9.1 / current : telnet client (SSA:2005-210-01) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Slackware Security Advisory 2005-210-01. The text
# itself is copyright (C) Slackware Linux, Inc.
#
# Credentialed local check for CVE-2005-0468 / CVE-2005-0469 on Slackware.
# The plugin never talks to a telnet service: it compares the installed
# "tcpip" package build (inventory gathered over SSH by ssh_get_info.nasl)
# against the fixed build for each supported release.  Detection is purely
# version-based; nothing here inspects the telnet binary itself.

include("compat.inc");

if (description)
{
  # Registration phase: metadata only, no host interaction.
  script_id(19857);
  script_version("1.15");
  script_cvs_date("Date: 2019/10/25 13:36:20");

  # Both telnet-client overflows fixed by SSA:2005-210-01.
  script_cve_id("CVE-2005-0468", "CVE-2005-0469");
  script_xref(name:"SSA", value:"2005-210-01");

  script_name(english:"Slackware 10.0 / 10.1 / 8.1 / 9.0 / 9.1 / current : telnet client (SSA:2005-210-01)");
  script_summary(english:"Checks for updated package in /var/log/packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Slackware host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"New tcpip packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issues with the telnet client. Overflows in the telnet client may lead to the execution of arbitrary code as the telnet user if the user connects to a malicious telnet server."
  );
  # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.425797
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?c46ea4eb"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected tcpip package.");
  # CVSSv2: network vector, low complexity, no auth, partial C/I/A --
  # the same scoring shown in the vulnerability header of this page.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:tcpip");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/07/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/05");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/03/28");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Slackware Local Security Checks");

  # The package inventory comes from ssh_get_info.nasl; the plugin is only
  # scheduled when all three KB keys below exist.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("slackware.inc");

# Preconditions: local checks enabled, OS identified as Slackware, and the
# package list collected.  Each audit() call ends the plugin with a
# non-finding status.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);

# The package table below only covers i386..i686 and x86_64 builds; any
# other architecture is reported as "not implemented" rather than as clean.
# (">!<" is NASL's "is not a substring of".)
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);

# One check per supported release; flag counts how many installed tcpip
# packages are older than the fixed build number (pkgnum) for that release.
flag = 0;
if (slackware_check(osver:"8.1", pkgname:"tcpip", pkgver:"0.17", pkgarch:"i386", pkgnum:"13b")) flag++;
if (slackware_check(osver:"9.0", pkgname:"tcpip", pkgver:"0.17", pkgarch:"i386", pkgnum:"16b")) flag++;
if (slackware_check(osver:"9.1", pkgname:"tcpip", pkgver:"0.17", pkgarch:"i486", pkgnum:"24b")) flag++;
if (slackware_check(osver:"10.0", pkgname:"tcpip", pkgver:"0.17", pkgarch:"i486", pkgnum:"29b")) flag++;
if (slackware_check(osver:"10.1", pkgname:"tcpip", pkgver:"0.17", pkgarch:"i486", pkgnum:"31b")) flag++;
if (slackware_check(osver:"current", pkgname:"tcpip", pkgver:"0.17", pkgarch:"i486", pkgnum:"33")) flag++;

if (flag)
{
  # Vulnerable build present: raise a hole, attaching the per-package
  # comparison when the scan is verbose.
  if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family Fedora Local Security Checks NASL id FEDORA_2005-269.NASL description Updated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available. Kerberos is a networked authentication system which uses a trusted third-party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim last seen 2020-06-01 modified 2020-06-02 plugin id 18327 published 2005-05-19 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18327 title Fedora Core 2 : krb5-1.3.6-4 (2005-269) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2005-269.
#
# Credentialed local check for CVE-2005-0468 / CVE-2005-0469 on Fedora Core 2.
# The vulnerable code lives in the Kerberos-aware telnet client shipped in
# krb5-workstation, so the check is against the krb5 RPM set, not the
# stand-alone "telnet" package.  Detection is version-based only: installed
# RPM versions are compared with the fixed NVR (krb5-*-1.3.6-4).

