Bug 85461 - app-crypt/mit-krb5 buffer overflow in telnet client (Vendor-Sec)
Status: RESOLVED DUPLICATE of bug 87145
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: [] jaervosz CLASSIFIED
Keywords:
Depends on:
Blocks:
 
Reported: 2005-03-15 22:52 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2008-11-05 08:50 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-15 22:52:43 UTC
The MIT Kerberos Team has been informed by iDEFENSE of multiple buffer
overflows in the telnet client program shipped in the MIT krb5
distribution.  iDEFENSE has set the date of March 28, 2005 for
disclosure.  The draft advisory and preliminary patch are included.

Please let me know if you have any comments on the draft advisory.

DRAFT - DO NOT PUBLISH

                 MIT krb5 Security Advisory 2005-001

Original release:

Topic: Buffer overflows in telnet client

Severity: serious

SUMMARY
=======

The telnet client program supplied with MIT Kerberos 5 has buffer
overflows in the functions slc_add_reply() and env_opt_add(), which
may lead to remote code execution.

IMPACT
======

An attacker controlling or impersonating a telnet server may execute
arbitrary code with the privileges of the user running the telnet
client.  The attacker would need to convince the user to connect to a
malicious server, perhaps by automatically launching the client from a
web page.  Additional user interaction may not be required if the
attacker can get the user to view HTML containing an IFRAME tag
containing a "telnet:" URL pointing to a malicious server.

AFFECTED SOFTWARE
=================

* telnet client programs included with the MIT Kerberos 5
  implementation, up to and including release krb5-1.4.

* Other telnet client programs derived from the BSD telnet
  implementation may be vulnerable.

FIXES
=====

Workaround: Disable handling of "telnet:" URLs in web browsers, email
readers, etc.

Patches are in development.

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

[IDEF0866] Multiple Telnet Client slc_add_reply() Buffer Overflow
Vulnerability

CVE: CAN-2005-0469

[IDEF0867] Multiple Telnet Client env_opt_add() Buffer Overflow
Vulnerability

CVE: CAN-2005-0468

ACKNOWLEDGMENTS
===============

Thanks to iDEFENSE for notifying us of these vulnerabilities.

DETAILS
=======

The slc_add_reply() function in telnet.c performs inadequate length
checking.  By sending a carefully crafted telnet LINEMODE suboption
string, a malicious telnet server may cause a telnet client to
overflow a fixed-size data segment or BSS buffer and execute arbitrary
code.

The env_opt_add() function in telnet.c performs inadequate length
checking.  By sending a carefully crafted telnet NEW-ENVIRON suboption
string, a malicious telnet server may cause a telnet client to
overflow a heap buffer and execute arbitrary code.

REVISION HISTORY
================

Copyright (C) 2005 Massachusetts Institute of Technology

Index: telnet.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/appl/telnet/telnet/telnet.c,v
retrieving revision 5.18
diff -c -r5.18 telnet.c
*** telnet.c    15 Nov 2002 20:21:35 -0000      5.18
--- telnet.c    15 Mar 2005 18:59:32 -0000
***************
*** 1475,1480 ****
--- 1475,1482 ----
        unsigned char flags;
        cc_t value;
  {
+       if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply))
+               return;
        if ((*slc_replyp++ = func) == IAC)
                *slc_replyp++ = IAC;
        if ((*slc_replyp++ = flags) == IAC)
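Review bot: the constant 6 in `if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply))` needs a comment: it is the worst case for the three bytes this function appends (func, flags, value), each written twice when it equals IAC. Note also that the guard silently drops the triple and returns, so the caller never learns the reply was truncated, and that it compares a signed pointer difference with a size_t; a `(size_t)` cast on the difference would make the intent explicit.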
***************
*** 1488,1498 ****
  {
      register int len;

-     *slc_replyp++ = IAC;
-     *slc_replyp++ = SE;
      len = slc_replyp - slc_reply;
!     if (len <= 6)
        return;
      if (NETROOM() > len) {
        ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
        printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
--- 1490,1501 ----
  {
      register int len;

      len = slc_replyp - slc_reply;
!     if (len <= 4 || (len + 2 > sizeof(slc_reply)))
        return;
+     *slc_replyp++ = IAC;
+     *slc_replyp++ = SE;
+     len += 2;
      if (NETROOM() > len) {
        ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
        printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
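Review bot: the new `len + 2 > sizeof(slc_reply)` branch is reachable, since slc_add_reply() reserves only 6 bytes before each triple and can therefore leave the buffer completely full; when it fires, every triple already accepted is thrown away without any reply going out. Reserving 8 bytes in slc_add_reply() (6 for the triple plus 2 for the IAC SE appended here) would make this condition unreachable and keep the two checks consistent. Moving the IAC SE append after the check and the `len <= 4` test (the old `len <= 6` minus the two terminator bytes) is correct. `len` is still a `register int` compared against `sizeof`; a size_t would avoid the mixed-signedness comparison.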
***************
*** 1645,1650 ****
--- 1648,1654 ----
        register unsigned char *ep;
  {
        register unsigned char *vp, c;
+       unsigned int len, olen, elen;

        if (opt_reply == NULL)          /*XXX*/
                return;                 /*XXX*/
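Review bot: `len`, `olen` and `elen` are declared `unsigned int` but hold pointer differences and are passed to realloc(), so size_t is the matching type and avoids truncation on 64-bit targets. A one-line comment on what each holds (total buffer size, current offset, bytes needed for this entry) would help, since the old code kept `len` local to the realloc block.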
***************
*** 1662,1680 ****
                return;
        }
        vp = env_getvalue(ep);
!       if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
!                               strlen((char *)ep) + 6 > opt_replyend)
        {
!               register unsigned int len;
!               opt_replyend += OPT_REPLY_SIZE;
!               len = opt_replyend - opt_reply;
                opt_reply = (unsigned char *)realloc(opt_reply, len);
                if (opt_reply == NULL) {
  /*@*/                 printf("env_opt_add: realloc() failed!!!\n");
                        opt_reply = opt_replyp = opt_replyend = NULL;
                        return;
                }
!               opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
                opt_replyend = opt_reply + len;
        }
        if (opt_welldefined((char *) ep))
--- 1666,1684 ----
                return;
        }
        vp = env_getvalue(ep);
!       elen = 2 * (vp ? strlen((char *)vp) : 0) +
!               2 * strlen((char *)ep) + 6;
!       if ((opt_replyend - opt_replyp) < elen)
        {
!               len = opt_replyend - opt_reply + elen;
!               olen = opt_replyp - opt_reply;
                opt_reply = (unsigned char *)realloc(opt_reply, len);
                if (opt_reply == NULL) {
  /*@*/                 printf("env_opt_add: realloc() failed!!!\n");
                        opt_reply = opt_replyp = opt_replyend = NULL;
                        return;
                }
!               opt_replyp = opt_reply + olen;
                opt_replyend = opt_reply + len;
        }
        if (opt_welldefined((char *) ep))
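Review bot: `(opt_replyend - opt_replyp) < elen` compares a ptrdiff_t with an unsigned int and is only safe because opt_replyp never passes opt_replyend; a cast or a comment should state that invariant. The growth `len = opt_replyend - opt_reply + elen` is the real fix (the old fixed OPT_REPLY_SIZE step could be smaller than a single escaped name/value pair, and the old length test did not account for IAC doubling at all), and it deserves a comment saying that elen doubles both strlen() results because every IAC byte in the name or value is sent as IAC IAC. The realloc() failure path still assigns NULL over opt_reply and leaks the old block; assign to a temporary and only replace opt_reply on success.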
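As an added example (not MIT's code and not part of this bug's attachments), the C model below reproduces the growth of the fixed-size slc_reply[] buffer that the advisory's DETAILS section describes for slc_add_reply(), and the two checks the patch adds in slc_add_reply() and slc_end_reply(). The 128-byte buffer size, the LINEMODE/SLC option numbers and the simplification that the client acknowledges every received triple are assumptions (the real handler replies only for some triples). The accumulator is deliberately oversized so the unpatched path only counts the bytes that would have landed past the buffer instead of corrupting this program's own memory.

```c
/* Added example, not MIT's code: models slc_reply[] growth in the telnet
 * client for a LINEMODE SLC suboption, unpatched vs. patched.
 * Assumptions: slc_reply[] is 128 bytes; one reply triple per received
 * triple; shadow storage is oversized so nothing here is really overflowed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IAC 255
#define SB  250
#define SE  240
#define TELOPT_LINEMODE 34
#define LM_SLC 3
#define SLC_REPLY_SIZE 128      /* assumed: sizeof(slc_reply) in telnet.c */

struct slc_acc {
    unsigned char buf[SLC_REPLY_SIZE * 8]; /* shadow storage, deliberately oversized */
    size_t written;   /* where slc_replyp would point: bytes emitted so far */
    size_t dropped;   /* triples refused by the patched length check */
    int patched;      /* 0: pre-patch behaviour, 1: with the advisory's checks */
};

/* slc_start_reply(): IAC SB LINEMODE SLC header, 4 bytes */
static void slc_start(struct slc_acc *a, int patched)
{
    memset(a, 0, sizeof *a);
    a->patched = patched;
    a->buf[0] = IAC; a->buf[1] = SB;
    a->buf[2] = TELOPT_LINEMODE; a->buf[3] = LM_SLC;
    a->written = 4;
}

/* Record one byte; only the counter advances once the shadow storage is full. */
static void emit(struct slc_acc *a, unsigned char c)
{
    if (a->written < sizeof a->buf)
        a->buf[a->written] = c;
    a->written++;
}

/* A data byte equal to IAC is escaped by doubling, so one triple can cost
 * up to 6 bytes: that is the 6 in the patch's slc_add_reply() check. */
static void emit_escaped(struct slc_acc *a, unsigned char c)
{
    emit(a, c);
    if (c == IAC)
        emit(a, IAC);
}

/* slc_add_reply(): unpatched writes blindly, patched refuses when < 6 bytes remain */
static void slc_add(struct slc_acc *a, unsigned char func,
                    unsigned char flags, unsigned char value)
{
    if (a->patched && a->written + 6 > SLC_REPLY_SIZE) {
        a->dropped++;           /* silently dropped, as in the patch */
        return;
    }
    emit_escaped(a, func);
    emit_escaped(a, flags);
    emit_escaped(a, value);
}

/* slc_end_reply(): append the IAC SE terminator (never escaped) */
static void slc_end(struct slc_acc *a)
{
    if (a->patched && (a->written <= 4 || a->written + 2 > SLC_REPLY_SIZE))
        return;                 /* patched: empty reply or no room, drop it */
    emit(a, IAC);
    emit(a, SE);
}

/* Feed the de-escaped SLC payload of 'len' bytes, i.e. what slc() sees after
 * the telnet layer has removed IAC doubling: (func, flags, value) triples.
 * Returns how many reply bytes would land past the end of slc_reply[]. */
static size_t process_slc(const unsigned char *payload, size_t len,
                          int patched, struct slc_acc *a)
{
    slc_start(a, patched);
    for (size_t i = 0; i + 3 <= len; i += 3)
        slc_add(a, payload[i], payload[i + 1], payload[i + 2]);
    slc_end(a);
    return a->written > SLC_REPLY_SIZE ? a->written - SLC_REPLY_SIZE : 0;
}

/* Constructed attacker payload: 'ntriples' triples filled with 'fill'.
 * fill == IAC is the worst case because every reply byte is doubled. */
static size_t build_slc_payload(unsigned char *out, size_t cap,
                                size_t ntriples, unsigned char fill)
{
    size_t n = ntriples * 3;
    if (n > cap)
        n = cap - cap % 3;
    memset(out, fill, n);
    return n;
}

int main(void)
{
    unsigned char payload[600];
    struct slc_acc a;
    size_t n = build_slc_payload(payload, sizeof payload, 50, 0x01);
    size_t past = process_slc(payload, n, 0, &a);
    printf("50 plain triples, unpatched: %zu bytes past slc_reply[]\n", past);
    past = process_slc(payload, n, 1, &a);
    printf("50 plain triples, patched:   %zu past, %zu triples dropped\n", past, a.dropped);
    n = build_slc_payload(payload, sizeof payload, 50, IAC);
    past = process_slc(payload, n, 0, &a);
    printf("50 IAC triples, unpatched:   %zu bytes past slc_reply[]\n", past);
    past = process_slc(payload, n, 1, &a);
    printf("50 IAC triples, patched:     %zu past, %zu triples dropped\n", past, a.dropped);
    return 0;
}
```

Fifty plain triples already overrun the assumed 128-byte buffer by 28 bytes (4 header + 150 + 2 terminator), and fifty all-IAC triples by 178 because each byte is escaped to two; with the patched checks the same payloads stop at 126 bytes and the surplus triples are dropped rather than written. The model also shows why the patch's slc_end_reply() check can still fire: slc_add_reply() reserves only the 6 bytes of a triple, not the 2 of the terminator.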
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-03-16 01:06:22 UTC
It's a dupe from bug 83596
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-25 07:00:54 UTC
rphillips, please attach an updated ebuild to this bug. Do not commit anything yet.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-28 11:11:37 UTC
vapier/solar, could you look into this?
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-29 10:47:10 UTC
New public bug opened #87145. Keeping this restricted at the request of MIT.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-29 10:55:11 UTC

*** This bug has been marked as a duplicate of 87145 ***