Attackers could exploit two "serious" security holes in the Telnet program supplied with MIT Kerberos 5 to cause...
a buffer overflow and launch malicious code, the Massachusetts Institute of Technology's (MIT) Kerberos Team warned in an advisory.
The Telnet protocol allows virtual network terminals to be connected over the Internet and is incorporated into a variety of popular operating systems, from Sun Solaris and Red Hat Enterprise Linux to Apple's Mac OS X.
According to the Kerberos Team, "An attacker controlling or impersonating a Telnet server may execute arbitrary code with the privileges of the user running the Telnet client." The advisory lists fixes that are available.
The first problem is that the slc_add_reply() function in Telnet.c performs inadequate length checking. "By sending a carefully crafted telnet LINEMODE sub option string, a malicious Telnet server may cause a Telnet client to overflow a fixed-size data segment or BSS buffer and execute arbitrary code," the advisory said.
The second problem is that the env_opt_add() function in Telnet.c also performs inadequate length checking. "By sending a carefully crafted telnet NEW-ENVIRON sub option string, a malicious Telnet server may cause a Telnet client to overflow a heap buffer and execute arbitrary code," the advisory said.
The Kerberos team credited Reston, Va.-based security firm iDefense for "notifying us of these vulnerabilities and for providing useful feedback."
The two advisories iDefense issued on the vulnerabilities include a detailed list of the vendors and products affected, with links to their individual advisories. They include ALT Linux, Apple Mac OS X 10.3.8 and Mac OS X Server 10.3.8; the Openwall Project, Red Hat Enterprise Linux and Sun Solaris.
In its advisory, for example, Sun Microsystems recommended users of Solaris 7 through 10 work around the problem until it issues additional patches by removing the execute permissions from the Solaris telnet(1) utility.
Sun said there are no "predictable symptoms that would indicate the vulnerabilities have been exploited."
Because the vulnerabilities can be exploited remotely, Danish security firm Secunia has labeled them "moderately critical."