include("compat.inc");

if (description)
{
  # Registration phase: metadata only, no host interaction.
  script_id(18327);
  script_version ("1.15");
  script_cvs_date("Date: 2019/08/02 13:32:24");

  # Both telnet-client overflows fixed by FEDORA-2005-269.
  script_cve_id("CVE-2005-0468", "CVE-2005-0469");
  script_xref(name:"FEDORA", value:"2005-269");

  script_name(english:"Fedora Core 2 : krb5-1.3.6-4 (2005-269)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora Core host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available. Kerberos is a networked authentication system which uses a trusted third-party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  # https://lists.fedoraproject.org/pipermail/announce/2005-March/000813.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?e8ee9d2e"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  # CVSSv2: network vector, low complexity, no auth, partial C/I/A.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-workstation");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:2");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/03/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/05/19");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  # RPM inventory comes from ssh_get_info.nasl; the plugin only runs when
  # all three KB keys exist.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Preconditions; each audit() call ends the plugin with a non-finding status.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Fedora shares the RedHat KB namespace, so the release string must be
# checked explicitly for "Fedora" (">!<" is "is not a substring of").
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");

# Pull the major version out of the release string and require exactly
# Fedora Core 2: the anchored pattern rejects "20", "21", ... as well.
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 2.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86 / x86_64 builds are covered by the references below.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# flag counts installed krb5 sub-packages older than the fixed NVR.
flag = 0;
if (rpm_check(release:"FC2", reference:"krb5-debuginfo-1.3.6-4")) flag++;
if (rpm_check(release:"FC2", reference:"krb5-devel-1.3.6-4")) flag++;
if (rpm_check(release:"FC2", reference:"krb5-libs-1.3.6-4")) flag++;
if (rpm_check(release:"FC2", reference:"krb5-server-1.3.6-4")) flag++;
if (rpm_check(release:"FC2", reference:"krb5-workstation-1.3.6-4")) flag++;

if (flag)
{
  # Vulnerable RPM present: raise a hole, with the version comparison
  # attached when the scan is verbose.
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  # Distinguish "checked and patched" from "none of the packages installed"
  # so the scan record stays honest about what was actually examined.
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-debuginfo / krb5-devel / krb5-libs / krb5-server / etc");
}
NASL family Fedora Local Security Checks NASL id FEDORA_2005-274.NASL description Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim last seen 2020-06-01 modified 2020-06-02 plugin id 19642 published 2005-09-12 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19642 title Fedora Core 3 : telnet-0.17-32.FC3.2 (2005-274) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2005-274.
#
# Credentialed local check for CVE-2005-0468 / CVE-2005-0469 on Fedora Core 3,
# covering the stand-alone "telnet" RPMs (the Kerberos-aware client in krb5
# is handled by a separate plugin).  Detection is version-based only:
# installed RPMs are compared with the fixed NVR telnet-*-0.17-32.FC3.2.

include("compat.inc");

if (description)
{
  # Registration phase: metadata only, no host interaction.
  script_id(19642);
  script_version ("1.14");
  script_cvs_date("Date: 2019/08/02 13:32:24");

  # Both telnet-client overflows fixed by FEDORA-2005-274.
  script_cve_id("CVE-2005-0468", "CVE-2005-0469");
  script_xref(name:"FEDORA", value:"2005-274");

  script_name(english:"Fedora Core 3 : telnet-0.17-32.FC3.2 (2005-274)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora Core host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues. Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  # https://lists.fedoraproject.org/pipermail/announce/2005-March/000818.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?a6b97cae"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Update the affected telnet, telnet-debuginfo and / or telnet-server packages."
  );
  # CVSSv2: network vector, low complexity, no auth, partial C/I/A.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:telnet");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:telnet-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:telnet-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:3");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/03/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/09/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  # RPM inventory comes from ssh_get_info.nasl; the plugin only runs when
  # all three KB keys exist.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Preconditions; each audit() call ends the plugin with a non-finding status.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Fedora shares the RedHat KB namespace, so the release string must be
# checked explicitly for "Fedora" (">!<" is "is not a substring of").
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");

