ID CVE-2005-0469
Summary Buffer overflow in the slc_add_reply function in various BSD-based Telnet clients, when handling LINEMODE suboptions, allows remote attackers to execute arbitrary code via a reply with a large number of Set Local Character (SLC) commands.
References
Vulnerable Configurations
  • cpe:2.3:a:ncsa:telnet
CVSS
Base: 7.5 (as of 07-06-2005 - 20:32)
Impact:
Exploitability:
Access: Vector NETWORK, Complexity LOW, Authentication NONE
Impact: Confidentiality PARTIAL, Integrity PARTIAL, Availability PARTIAL
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-697.NASL
    description Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. This can lead to the execution of arbitrary code when connected to a malicious server.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 17639
    published 2005-03-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17639
    title Debian DSA-697-1 : netkit-telnet - buffer overflow
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-773.NASL
    description This advisory adds security support for the stable amd64 distribution. It covers all security updates since the release of sarge, which were missing updated packages for the not yet official amd64 port. Future security advisories will include updates for this port as well.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 57528
    published 2012-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57528
    title Debian DSA-773-1 : amd64 - several vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-224-1.NASL
    description Gael Delalleau discovered a buffer overflow in the env_opt_add() function of the Kerberos 4 and 5 telnet clients. By sending specially crafted replies, a malicious telnet server could exploit this to execute arbitrary code with the privileges of the user running the telnet client. (CVE-2005-0468) Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in the telnet clients of Kerberos 4 and 5. By sending a specially constructed reply containing a large number of SLC (Set Local Character) commands, a remote attacker (i.e. a malicious telnet server) could execute arbitrary commands with the privileges of the user running the telnet client. (CVE-2005-0469) Daniel Wachdorf discovered two remote vulnerabilities in the Key Distribution Center of Kerberos 5 (krb5-kdc). By sending certain TCP connection requests, a remote attacker could trigger a double-freeing of memory, which led to memory corruption and a crash of the KDC server. (CVE-2005-1174). Under rare circumstances the same type of TCP connection requests could also trigger a buffer overflow that could be exploited to run arbitrary code with the privileges of the KDC server. (CVE-2005-1175) Magnus Hagander discovered that the krb5_recvauth() function attempted to free previously freed memory in some situations. A remote attacker could possibly exploit this to run arbitrary code with the privileges of the program that called this function. Most importantly, this affects the following daemons: kpropd (from the krb5-kdc package), klogind, and kshd (both from the krb5-rsh-server package). (CVE-2005-1689) Please note that these packages are not officially supported by Ubuntu (they are in the 'universe' component of the archive). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20767
    published 2006-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20767
    title Ubuntu 4.10 / 5.04 : krb4, krb5 vulnerabilities (USN-224-1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_B62C80C2B81A11DABEC500123FFE8333.NASL
    description A Project heimdal Security Advisory reports : The telnet client program in Heimdal has buffer overflows in the functions slc_add_reply() and env_opt_add(), which may lead to remote code execution. The telnetd server program in Heimdal has buffer overflows in the function getterminaltype, which may lead to remote code execution. The rshd server in Heimdal has a privilege escalation bug when storing forwarded credentials. The code allows a user to overwrite a file with its credential cache, and get ownership of the file.
