'Serious' security holes in Kerberos Telnet client

Bill Brenner

Attackers could exploit two "serious" security holes in the Telnet program supplied with MIT Kerberos 5 to cause a buffer overflow and launch malicious code, the Massachusetts Institute of Technology's (MIT) Kerberos Team warned in an advisory.

The Telnet protocol allows virtual network terminals to be connected over the Internet and is incorporated into a variety of popular operating systems, from Sun Solaris and Red Hat Enterprise Linux to Apple's Mac OS X.

According to the Kerberos Team, "An attacker controlling or impersonating a Telnet server may execute arbitrary code with the privileges of the user running the Telnet client." The advisory lists fixes that are available.

The first problem is that the slc_add_reply() function in telnet.c performs inadequate length checking. "By sending a carefully crafted telnet LINEMODE sub option string, a malicious Telnet server may cause a Telnet client to overflow a fixed-size data segment or BSS buffer and execute arbitrary code," the advisory said.

The second problem is that the env_opt_add() function in telnet.c also performs inadequate length checking. "By sending a carefully crafted telnet NEW-ENVIRON sub option string, a malicious Telnet server may cause a Telnet client to overflow a heap buffer and execute arbitrary code," the advisory said.
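Both defects the advisory describes have the same shape: bytes supplied by the server are appended to a client-side reply buffer without checking the space that remains. The following added example is not MIT's code and does not reproduce either function; the buffer size, the struct and the function names are constructed for illustration. It contrasts the unchecked append pattern with a length-checked version that computes the escaped size first (an IAC byte inside a sub-option must be doubled, so the output can be longer than the input) and refuses any item that would not fit, which is the check a defender would look for when reviewing similar option-negotiation code.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not MIT Kerberos code. A client assembling a reply to a
 * telnet sub-option (LINEMODE SLC or NEW-ENVIRON) by appending server-supplied
 * bytes into a fixed-size buffer, which is the shape of both reported defects. */

#define REPLY_CAP 64        /* constructed, deliberately small capacity */
#define IAC 255             /* telnet "interpret as command" byte (RFC 854) */

struct reply {
    unsigned char buf[REPLY_CAP];
    size_t len;             /* bytes used so far; never exceeds REPLY_CAP */
};

/* Unchecked append: the pattern the advisory describes. Every byte from the
 * server is copied and each IAC costs two bytes, so once the total passes
 * REPLY_CAP the writes land past the end of buf. Only ever called with
 * short input here; shown for comparison with append_checked(). */
static void append_unchecked(struct reply *r, const unsigned char *data, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (data[i] == IAC)
            r->buf[r->len++] = IAC;   /* IAC is doubled inside a sub-option */
        r->buf[r->len++] = data[i];
    }
}

/* Size the item will occupy after IAC escaping. */
static size_t escaped_len(const unsigned char *data, size_t n)
{
    size_t needed = n;
    for (size_t i = 0; i < n; i++)
        if (data[i] == IAC)
            needed++;
    return needed;
}

/* Checked append: refuse the whole item if it would not fit, leaving the
 * reply unchanged so the caller can abort the option negotiation.
 * Returns 1 when the item was appended, 0 when it was rejected. */
static int append_checked(struct reply *r, const unsigned char *data, size_t n)
{
    if (escaped_len(data, n) > REPLY_CAP - r->len)
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (data[i] == IAC)
            r->buf[r->len++] = IAC;
        r->buf[r->len++] = data[i];
    }
    return 1;
}

/* Feed a list of server-supplied items through the checked path and
 * return how many were accepted. */
static int build_reply(struct reply *r, const unsigned char *const *items,
                       const size_t *lens, size_t count)
{
    int accepted = 0;
    r->len = 0;
    for (size_t i = 0; i < count; i++)
        accepted += append_checked(r, items[i], lens[i]);
    return accepted;
}

int main(void)
{
    /* Constructed inputs: two short items and one that is far too long. */
    unsigned char small[] = {1, IAC, 2};
    unsigned char big[200];
    memset(big, 'A', sizeof big);
    const unsigned char *items[] = {small, big, small};
    size_t lens[] = {sizeof small, sizeof big, sizeof small};
    struct reply r = {{0}, 0};

    int accepted = build_reply(&r, items, lens, 3);
    printf("accepted %d of 3 items, reply uses %zu of %d bytes\n",
           accepted, r.len, REPLY_CAP);

    /* The unchecked variant is only exercised with input that fits. */
    struct reply u = {{0}, 0};
    append_unchecked(&u, small, sizeof small);
    printf("unchecked append of a short item used %zu bytes\n", u.len);
    return 0;
}
```

Running the program accepts the two short items and rejects the long one, with the reply left at 8 bytes; the same long item handed to append_unchecked() would write well past the 64-byte buffer, which is why the checked form must be the one on the receive path.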

The Kerberos team credited Reston, Va.-based security firm iDefense for "notifying us of these vulnerabilities and for providing useful feedback."

The two advisories iDefense issued on the vulnerabilities include a detailed list of the vendors and products affected, with links to their individual advisories. They include ALT Linux; Apple Mac OS X 10.3.8 and Mac OS X Server 10.3.8; the Openwall Project; Red Hat Enterprise Linux; and Sun Solaris.

In its advisory, for example, Sun Microsystems recommended that users of Solaris 7 through 10 work around the problem by removing the execute permissions from the Solaris telnet(1) utility until it issues additional patches.

Sun said there are no "predictable symptoms that would indicate the vulnerabilities have been exploited."

Because the vulnerabilities can be exploited remotely, Danish security firm Secunia has labeled them "moderately critical."