# Extract the major version and require exactly Fedora Core 3; the anchored
# pattern rejects "30", "31", ... as well.
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 3.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86 / x86_64 builds are covered by the references below.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# flag counts installed telnet RPMs older than the fixed NVR.  telnet-server
# is included because it is built from the same source package.
flag = 0;
if (rpm_check(release:"FC3", reference:"telnet-0.17-32.FC3.2")) flag++;
if (rpm_check(release:"FC3", reference:"telnet-debuginfo-0.17-32.FC3.2")) flag++;
if (rpm_check(release:"FC3", reference:"telnet-server-0.17-32.FC3.2")) flag++;

if (flag)
{
  # Vulnerable RPM present: raise a hole, with the version comparison
  # attached when the scan is verbose.
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  # Distinguish "checked and patched" from "none of the packages installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "telnet / telnet-debuginfo / telnet-server");
}
NASL family Fedora Local Security Checks NASL id FEDORA_2005-277.NASL description Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim last seen 2020-06-01 modified 2020-06-02 plugin id 18330 published 2005-05-19 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18330 title Fedora Core 2 : telnet-0.17-28.FC2.1 (2005-277) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2005-277.
#
# Credentialed local check for CVE-2005-0468 / CVE-2005-0469 on Fedora Core 2,
# covering the stand-alone "telnet" RPMs (the Kerberos-aware client in krb5
# is handled by a separate plugin).  Detection is version-based only:
# installed RPMs are compared with the fixed NVR telnet-*-0.17-28.FC2.1.

include("compat.inc");

if (description)
{
  # Registration phase: metadata only, no host interaction.
  script_id(18330);
  script_version ("1.14");
  script_cvs_date("Date: 2019/08/02 13:32:24");

  # Both telnet-client overflows fixed by FEDORA-2005-277.
  script_cve_id("CVE-2005-0468", "CVE-2005-0469");
  script_xref(name:"FEDORA", value:"2005-277");

  script_name(english:"Fedora Core 2 : telnet-0.17-28.FC2.1 (2005-277)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora Core host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues. Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  # https://lists.fedoraproject.org/pipermail/announce/2005-March/000822.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?5bb4e6b7"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Update the affected telnet, telnet-debuginfo and / or telnet-server packages."
  );
  # CVSSv2: network vector, low complexity, no auth, partial C/I/A.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:telnet");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:telnet-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:telnet-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:2");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/03/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/05/19");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  # RPM inventory comes from ssh_get_info.nasl; the plugin only runs when
  # all three KB keys exist.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Preconditions; each audit() call ends the plugin with a non-finding status.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Fedora shares the RedHat KB namespace, so the release string must be
# checked explicitly for "Fedora" (">!<" is "is not a substring of").
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");

# Extract the major version and require exactly Fedora Core 2; the anchored
# pattern rejects "20", "21", ... as well.
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 2.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86 / x86_64 builds are covered by the references below.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# flag counts installed telnet RPMs older than the fixed NVR.  telnet-server
# is included because it is built from the same source package.
flag = 0;
if (rpm_check(release:"FC2", reference:"telnet-0.17-28.FC2.1")) flag++;
if (rpm_check(release:"FC2", reference:"telnet-debuginfo-0.17-28.FC2.1")) flag++;
if (rpm_check(release:"FC2", reference:"telnet-server-0.17-28.FC2.1")) flag++;

if (flag)
{
  # Vulnerable RPM present: raise a hole, with the version comparison
  # attached when the scan is verbose.
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  # Distinguish "checked and patched" from "none of the packages installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "telnet / telnet-debuginfo / telnet-server");
}
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200504-04.NASL description The remote host is affected by the vulnerability described in GLSA-200504-04 (mit-krb5: Multiple buffer overflows in telnet client) A buffer overflow has been identified in the env_opt_add() function, where a response requiring excessive escaping can cause a heap-based buffer overflow. Another issue has been identified in the slc_add_reply() function, where a large number of SLC commands can overflow a fixed size buffer. Impact : Successful exploitation would require a vulnerable user to connect to an attacker-controlled telnet host, potentially executing arbitrary code with the permissions of the telnet user on the client. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 17978 published 2005-04-06 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17978 title GLSA-200504-04 : mit-krb5: Multiple buffer overflows in telnet client code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200504-04.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#
# Credentialed local check for CVE-2005-0468 / CVE-2005-0469 on Gentoo.
# The vulnerable telnet client is part of app-crypt/mit-krb5, so the check
# is a single version comparison of that package against 1.3.6-r2 using the
# installed-package list from /var/db/pkg.  Unlike the Fedora and Slackware
# plugins there is no architecture filter: the version bound applies to
# every arch.