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 21499
    published 2006-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21499
    title FreeBSD : heimdal -- Multiple vulnerabilities (b62c80c2-b81a-11da-bec5-00123ffe8333)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-765.NASL
    description Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. Heimdal, a free implementation of Kerberos 5, also contains such a client. This can lead to the execution of arbitrary code when connected to a malicious server.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 19270
    published 2005-07-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19270
    title Debian DSA-765-1 : heimdal - buffer overflow
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200503-36.NASL
    description The remote host is affected by the vulnerability described in GLSA-200503-36 (netkit-telnetd: Buffer overflow) A buffer overflow has been identified in the slc_add_reply() function of netkit-telnetd client, where a large number of SLC commands can overflow a fixed size buffer. Impact : Successful exploitation would require a vulnerable user to connect to an attacker-controlled host using telnet, potentially executing arbitrary code with the permissions of the telnet user. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 17666
    published 2005-04-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17666
    title GLSA-200503-36 : netkit-telnetd: Buffer overflow
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-101-1.NASL
    description A buffer overflow was discovered in the telnet client's handling of the LINEMODE suboptions. By sending a specially constructed reply containing a large number of SLC (Set Local Character) commands, a remote attacker (i.e. a malicious telnet server) could execute arbitrary commands with the privileges of the user running the telnet client. (CAN-2005-0469) Michal Zalewski discovered a Denial of Service vulnerability in the telnet server (telnetd). A remote attacker could cause the telnetd process to free an invalid pointer, which caused the server process to crash, leading to a denial of service (inetd will disable the service if telnetd crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user). Please note that the telnet server is not officially supported by Ubuntu, it is in the 'universe' component. (CAN-2004-0911). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20487
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20487
    title Ubuntu 4.10 : netkit-telnet vulnerabilities (USN-101-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-703.NASL
    description Several problems have been discovered in telnet clients that could be exploited by malicious daemons the client connects to. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-0468 Gael Delalleau discovered a buffer overflow in the env_opt_add() function that allows a remote attacker to execute arbitrary code. - CAN-2005-0469 Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. This can lead to the execution of arbitrary code when connected to a malicious server.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 17674
    published 2005-04-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17674
    title Debian DSA-703-1 : krb5 - buffer overflows
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200504-04.NASL
    description The remote host is affected by the vulnerability described in GLSA-200504-04 (mit-krb5: Multiple buffer overflows in telnet client) A buffer overflow has been identified in the env_opt_add() function, where a response requiring excessive escaping can cause a heap-based buffer overflow. Another issue has been identified in the slc_add_reply() function, where a large number of SLC commands can overflow a fixed size buffer. Impact : Successful exploitation would require a vulnerable user to connect to an attacker-controlled telnet host, potentially executing arbitrary code with the permissions of the telnet user on the client. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 17978
    published 2005-04-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17978
    title GLSA-200504-04 : mit-krb5: Multiple buffer overflows in telnet client
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2005-210-01.NASL
    description New tcpip packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix security issues with the telnet client. Overflows in the telnet client may lead to the execution of arbitrary code as the telnet user if the user connects to a malicious telnet server.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 19857
    published 2005-10-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19857
    title Slackware 10.0 / 10.1 / 8.1 / 9.0 / 9.1 / current : telnet client (SSA:2005-210-01)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200504-28.NASL
    description The remote host is affected by the vulnerability described in GLSA-200504-28 (Heimdal: Buffer overflow vulnerabilities) Buffer overflow vulnerabilities in the slc_add_reply() and env_opt_add() functions have been discovered by Gael Delalleau in the telnet client in Heimdal. Impact : Successful exploitation would require a vulnerable user to connect to an attacker-controlled host using the telnet client, potentially executing arbitrary code with the permissions of the user running the application. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 18159
    published 2005-04-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18159
    title GLSA-200504-28 : Heimdal: Buffer overflow vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-330.NASL
    description Updated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues. Users of krb5 should update to these erratum packages which contain a backported patch to correct this issue. Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 17659
    published 2005-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17659
    title RHEL 2.1 / 3 / 4 : krb5 (RHSA-2005:330)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2005-270.NASL
    description Updated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available. Kerberos is a networked authentication system which uses a trusted third-party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 62255
    published 2012-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62255
    title Fedora Core 3 : krb5-1.3.6-5 (2005-270)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-330.NASL
