Bug 83596 - {netkit-telnetd|telnet-bsd|mit-krb5|heimdal?} information disclosure
Summary: {netkit-telnetd|telnet-bsd|mit-krb5|heimdal?} information disclosure
Status: RESOLVED DUPLICATE of bug 96156
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All / OS: All
Importance: High minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [preebuild] jaervosz CLASSIFIED 20...
Keywords:
Depends on:
Blocks:
 
Reported: 2005-02-28 13:07 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2008-08-16 14:47 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
telnet-bsd-1.1-slc-env-overflow.diff (telnet-bsd-1.1-slc-env-overflow.diff,1.14 KB, patch)
2005-02-28 13:08 UTC, Sune Kloppenborg Jeppesen (RETIRED)
telnet-slc.patch (telnet-slc.patch,807 bytes, patch)
2005-03-03 22:13 UTC, Sune Kloppenborg Jeppesen (RETIRED)
CAN-2005-468_469.patch (CAN-2005-468_469.patch,4.32 KB, patch)
2005-03-23 08:33 UTC, Sune Kloppenborg Jeppesen (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-28 13:07:13 UTC
iDEFENSE reports of a buffer overflow when handling LINEMODE and large number of SLC commands.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-28 13:08:34 UTC
Created attachment 52319
telnet-bsd-1.1-slc-env-overflow.diff
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-03-02 07:25:36 UTC
There are three issues:
- Information Disclosure Vulnerability (B4, could even be considered shallow)
- slc_add_reply() Buffer Overflow (B2)
- env_opt_add() Buffer Overflow (B2)
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-03-03 07:42:03 UTC
[IDEF0866] Multiple Telnet Client slc_add_reply() Buffer Overflow
Vulnerability
Disclosure Date: March 28, 2005
CVE: CAN-2005-0469

[IDEF0867] Multiple Telnet Client env_opt_add() Buffer Overflow
Vulnerability
Disclosure Date: March 28, 2005
CVE: CAN-2005-0468
Comment 4 SpanKY gentoo-dev 2005-03-03 15:27:42 UTC
Does the patch in comment #1 cover all three issues? Where did the patch come from?
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-03 22:12:05 UTC
It's only for the slc overflow issue and provided by Sebastian Krahmer from SUSE.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-03 22:13:30 UTC
Created attachment 52622
telnet-slc.patch

FreeBSD patch.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-03 22:15:56 UTC
Patch for the Information Disclosure Vulnerability, pointed out by Solar Designer.

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/telnet/

(the relevant file is telnet-3.0-rh-env.diff), -- or in Red Hat's
.src.rpm indeed, against the NetKit telnet.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-03-04 00:44:34 UTC
In my understanding telnet-bsd-1.1-slc-env-overflow.diff is a patch for both slc_add_reply() and env_opt_add() overflows.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-23 08:33:06 UTC
Created attachment 54257
CAN-2005-468_469.patch

RedHat patch
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-25 22:31:04 UTC
Solar, vapier please advise and attach updated ebuilds to this bug.  

And Koon is right in comment #8.

Also note that the information disclosure issue is still embargoed until April 25:-/
Comment 11 solar (RETIRED) gentoo-dev 2005-03-25 22:45:54 UTC
hey I looked this over briefly (10-12 mins) when this bug first mentioned netkit-* and to be honest I think our netkit-telnetd is clean. I would hate to
say it's clean and be wrong, thus screwing up your security comfort level, so
please double check my findings. Compare *-bsd.patch to what's in cvs ~arch now.
Tavis Ormandy, your reviewing eyes please.
Comment 12 Tavis Ormandy (RETIRED) gentoo-dev 2005-03-27 06:51:54 UTC
I've constructed a testcase from the idefense details for the env_opt_add() overflow, this should crash a vulnerable client:

$ perl -e 'print "\xff\xfd\x27\xff\xfa\x27\x01\x03", "\x01" x 128, "\xff\xf0"' | nc -lp 1025 &
$ telnet localhost 1025

It does look exploitable.

env_opt_add():
 bsd-telnet: vulnerable
 netkit-telnet: unaffected

I've seen a testcase for the slc_add_reply vulnerability, but it doesn't wfm. I'll look into it further and create one suitable for our packages.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-28 11:17:53 UTC
Disclosure date for the Information Disclosure Vulnerability is April 25, 2005

Ubuntu published their advisory on the two buffer overflows for netkit-telnet:

http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032923.html

I'll open up a new bug for telnet-bsd shortly.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-28 12:46:54 UTC
The two telnet-bsd overflows are now public on bug #87019.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-28 12:53:40 UTC
Disclosure date for the Information Disclosure Vulnerability is now June 14, 2005 @ 1pm EST:-/
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-28 21:05:15 UTC
testcase for the slc_add_reply() overflow by Solar Designer <solar at openwall.com>:

perl -e 'print "\377", "\372\42\3\377\377\3\3" x 43, "\377\360"' | nc -l 23

No test box here atm, so I haven't checked our packages. Taviso?
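Added example, not code from this bug, from telnet-bsd, netkit-telnet or any other telnet implementation: a small decoder for telnet IAC SB ... IAC SE suboption frames plus a model of a bounds-checked slc_add_reply(), fed constructed copies of the two test payloads from comment 12 (NEW-ENVIRON) and comment 16 (LINEMODE SLC). It shows what a client actually sees on the wire (the repeated SB LINEMODE SLC bytes inside the SLC frame are just data, so the frame carries 85 triplets, not 43) and why an unchecked writer overflows a fixed reply buffer. The 128-byte reply buffer, the echo-style reply and the 6+2 byte reservation are assumptions modelled on the BSD telnet client and its fix, not taken from the page.

```c
/* Added example: telnet suboption decoder + bounded SLC reply model.
 * Assumptions: slc_reply[] is 128 bytes; the client answers every SLC
 * triplet with an echo of it (simplified); the check reserves 6 bytes for
 * the triplet (each IAC byte is doubled) plus 2 for the IAC SE trailer. */
#include <stddef.h>
#include <string.h>

enum { TELNET_SE = 240, TELNET_SB = 250, TELNET_WILL = 251, TELNET_WONT = 252,
       TELNET_DO = 253, TELNET_DONT = 254, TELNET_IAC = 255 };
enum { TELOPT_LINEMODE = 34, TELOPT_NEW_ENVIRON = 39, LM_SLC = 3 };
#define SLC_REPLY_SIZE 128            /* assumed size of the client's slc_reply[] */

/* Index of the first IAC SB in a raw stream, skipping IAC WILL/WONT/DO/DONT <opt>
 * (3 bytes) and other 2-byte IAC commands; -1 if there is none. */
static int telnet_find_sb(const unsigned char *s, size_t n)
{
    size_t i = 0;
    while (i + 1 < n) {
        if (s[i] != TELNET_IAC) { i++; continue; }
        if (s[i + 1] == TELNET_SB) return (int)i;
        i += (s[i + 1] >= TELNET_WILL && s[i + 1] <= TELNET_DONT) ? 3 : 2;
    }
    return -1;
}

/* Copy the payload of an IAC SB ... IAC SE frame into out, collapsing IAC IAC
 * to one 0xff byte.  Returns the payload length, or -1 if malformed/truncated. */
static int telnet_unframe_sb(const unsigned char *in, size_t inlen,
                             unsigned char *out, size_t outcap)
{
    size_t n = 0;
    if (inlen < 2 || in[0] != TELNET_IAC || in[1] != TELNET_SB) return -1;
    for (size_t i = 2; i < inlen; i++) {
        if (in[i] == TELNET_IAC) {
            if (++i >= inlen) return -1;
            if (in[i] == TELNET_SE) return (int)n;       /* end of suboption */
            if (in[i] != TELNET_IAC) return -1;          /* only IAC IAC is legal here */
        }
        if (n >= outcap) return -1;
        out[n++] = in[i];
    }
    return -1;                                           /* no IAC SE seen */
}

struct slc_reply {
    unsigned char buf[SLC_REPLY_SIZE];
    size_t len;          /* bytes written so far */
    size_t needed;       /* bytes an unchecked writer would have produced */
    int truncated;       /* set once a triplet is refused by the bound check */
};

static void slc_put(struct slc_reply *r, unsigned char b)
{
    r->buf[r->len++] = b;
    if (b == TELNET_IAC) r->buf[r->len++] = b;           /* IAC is doubled on the wire */
}

/* Model of slc_add_reply() with the bound check the fixes add: the triplet
 * (up to 6 bytes) plus the 2-byte trailer must fit, else the triplet is dropped. */
static void slc_add_reply(struct slc_reply *r, unsigned char func,
                          unsigned char flags, unsigned char value)
{
    r->needed += 3 + (func == TELNET_IAC) + (flags == TELNET_IAC) + (value == TELNET_IAC);
    if (r->len + 6 + 2 > sizeof r->buf) { r->truncated = 1; return; }
    slc_put(r, func); slc_put(r, flags); slc_put(r, value);
}

/* Handle one SB LINEMODE SLC frame: open the reply, answer each (func, flags,
 * value) triplet, close it.  Returns the triplet count, or -1 if not SLC. */
static int slc_handle_frame(const unsigned char *frame, size_t flen, struct slc_reply *r)
{
    unsigned char p[1024];
    int n = telnet_unframe_sb(frame, flen, p, sizeof p);
    if (n < 2 || p[0] != TELOPT_LINEMODE || p[1] != LM_SLC) return -1;
    memset(r, 0, sizeof *r);
    r->needed = 4;                                       /* IAC SB LINEMODE SLC */
    r->buf[r->len++] = TELNET_IAC; r->buf[r->len++] = TELNET_SB;
    r->buf[r->len++] = TELOPT_LINEMODE; r->buf[r->len++] = LM_SLC;
    int triplets = 0;
    for (int i = 2; i + 3 <= n; i += 3, triplets++)      /* partial trailing triplet ignored */
        slc_add_reply(r, p[i], p[i + 1], p[i + 2]);
    r->needed += 2;                                      /* IAC SE */
    r->buf[r->len++] = TELNET_IAC; r->buf[r->len++] = TELNET_SE;
    return triplets;
}

/* Constructed copy of the comment 16 payload: IAC, 43 x (SB LINEMODE SLC IAC IAC 3 3), IAC SE. */
static size_t build_slc_payload(unsigned char *out)
{
    static const unsigned char unit[] = { 0372, 042, 03, 0377, 0377, 03, 03 };
    size_t n = 0;
    out[n++] = 0377;
    for (int i = 0; i < 43; i++) { memcpy(out + n, unit, sizeof unit); n += sizeof unit; }
    out[n++] = 0377; out[n++] = 0360;
    return n;
}

/* Constructed copy of the comment 12 payload: IAC DO NEW-ENVIRON, IAC SB NEW-ENVIRON 1 3, 128 x 1, IAC SE. */
static size_t build_env_payload(unsigned char *out)
{
    static const unsigned char head[] = { 0xff, 0xfd, 0x27, 0xff, 0xfa, 0x27, 0x01, 0x03 };
    size_t n = sizeof head;
    memcpy(out, head, n);
    memset(out + n, 0x01, 128); n += 128;
    out[n++] = 0xff; out[n++] = 0xf0;
    return n;
}

/* Run the SLC test case through the checked model; returns triplets seen. */
static int demo_slc(struct slc_reply *r)
{
    unsigned char stream[512];
    size_t n = build_slc_payload(stream);
    int sb = telnet_find_sb(stream, n);
    return sb < 0 ? -1 : slc_handle_frame(stream + sb, n - sb, r);
}

/* Decode the NEW-ENVIRON test case: returns the option byte, payload length via out-param. */
static int demo_env(int *payload_len)
{
    unsigned char stream[512], p[512];
    size_t n = build_env_payload(stream);
    int sb = telnet_find_sb(stream, n);
    if (sb < 0) return -1;
    *payload_len = telnet_unframe_sb(stream + sb, n - sb, p, sizeof p);
    return *payload_len > 0 ? p[0] : -1;
}
```

With these assumptions the SLC payload needs 304 reply bytes against a 128-byte buffer; the checked model writes 125 bytes, drops the remaining triplets and flags the truncation, which is the property the slc_add_reply() patches restore. The same framing decoder is what a client runs before env_opt_add() is ever reached, so the NEW-ENVIRON payload decodes to option 39 with a 131-byte payload.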
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-03-29 03:36:28 UTC
I ran the solar designer test on netkit-telnet: apparently unaffected
Comment 18 solar (RETIRED) gentoo-dev 2005-03-29 14:51:09 UTC
Ok seems netkit-telnetd needed and got some love after all in ~arch.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 29 Mar 2005 11:10:01 +0200
Source: netkit-telnet
Binary: telnetd telnet
Architecture: source i386
Version: 0.17-28
Distribution: unstable
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description: 
 telnet     - The telnet client
 telnetd    - The telnet server
Changes: 
 netkit-telnet (0.17-28) unstable; urgency=high
 .
   * telnet/telnet.cc: Fixed buffer overflow in the handling of the
     LINEMODE suboptions in telnet clients (CAN-2005-0469).
     Thanks Martin 'Joey' Schulze for the patch.
Files: 
 e524a9c88fd2493f58445ae9e2690f39 601 net standard netkit-telnet_0.17-28.dsc
 32dfff6939e2c3e0d5fa727440b4085d 25764 net standard netkit-telnet_0.17-28.diff.gz
 95e3e22edb2832a2bef10eafecdbe140 64124 net standard telnet_0.17-28_i386.deb
 ccd5d36123dcb324857427869154dd3e 40992 net optional telnetd_0.17-28_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCSRyVxRSvjkukAcMRAv7fAJ0X/lTf4XLtJwzsJk2ECnGq6mWgwgCePC5M
sIJVAEsr0Ain1xKsUCRwOWc=
=62xg
-----END PGP SIGNATURE-----

netkit-telnetd-0.17-r6.ebuild added to the tree with -28 patch update from deb.
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-29 21:23:45 UTC
Handling netkit-telnetd buffer overflows on public bug #87211. This bug is now solely for the information disclosure.
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2005-06-07 04:45:52 UTC
Patch for the information disclosure thing, courtesy of Solar Designer / Openwall:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/~checkout~/Owl/packages/telnet/telnet-3.0-owl-env-export.diff?rev=HEAD;content-type=text%2Fplain
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2005-06-07 04:49:22 UTC
telnet clients already including the telnet-3.0-rh-env.diff (see comment #7) are
probably safe, as the patch in previous comment replaced the old
telnet-3.0-rh-env.diff.
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2005-06-12 02:50:53 UTC
Maintainers:

solar > net-misc/netkit-telnetd
vapier > net-misc/telnet-bsd
seemant > app-crypt/heimdal, app-crypt/mit-krb5

Please determine if the remaining information-disclosure problem (to be
disclosed Tuesday) needs to be fixed in your package(s) or if it is already done
(see previous comment).
Comment 23 Seemant Kulleen (RETIRED) gentoo-dev 2005-06-13 13:42:33 UTC
heimdal is fixed, because only 0.6.4 and up are in portage, which contain the
patch from upstream.  mit-krb5 is on 1.4.1 upstream which has the patch
incorporated.  our 1.4 of mit-krb5 gets patched during emerge anyway, but I'll
add 1.4.1 into portage shortly.

In summary: my packages (mit-krb5 and heimdal) are good to go.
Comment 24 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-14 12:52:03 UTC
net-misc/telnet-bsd 1.2 contains the fix, vapier please bump.
net-misc/netkit-telnetd has no Debian patch yet.
Comment 25 Thierry Carrez (RETIRED) gentoo-dev 2005-06-15 01:14:59 UTC
Now public, see bug 96156 for followups

*** This bug has been marked as a duplicate of 96156 ***