include("compat.inc");

if (description)
{
  # Registration phase: metadata only, no host interaction.
  script_id(17978);
  script_version("1.18");
  script_cvs_date("Date: 2019/08/02 13:32:42");

  # Both telnet-client overflows fixed by GLSA 200504-04.
  script_cve_id("CVE-2005-0468", "CVE-2005-0469");
  script_xref(name:"GLSA", value:"200504-04");

  script_name(english:"GLSA-200504-04 : mit-krb5: Multiple buffer overflows in telnet client");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200504-04 (mit-krb5: Multiple buffer overflows in telnet client) A buffer overflow has been identified in the env_opt_add() function, where a response requiring excessive escaping can cause a heap-based buffer overflow. Another issue has been identified in the slc_add_reply() function, where a large number of SLC commands can overflow a fixed size buffer. Impact : Successful exploitation would require a vulnerable user to connect to an attacker-controlled telnet host, potentially executing arbitrary code with the permissions of the telnet user on the client. Workaround : There is no known workaround at this time."
  );
  # http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2005-001-telnet.txt
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?bf1e4bc6"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200504-04"
  );
  # The "#" characters below are part of the advisory's shell transcript,
  # not NASL comments: the whole value is one string literal.
  script_set_attribute(
    attribute:"solution",
    value:
"All mit-krb5 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=app-crypt/mit-krb5-1.3.6-r2'"
  );
  # CVSSv2: network vector, low complexity, no auth, partial C/I/A.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mit-krb5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/04/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/06");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/03/28");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  # Package list comes from ssh_get_info.nasl; the plugin only runs when all
  # three KB keys exist.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

# Preconditions; each audit() call ends the plugin with a non-finding status.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Single package check: anything below 1.3.6-r2 is vulnerable, 1.3.6-r2 and
# later is unaffected.  The two lists are complementary, so every installed
# version lands on one side or the other.
flag = 0;
if (qpkg_check(package:"app-crypt/mit-krb5", unaffected:make_list("ge 1.3.6-r2"), vulnerable:make_list("lt 1.3.6-r2"))) flag++;

if (flag)
{
  # Vulnerable version present: raise a hole, with the version comparison
  # attached when the scan is verbose.
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  # Distinguish "checked and patched" from "mit-krb5 not installed".
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mit-krb5");
}
NASL family Fedora Local Security Checks NASL id FEDORA_2005-270.NASL description Updated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available. Kerberos is a networked authentication system which uses a trusted third-party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim last seen 2020-06-01 modified 2020-06-02 plugin id 62255 published 2012-09-24 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/62255 title Fedora Core 3 : krb5-1.3.6-5 (2005-270) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2005-270.
#
# Credentialed local check for CVE-2005-0468 / CVE-2005-0469 on Fedora Core 3.
# The vulnerable code lives in the Kerberos-aware telnet client shipped in
# krb5-workstation, so the check is against the krb5 RPM set, not the
# stand-alone "telnet" package.  Detection is version-based only: installed
# RPM versions are compared with the fixed NVR (krb5-*-1.3.6-5).  Note the
# plugin itself was published in 2012, seven years after the advisory.

include("compat.inc");

if (description)
{
  # Registration phase: metadata only, no host interaction.
  script_id(62255);
  script_version("1.8");
  script_cvs_date("Date: 2019/08/02 13:32:24");