    description Updated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues. Users of krb5 should update to these erratum packages which contain a backported patch to correct this issue. Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21803
    published 2006-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21803
    title CentOS 3 : krb5 (CESA-2005:330)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-699.NASL
    description Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. This can lead to the execution of arbitrary code when connected to a malicious server.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 17641
    published 2005-03-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17641
    title Debian DSA-699-1 : netkit-telnet-ssl - buffer overflow
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-061.NASL
    description Two buffer overflow issues were discovered in the way telnet clients handle messages from a server. Because of these issues, an attacker may be able to execute arbitrary code on the victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Kerberos package contains a telnet client and is patched to deal with these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 17658
    published 2005-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17658
    title Mandrake Linux Security Advisory : krb5 (MDKSA-2005:061)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-327.NASL
    description Updated telnet packages that fix two buffer overflow vulnerabilities are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The telnet package provides a command line telnet client. The telnet-server package includes a telnet daemon, telnetd, that supports remote login to the host machine. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues. Additionally, the following bugs have been fixed in these erratum packages for Red Hat Enterprise Linux 2.1 and Red Hat Enterprise Linux 3 : - telnetd could loop on an error in the child side process - There was a race condition in telnetd on a wtmp lock on some occasions - The command line in the process table was sometimes too long and caused bad output from the ps command - The 8-bit binary option was not working Users of telnet should upgrade to this updated package, which contains backported patches to correct these issues. Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 17645
    published 2005-03-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17645
    title RHEL 2.1 / 3 / 4 : telnet (RHSA-2005:327)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-731.NASL
    description Several problems have been discovered in telnet clients that could be exploited by malicious daemons the client connects to. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-0468 Gael Delalleau discovered a buffer overflow in the env_opt_add() function that allows a remote attacker to execute arbitrary code. - CAN-2005-0469 Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. This can lead to the execution of arbitrary code when connected to a malicious server.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 18518
    published 2005-06-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18518
    title Debian DSA-731-1 : krb4 - buffer overflows
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200504-01.NASL
    description The remote host is affected by the vulnerability described in GLSA-200504-01 (telnet-bsd: Multiple buffer overflows) A buffer overflow has been identified in the env_opt_add() function of telnet-bsd, where a response requiring excessive escaping can cause a heap-based buffer overflow. Another issue has been identified in the slc_add_reply() function, where a large number of SLC commands can overflow a fixed size buffer. Impact : Successful exploitation would require a vulnerable user to connect to an attacker-controlled host using telnet, potentially executing arbitrary code with the permissions of the telnet user. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 17675
    published 2005-04-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17675
    title GLSA-200504-01 : telnet-bsd: Multiple buffer overflows
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2005-274.NASL
    description Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues. Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 19642
    published 2005-09-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19642
    title Fedora Core 3 : telnet-0.17-32.FC3.2 (2005-274)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2005-269.NASL
    description Updated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available. Kerberos is a networked authentication system which uses a trusted third-party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 18327
    published 2005-05-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18327
    title Fedora Core 2 : krb5-1.3.6-4 (2005-269)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2005-277.NASL
    description Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues. Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 18330
    published 2005-05-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18330
    title Fedora Core 2 : telnet-0.17-28.FC2.1 (2005-277)
oval via4
accepted 2013-04-29T04:21:29.965-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Buffer overflow in the slc_add_reply function in various BSD-based Telnet clients, when handling LINEMODE suboptions, allows remote attackers to execute arbitrary code via a reply with a large number of Set Local Character (SLC) commands.
family unix
id oval:org.mitre.oval:def:9708
status accepted
submitted 2010-07-09T03:56:16-04:00
title Buffer overflow in the slc_add_reply function in various BSD-based Telnet clients, when handling LINEMODE suboptions, allows remote attackers to execute arbitrary code via a reply with a large number of Set Local Character (SLC) commands.
version 24
redhat via4
advisories
  • rhsa
    id RHSA-2005:327
  • rhsa
    id RHSA-2005:330
refmap via4
bid 12918
cert-vn VU#291924
confirm http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt
debian
  • DSA-697
  • DSA-699
  • DSA-703
  • DSA-731
freebsd FreeBSD-SA-05:01.telnet
gentoo GLSA-200503-36
idefense 20050328 Multiple Telnet Client slc_add_reply() Buffer Overflow Vulnerability
mandrake MDKSA-2005:061
secunia
  • 14745
  • 17899
sgi 20050405-01-P
sunalert
  • 101665
  • 101671
  • 57755
  • 57761
ubuntu USN-224-1
statements via4
contributor Mark J Cox
lastmodified 2007-03-14
organization Red Hat
statement Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 21-08-2010 - 00:26
Published 02-05-2005 - 00:00
Last modified 10-10-2017 - 21:29