ID CVE-2005-0468
Summary Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumes more memory than allocated.
References
Vulnerable Configurations
  • cpe:2.3:a:ncsa:telnet:c
CVSS
Base: 7.5 (as of 07-06-2005 - 15:06)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
exploit-db via4
description Multiple Vendor Telnet Client Env_opt_add Heap-Based Buffer Overflow Vulnerability. CVE-2005-0468. DoS exploit for the Linux platform
id EDB-ID:25303
last seen 2016-02-03
modified 2005-03-28
published 2005-03-28
reporter Gael Delalleau
source https://www.exploit-db.com/download/25303/
title Multiple Vendor Telnet Client Env_opt_add Heap-Based Buffer Overflow Vulnerability
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-224-1.NASL
    description Gael Delalleau discovered a buffer overflow in the env_opt_add() function of the Kerberos 4 and 5 telnet clients. By sending specially crafted replies, a malicious telnet server could exploit this to execute arbitrary code with the privileges of the user running the telnet client. (CVE-2005-0468) Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in the telnet clients of Kerberos 4 and 5. By sending a specially constructed reply containing a large number of SLC (Set Local Character) commands, a remote attacker (i.e. a malicious telnet server) could execute arbitrary commands with the privileges of the user running the telnet client. (CVE-2005-0469) Daniel Wachdorf discovered two remote vulnerabilities in the Key Distribution Center of Kerberos 5 (krb5-kdc). By sending certain TCP connection requests, a remote attacker could trigger a double-freeing of memory, which led to memory corruption and a crash of the KDC server. (CVE-2005-1174) Under rare circumstances the same type of TCP connection requests could also trigger a buffer overflow that could be exploited to run arbitrary code with the privileges of the KDC server. (CVE-2005-1175) Magnus Hagander discovered that the krb5_recvauth() function attempted to free previously freed memory in some situations. A remote attacker could possibly exploit this to run arbitrary code with the privileges of the program that called this function. Most importantly, this affects the following daemons: kpropd (from the krb5-kdc package), klogind, and kshd (both from the krb5-rsh-server package). (CVE-2005-1689) Please note that these packages are not officially supported by Ubuntu (they are in the 'universe' component of the archive). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20767
    published 2006-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20767
    title Ubuntu 4.10 / 5.04 : krb4, krb5 vulnerabilities (USN-224-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-703.NASL
    description Several problems have been discovered in telnet clients that could be exploited by malicious daemons the client connects to. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-0468 Gael Delalleau discovered a buffer overflow in the env_opt_add() function that allows a remote attacker to execute arbitrary code. - CAN-2005-0469 Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. This can lead to the execution of arbitrary code when connected to a malicious server.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 17674
    published 2005-04-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17674
    title Debian DSA-703-1 : krb5 - buffer overflows
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200504-04.NASL
    description The remote host is affected by the vulnerability described in GLSA-200504-04 (mit-krb5: Multiple buffer overflows in telnet client) A buffer overflow has been identified in the env_opt_add() function, where a response requiring excessive escaping can cause a heap-based buffer overflow. Another issue has been identified in the slc_add_reply() function, where a large number of SLC commands can overflow a fixed size buffer. Impact : Successful exploitation would require a vulnerable user to connect to an attacker-controlled telnet host, potentially executing arbitrary code with the permissions of the telnet user on the client. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 17978
    published 2005-04-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17978
    title GLSA-200504-04 : mit-krb5: Multiple buffer overflows in telnet client
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2005-210-01.NASL
    description New tcpip packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix security issues with the telnet client. Overflows in the telnet client may lead to the execution of arbitrary code as the telnet user if the user connects to a malicious telnet server.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 19857
    published 2005-10-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19857
    title Slackware 10.0 / 10.1 / 8.1 / 9.0 / 9.1 / current : telnet client (SSA:2005-210-01)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200504-28.NASL
    description The remote host is affected by the vulnerability described in GLSA-200504-28 (Heimdal: Buffer overflow vulnerabilities) Buffer overflow vulnerabilities in the slc_add_reply() and env_opt_add() functions have been discovered by Gael Delalleau in the telnet client in Heimdal. Impact : Successful exploitation would require a vulnerable user to connect to an attacker-controlled host using the telnet client, potentially executing arbitrary code with the permissions of the user running the application. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 18159
    published 2005-04-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18159
    title GLSA-200504-28 : Heimdal: Buffer overflow vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-330.NASL
    description Updated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues. Users of krb5 should update to these erratum packages which contain a backported patch to correct this issue. Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 17659
    published 2005-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17659
    title RHEL 2.1 / 3 / 4 : krb5 (RHSA-2005:330)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2005-270.NASL
    description Updated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available. Kerberos is a networked authentication system which uses a trusted third-party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 62255
    published 2012-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62255
    title Fedora Core 3 : krb5-1.3.6-5 (2005-270)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-330.NASL
    description Updated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues. Users of krb5 should update to these erratum packages which contain a backported patch to correct this issue. Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21803
    published 2006-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21803
    title CentOS 3 : krb5 (CESA-2005:330)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-061.NASL
    description Two buffer overflow issues were discovered in the way telnet clients handle messages from a server. Because of these issues, an attacker may be able to execute arbitrary code on the victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Kerberos package contains a telnet client and is patched to deal with these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 17658
    published 2005-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17658
    title Mandrake Linux Security Advisory : krb5 (MDKSA-2005:061)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-327.NASL
    description Updated telnet packages that fix two buffer overflow vulnerabilities are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The telnet package provides a command line telnet client. The telnet-server package includes a telnet daemon, telnetd, that supports remote login to the host machine. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues. Additionally, the following bugs have been fixed in these erratum packages for Red Hat Enterprise Linux 2.1 and Red Hat Enterprise Linux 3 : - telnetd could loop on an error in the child side process - There was a race condition in telnetd on a wtmp lock on some occasions - The command line in the process table was sometimes too long and caused bad output from the ps command - The 8-bit binary option was not working Users of telnet should upgrade to this updated package, which contains backported patches to correct these issues. Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 17645
    published 2005-03-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17645
    title RHEL 2.1 / 3 / 4 : telnet (RHSA-2005:327)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-731.NASL
    description Several problems have been discovered in telnet clients that could be exploited by malicious daemons the client connects to. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-0468 Gael Delalleau discovered a buffer overflow in the env_opt_add() function that allows a remote attacker to execute arbitrary code. - CAN-2005-0469 Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. This can lead to the execution of arbitrary code when connected to a malicious server.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 18518
    published 2005-06-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18518
    title Debian DSA-731-1 : krb4 - buffer overflows
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200504-01.NASL
    description The remote host is affected by the vulnerability described in GLSA-200504-01 (telnet-bsd: Multiple buffer overflows) A buffer overflow has been identified in the env_opt_add() function of telnet-bsd, where a response requiring excessive escaping can cause a heap-based buffer overflow. Another issue has been identified in the slc_add_reply() function, where a large number of SLC commands can overflow a fixed size buffer. Impact : Successful exploitation would require a vulnerable user to connect to an attacker-controlled host using telnet, potentially executing arbitrary code with the permissions of the telnet user. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 17675
    published 2005-04-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17675
    title GLSA-200504-01 : telnet-bsd: Multiple buffer overflows
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2005-274.NASL
    description Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues. Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 19642
    published 2005-09-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19642
    title Fedora Core 3 : telnet-0.17-32.FC3.2 (2005-274)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2005-269.NASL
    description Updated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available. Kerberos is a networked authentication system which uses a trusted third-party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 18327
    published 2005-05-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18327
    title Fedora Core 2 : krb5-1.3.6-4 (2005-269)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2005-277.NASL
    description Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues. Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 18330
    published 2005-05-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18330
    title Fedora Core 2 : telnet-0.17-28.FC2.1 (2005-277)
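The summary and the two Gentoo entries above (GLSA-200504-04 and GLSA-200504-01) describe the mechanism in one sentence each: the reply buffer was grown on the basis of the raw length of the data, while the escaping that RFC 1572 requires inside a NEW-ENVIRON body (IAC doubled, VAR/VALUE/ESC/USERVAR prefixed with ESC) can turn every byte into two, so a server-supplied string made of many escapable bytes is written past the heap allocation. The C program below is an added illustration, not telnet.c and not any vendor's patch. It models a chunk-grown reply buffer with two size estimates, one that ignores escaping (the bug pattern the CVE describes) and one that reserves for the worst case, and reports where the naive estimate would run past the allocation instead of actually corrupting memory. The 256-byte growth chunk, the `struct reply` model, all function names, and the assumption that the attacker-controlled bytes arrive as a variable name in the server's NEW-ENVIRON SEND request (which the client echoes back in its IS reply) are mine; the page does not state them.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Telnet and NEW-ENVIRON constants (RFC 854, RFC 1572). */
#define IAC            255
#define ENV_VAR          0
#define ENV_VALUE        1
#define ENV_ESC          2
#define ENV_USERVAR      3
#define OPT_REPLY_SIZE 256   /* assumed growth chunk for this model */

/* Inside a NEW-ENVIRON body IAC is doubled and VAR/VALUE/ESC/USERVAR get an
 * ESC prefix: each such input byte becomes two output bytes. */
static int needs_escape(unsigned char c)
{
    return c == IAC || c == ENV_VAR || c == ENV_VALUE ||
           c == ENV_ESC || c == ENV_USERVAR;
}

/* Exact size of src[0..len) after escaping. */
size_t escaped_len(const unsigned char *src, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += needs_escape(src[i]) ? 2 : 1;
    return n;
}

/* Model of the client's growing reply buffer (illustrative, not telnet.c). */
struct reply { unsigned char *buf; size_t used; size_t cap; };

/* Grow in OPT_REPLY_SIZE chunks until 'want' more bytes fit. */
static int reply_reserve(struct reply *r, size_t want)
{
    while (r->used + want > r->cap) {
        unsigned char *nb = realloc(r->buf, r->cap + OPT_REPLY_SIZE);
        if (nb == NULL) return -1;
        r->buf = nb;
        r->cap += OPT_REPLY_SIZE;
    }
    return 0;
}

/* Size estimates the growth check can be based on. The first is the bug
 * pattern the CVE describes: it counts raw bytes and ignores escaping. */
size_t estimate_naive(size_t nlen) { return 1 + nlen; }      /* VAR + raw name */
size_t estimate_safe(size_t nlen)  { return 1 + 2 * nlen; }  /* every byte may double */

/* Append "VAR <name>" with escaping. Returns 1 if the escaped bytes fit the
 * reservation, 0 where an unchecked writer would run past the allocation
 * (this model stops instead of corrupting the heap), -1 on realloc failure. */
int reply_add_var(struct reply *r, size_t (*estimate)(size_t),
                  const unsigned char *name, size_t nlen)
{
    if (reply_reserve(r, estimate(nlen)) < 0) return -1;
    size_t need = 1 + escaped_len(name, nlen);
    if (r->used + need > r->cap) return 0;
    r->buf[r->used++] = ENV_VAR;
    for (size_t i = 0; i < nlen; i++) {
        unsigned char c = name[i];
        if (c == IAC)             { r->buf[r->used++] = IAC;     r->buf[r->used++] = IAC; }
        else if (needs_escape(c)) { r->buf[r->used++] = ENV_ESC; r->buf[r->used++] = c;   }
        else                        r->buf[r->used++] = c;
    }
    return 1;
}

/* The attacker's case (constructed input): a SEND naming a variable of n
 * bytes that all need escaping (all IAC). Returns reply_add_var's result. */
int try_all_iac(size_t (*estimate)(size_t), size_t n)
{
    struct reply r = { NULL, 0, 0 };
    unsigned char *name = malloc(n ? n : 1);
    if (name == NULL) return -1;
    memset(name, IAC, n);
    int rc = reply_add_var(&r, estimate, name, n);
    free(name);
    free(r.buf);
    return rc;
}

int main(void)
{
    static const size_t sizes[] = { 4, 100, 300, 2000 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("%4zu all-IAC bytes: naive estimate -> %s, safe estimate -> %s\n",
               sizes[i],
               try_all_iac(estimate_naive, sizes[i]) == 1 ? "fits" : "OVERFLOW",
               try_all_iac(estimate_safe,  sizes[i]) == 1 ? "fits" : "OVERFLOW");
    }
    return 0;
}
```

The 100-byte case fits even with the naive estimate because the growth chunk leaves slack; only a long run of escapable bytes exhausts it, which is why the summary speaks of a large number of characters. The fix pattern is the safe estimate: reserve for the worst-case expansion (or compute the escaped length before growing), and keep a hard bounds check at the write site regardless of what the estimate says.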
oval via4
accepted 2013-04-29T04:20:57.484-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumes more memory than allocated.
family unix
id oval:org.mitre.oval:def:9640
status accepted
submitted 2010-07-09T03:56:16-04:00
title Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumes more memory than allocated.
version 24
redhat via4
advisories
  • rhsa
    id RHSA-2005:327
  • rhsa
    id RHSA-2005:330
refmap via4
bid 12919
cert-vn VU#341908
conectiva CLA-2005:962
confirm http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt
debian
  • DSA-703
  • DSA-731
freebsd FreeBSD-SA-05:01.telnet
idefense 20050328 Multiple Telnet Client env_opt_add() Buffer Overflow Vulnerability
mandrake MDKSA-2005:061
secunia
  • 14745
  • 17899
sgi 20050405-01-P
sunalert
  • 101665
  • 101671
  • 57755
  • 57761
ubuntu USN-224-1
statements via4
contributor Mark J Cox
lastmodified 2007-03-14
organization Red Hat
statement Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 21-08-2010 - 00:26
Published 02-05-2005 - 00:00
Last modified 10-10-2017 - 21:29