  # Both telnet-client overflows fixed by FEDORA-2005-270.
  script_cve_id("CVE-2005-0468", "CVE-2005-0469");
  script_xref(name:"FEDORA", value:"2005-270");

  script_name(english:"Fedora Core 3 : krb5-1.3.6-5 (2005-270)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora Core host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available. Kerberos is a networked authentication system which uses a trusted third-party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  # https://lists.fedoraproject.org/pipermail/announce/2005-March/000814.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?b879f067"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  # CVSSv2: network vector, low complexity, no auth, partial C/I/A.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-workstation");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:3");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/03/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  # RPM inventory comes from ssh_get_info.nasl; the plugin only runs when
  # all three KB keys exist.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Preconditions; each audit() call ends the plugin with a non-finding status.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Fedora shares the RedHat KB namespace, so the release string must be
# checked explicitly for "Fedora" (">!<" is "is not a substring of").
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");

# Extract the major version and require exactly Fedora Core 3; the anchored
# pattern rejects "30", "31", ... as well.
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 3.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86 / x86_64 builds are covered by the references below.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# flag counts installed krb5 sub-packages older than the fixed NVR.
flag = 0;
if (rpm_check(release:"FC3", reference:"krb5-debuginfo-1.3.6-5")) flag++;
if (rpm_check(release:"FC3", reference:"krb5-devel-1.3.6-5")) flag++;
if (rpm_check(release:"FC3", reference:"krb5-libs-1.3.6-5")) flag++;
if (rpm_check(release:"FC3", reference:"krb5-server-1.3.6-5")) flag++;
if (rpm_check(release:"FC3", reference:"krb5-workstation-1.3.6-5")) flag++;

