Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 97103

Summary: net-misc/netkit-telnetd information disclosure (CAN-2005-0488)
Product: Gentoo Security Reporter: Thierry Carrez (RETIRED) <koon>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: minor    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Other   
URL: http://www.idefense.com/application/poi/display?id=260&type=vulnerabilities
Whiteboard: B4 [upstream]
Package list:
Runtime testing required: ---

Description Thierry Carrez (RETIRED) gentoo-dev 2005-06-26 03:54:40 UTC 
netkit-telnetd /might/ be affected, apparently there is no Debian patchset for this (small) vulnerability yet :

=============
Multiple Vendor Telnet Client Information Disclosure Vulnerability

iDEFENSE Security Advisory 06.14.05
www.idefense.com/application/poi/display?id=260&type=vulnerabilities
June 14, 2005

I. BACKGROUND

The TELNET protocol allows virtual network terminals to be connected to 
over the internet. The initial description of the telnet protocol was 
given in RFC854 in May 1983. Since then there have been many extra 
features added including encryption. 

II. DESCRIPTION

Remote exploitation of an input validation error in multiple telnet 
clients could allow an attacker to gain sensitive information about the 
victim's system.

The vulnerability specifically exists in the handling of the NEW-ENVIRON 
command.

In order to exploit this vulnerability, a malicious server can send a 
connected client the following telnet command:

SB NEW-ENVIRON SEND ENV_USERVAR <name of environment variable> SE

Vulnerable telnet clients will send the contents of the reference 
environment variable, which may contain information useful to an 
attacker. The expected behavior would be only to send environment 
variables related directly to the operation of the telnet client (for 
example, TERM), or those specifically allowed by the user.
=============================
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-06-26 03:56:57 UTC 
solar: could you have a look and confirm that we are indeed affected ? Maybe the
Debian patchset already includes the old RH patch...
Comment 2 solar (RETIRED) gentoo-dev 2005-06-26 20:38:27 UTC 
I expect to be a little busy most of the week. If anybody else can take a peek
that would be great.

Being that we base our netkit on debs package and Ubuntu is based on deb we are
probably ok. But I can't confirm right away.

- Ubuntu
Ubuntu supports and ships netkit-telnet, which has been patched to not
disclose arbitrary environment variables for a long time now. The krb5
version is also available in the archive, however, it is unsupported and
there will not be an official advisory for it. It will most likely be
fixed by the community.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-06-30 09:03:17 UTC 
AFAICT the info disclosure already fixed in that package.