'Serious' security holes in Kerberos Telnet client


Attackers could exploit two "serious" security holes in the Telnet program supplied with MIT Kerberos 5 to cause a buffer overflow and launch malicious code, the Massachusetts Institute of Technology's (MIT) Kerberos Team warned in an advisory.


The Telnet protocol allows virtual network terminals to be connected over the Internet and is incorporated into a variety of popular operating systems, from Sun Solaris and Red Hat Enterprise Linux to Apple's Mac OS X.

According to the Kerberos Team, "An attacker controlling or impersonating a Telnet server may execute arbitrary code with the privileges of the user running the Telnet client." The advisory lists fixes that are available.

The first problem is that the slc_add_reply() function in Telnet.c performs inadequate length checking. "By sending a carefully crafted telnet LINEMODE sub option string, a malicious Telnet server may cause a Telnet client to overflow a fixed-size data segment or BSS buffer and execute arbitrary code," the advisory said.


The second problem is that the env_opt_add() function in Telnet.c also performs inadequate length checking. "By sending a carefully crafted telnet NEW-ENVIRON sub option string, a malicious Telnet server may cause a Telnet client to overflow a heap buffer and execute arbitrary code," the advisory said.
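The defect class behind both problems, as an added C illustration that is not the Kerberos project's code and not the actual slc_add_reply() or env_opt_add() implementation: a fixed-size reply buffer that accumulates SLC triples from a server-supplied LINEMODE suboption, shown first without a length check and then with the check that closes the hole. The buffer size, function names and sample bytes are constructed for this example.

```c
#include <stddef.h>

#define SLC_REPLY_MAX 16   /* constructed size; the real buffer is larger */

/* Fixed-size zero-initialised (BSS) buffer holding the client's LINEMODE
 * SLC reply while a server suboption is parsed, plus the bytes used so far. */
static unsigned char slc_reply[SLC_REPLY_MAX];
static size_t slc_reply_len;

/* Defect pattern: appends an SLC triple (function, flags, value) with no
 * check on the room left; the server decides how many triples arrive. */
void slc_add_reply_unchecked(unsigned char fn, unsigned char flags, unsigned char val)
{
    slc_reply[slc_reply_len++] = fn;
    slc_reply[slc_reply_len++] = flags;
    slc_reply[slc_reply_len++] = val;
}

/* Hardened form: store the triple only if three bytes remain (1), else drop it (0). */
int slc_add_reply_checked(unsigned char fn, unsigned char flags, unsigned char val)
{
    if (slc_reply_len + 3 > SLC_REPLY_MAX)
        return 0;
    slc_reply[slc_reply_len++] = fn;
    slc_reply[slc_reply_len++] = flags;
    slc_reply[slc_reply_len++] = val;
    return 1;
}

/* Parses a server-supplied SLC suboption body (a run of triples) with the checked
 * routine; returns triples stored, or -1 if the length is not a multiple of three. */
int process_slc_suboption(const unsigned char *body, size_t len)
{
    int stored = 0;
    slc_reply_len = 0;
    if (len % 3 != 0)
        return -1;
    for (size_t i = 0; i < len; i += 3)
        stored += slc_add_reply_checked(body[i], body[i + 1], body[i + 2]);
    return stored;
}

size_t slc_reply_length(void) { return slc_reply_len; }

/* Constructed inputs: two triples fit; ten triples (30 bytes) do not. */
const unsigned char SAMPLE_SMALL[6] = { 1, 2, 3, 4, 5, 6 };
const unsigned char SAMPLE_LARGE[30] = { 0 };
```

The heap case described for the NEW-ENVIRON suboption needs the same check, measured against the allocated size of the heap buffer rather than a compile-time constant.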

The Kerberos team credited Reston, Va.-based security firm iDefense for "notifying us of these vulnerabilities and for providing useful feedback."

The two advisories iDefense issued on the vulnerabilities include a detailed list of the vendors and products affected, with links to their individual advisories. They include ALT Linux; Apple Mac OS X 10.3.8 and Mac OS X Server 10.3.8; the Openwall Project; Red Hat Enterprise Linux; and Sun Solaris.

In its advisory, for example, Sun Microsystems recommended that users of Solaris 7 through 10 work around the problem, until it issues additional patches, by removing the execute permissions from the Solaris telnet(1) utility.

Sun said there are no "predictable symptoms that would indicate the vulnerabilities have been exploited."

Because the vulnerabilities can be exploited remotely, Danish security firm Secunia has labeled them "moderately critical."