if (flag)
{
  # Vulnerable RPM present: raise a hole, with the version comparison
  # attached when the scan is verbose.
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  # Distinguish "checked and patched" from "none of the packages installed"
  # so the scan record stays honest about what was actually examined.
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-debuginfo / krb5-devel / krb5-libs / krb5-server / etc");
}
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200504-01.NASL description The remote host is affected by the vulnerability described in GLSA-200504-01 (telnet-bsd: Multiple buffer overflows) A buffer overflow has been identified in the env_opt_add() function of telnet-bsd, where a response requiring excessive escaping can cause a heap-based buffer overflow. Another issue has been identified in the slc_add_reply() function, where a large number of SLC commands can overflow a fixed size buffer. Impact : Successful exploitation would require a vulnerable user to connect to an attacker-controlled host using telnet, potentially executing arbitrary code with the permissions of the telnet user. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 17675 published 2005-04-02 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17675 title GLSA-200504-01 : telnet-bsd: Multiple buffer overflows NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-224-1.NASL description Gael Delalleau discovered a buffer overflow in the env_opt_add() function of the Kerberos 4 and 5 telnet clients. By sending specially crafted replies, a malicious telnet server could exploit this to execute arbitrary code with the privileges of the user running the telnet client. (CVE-2005-0468) Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in the telnet clients of Kerberos 4 and 5. By sending a specially constructed reply containing a large number of SLC (Set Local Character) commands, a remote attacker (i. e. a malicious telnet server) could execute arbitrary commands with the privileges of the user running the telnet client. (CVE-2005-0469) Daniel Wachdorf discovered two remote vulnerabilities in the Key Distribution Center of Kerberos 5 (krb5-kdc). 
By sending certain TCP connection requests, a remote attacker could trigger a double-freeing of memory, which led to memory corruption and a crash of the KDC server. (CVE-2005-1174). Under rare circumstances the same type of TCP connection requests could also trigger a buffer overflow that could be exploited to run arbitrary code with the privileges of the KDC server. (CVE-2005-1175) Magnus Hagander discovered that the krb5_recvauth() function attempted to free previously freed memory in some situations. A remote attacker could possibly exploit this to run arbitrary code with the privileges of the program that called this function. Most importantly, this affects the following daemons: kpropd (from the krb5-kdc package), klogind, and kshd (both from the krb5-rsh-server package). (CVE-2005-1689) Please note that these packages are not officially supported by Ubuntu (they are in the last seen 2020-06-01 modified 2020-06-02 plugin id 20767 published 2006-01-21 reporter Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20767 title Ubuntu 4.10 / 5.04 : krb4, krb5 vulnerabilities (USN-224-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-731.NASL description Several problems have been discovered in telnet clients that could be exploited by malicious daemons the client connects to. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-0468 Gael Delalleau discovered a buffer overflow in the env_opt_add() function that allows a remote attacker to execute arbitrary code. - CAN-2005-0469 Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. This can lead to the execution of arbitrary code when connected to a malicious server. 
last seen 2020-06-01 modified 2020-06-02 plugin id 18518 published 2005-06-17 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18518 title Debian DSA-731-1 : krb4 - buffer overflows NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2005-327.NASL description Updated telnet packages that fix two buffer overflow vulnerabilities are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The telnet package provides a command line telnet client. The telnet-server package includes a telnet daemon, telnetd, that supports remote login to the host machine. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim last seen 2020-06-01 modified 2020-06-02 plugin id 17645 published 2005-03-29 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/17645 title RHEL 2.1 / 3 / 4 : telnet (RHSA-2005:327) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2005-330.NASL description Updated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim last seen 2020-06-01 modified 2020-06-02 plugin id 17659 published 2005-03-30 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/17659 title RHEL 2.1 / 3 / 4 : krb5 (RHSA-2005:330) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2005-330.NASL description Updated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim last seen 2020-06-01 modified 2020-06-02 plugin id 21803 published 2006-07-03 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21803 title CentOS 3 : krb5 (CESA-2005:330) NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2005-061.NASL description Two buffer overflow issues were discovered in the way telnet clients handle messages from a server. Because of these issues, an attacker may be able to execute arbitrary code on the victim last seen 2020-06-01 modified 2020-06-02 plugin id 17658 published 2005-03-30 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/17658 title Mandrake Linux Security Advisory : krb5 (MDKSA-2005:061) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200504-28.NASL description The remote host is affected by the vulnerability described in GLSA-200504-28 (Heimdal: Buffer overflow vulnerabilities) Buffer overflow vulnerabilities in the slc_add_reply() and env_opt_add() functions have been discovered by Gael Delalleau in the telnet client in Heimdal. Impact : Successful exploitation would require a vulnerable user to connect to an attacker-controlled host using the telnet client, potentially executing arbitrary code with the permissions of the user running the application. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 18159 published 2005-04-29 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18159 title GLSA-200504-28 : Heimdal: Buffer overflow vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-703.NASL description Several problems have been discovered in telnet clients that could be exploited by malicious daemons the client connects to. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-0468 Gael Delalleau discovered a buffer overflow in the env_opt_add() function that allows a remote attacker to execute arbitrary code. - CAN-2005-0469 Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. This can lead to the execution of arbitrary code when connected to a malicious server. last seen 2020-06-01 modified 2020-06-02 plugin id 17674 published 2005-04-02 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17674 title Debian DSA-703-1 : krb5 - buffer overflows
Oval
accepted | 2013-04-29T04:20:57.484-04:00 | ||||||||||||||||||||
class | vulnerability | ||||||||||||||||||||
contributors |
| ||||||||||||||||||||
definition_extensions |
| ||||||||||||||||||||
description | Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumes more memory than allocated. | ||||||||||||||||||||
family | unix | ||||||||||||||||||||
id | oval:org.mitre.oval:def:9640 | ||||||||||||||||||||
status | accepted | ||||||||||||||||||||
submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||
title | Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumes more memory than allocated. | ||||||||||||||||||||
version | 27 |
Redhat
advisories |
| ||||||||
rpms |
|
Statements
contributor | Mark J Cox |
lastmodified | 2007-03-14 |
organization | Red Hat |
statement | Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. |
References
- ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:01.telnet.asc
- ftp://patches.sgi.com/support/free/security/advisories/20050405-01-P
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000962
- http://secunia.com/advisories/14745
- http://secunia.com/advisories/17899
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-101665-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-101671-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-57755-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-57761-1
- http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt
- http://www.debian.de/security/2005/dsa-731
- http://www.debian.org/security/2005/dsa-703
- http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
- http://www.kb.cert.org/vuls/id/341908
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:061
- http://www.redhat.com/support/errata/RHSA-2005-327.html
- http://www.redhat.com/support/errata/RHSA-2005-330.html
- http://www.securityfocus.com/bid/12919
- http://www.ubuntulinux.org/usn/usn-224-1
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9640