'Serious' security holes in Kerberos Telnet client

By Bill Brenner, News Writer
29 Mar 2005 | SearchSecurity.com

Attackers could exploit two "serious" security holes in the Telnet program supplied with MIT Kerberos 5 to cause a buffer overflow and launch malicious code, the Massachusetts Institute of Technology's (MIT) Kerberos Team warned in an advisory.

The Telnet protocol allows virtual network terminals to be connected over the Internet and is incorporated into a variety of popular operating systems, from Sun Solaris and Red Hat Enterprise Linux to Apple's Mac OS X.

According to the Kerberos Team, "An attacker controlling or impersonating a Telnet server may execute arbitrary code with the privileges of the user running the Telnet client." The advisory lists fixes that are available.

The first problem is that the slc_add_reply() function in Telnet.c performs inadequate length checking. "By sending a carefully crafted telnet LINEMODE sub option string, a malicious Telnet server may cause a Telnet client to overflow a fixed-size data segment or BSS buffer and execute arbitrary code," the advisory said.
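A fixed-size reply buffer of the kind the advisory describes stays safe if worst-case space is reserved before each append. The C sketch below is an added example, not MIT's code or its patch; the 128-byte size, the struct and the function names are assumptions, and it relies on the Telnet rule that a data byte of 255 (IAC) is sent doubled.

```c
#include <stddef.h>
#include <string.h>

#define IAC 255          /* Telnet "interpret as command" byte (RFC 854) */
#define REPLY_MAX 128    /* assumed fixed buffer size for this sketch */
#define TRAILER 2        /* room kept for the closing IAC SE */

struct slc_reply {
    unsigned char buf[REPLY_MAX];
    size_t len;          /* bytes used so far */
    unsigned dropped;    /* triplets refused for lack of room */
};

/* Append one byte, doubling it if it equals IAC as Telnet requires.
 * The caller must already have verified that two bytes fit. */
static void put_escaped(struct slc_reply *r, unsigned char c)
{
    r->buf[r->len++] = c;
    if (c == IAC)
        r->buf[r->len++] = IAC;
}

/* Add one (function, flags, value) triplet from the peer.
 * Worst case all three bytes are IAC and double, so 6 bytes are needed.
 * Returns 0 on success, -1 if the triplet was refused. */
int slc_reply_add(struct slc_reply *r, unsigned char func,
                  unsigned char flags, unsigned char value)
{
    if (r->len > REPLY_MAX || REPLY_MAX - r->len < 6 + TRAILER) {
        r->dropped++;    /* refuse rather than write past the buffer */
        return -1;
    }
    put_escaped(r, func);
    put_escaped(r, flags);
    put_escaped(r, value);
    return 0;
}

/* Feed n peer-supplied triplets; returns bytes used after processing. */
size_t slc_reply_feed(struct slc_reply *r, const unsigned char *t, size_t n)
{
    memset(r, 0, sizeof *r);
    for (size_t i = 0; i < n; i++)
        slc_reply_add(r, t[3 * i], t[3 * i + 1], t[3 * i + 2]);
    return r->len;
}
```

The `dropped` counter gives a client something to log when a peer sends more triplets than a legitimate server plausibly would.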
The second problem is that the env_opt_add() function in Telnet.c also performs inadequate length checking. "By sending a carefully crafted telnet NEW-ENVIRON sub option string, a malicious Telnet server may cause a Telnet client to overflow a heap buffer and execute arbitrary code," the advisory said.

The Kerberos team credited Reston, Va.-based security firm iDefense for "notifying us of these vulnerabilities and for providing useful feedback."

The two advisories iDefense issued on the vulnerabilities include a detailed list of the vendors and products affected, with links to their individual advisories. They include ALT Linux, Apple Mac OS X 10.3.8 and Mac OS X Server 10.3.8, the Openwall Project, Red Hat Enterprise Linux and Sun Solaris.

In its advisory, for example, Sun Microsystems recommended that, until it issues additional patches, users of Solaris 7 through 10 work around the problem by removing the execute permissions from the Solaris telnet(1) utility.

Sun said there are no "predictable symptoms that would indicate the vulnerabilities have been exploited."

Because the vulnerabilities can be exploited remotely, Danish security firm Secunia has labeled them "moderately critical."
