The MIT Kerberos Team has been informed by iDEFENSE of multiple buffer overflows in the telnet client program shipped in the MIT krb5 distribution. iDEFENSE has set the date of March 28, 2005 for disclosure. The draft advisory and preliminary patch are included. Please let me know if you have any comments on the draft advisory.

DRAFT - DO NOT PUBLISH

MIT krb5 Security Advisory 2005-001

Original release:

Topic: Buffer overflows in telnet client

Severity: serious

SUMMARY
=======

The telnet client program supplied with MIT Kerberos 5 has buffer overflows in the functions slc_add_reply() and env_opt_add(), which may lead to remote code execution.

IMPACT
======

An attacker controlling or impersonating a telnet server may execute arbitrary code with the privileges of the user running the telnet client. The attacker would need to convince the user to connect to a malicious server, perhaps by automatically launching the client from a web page. Additional user interaction may not be required if the attacker can get the user to view HTML containing an IFRAME tag containing a "telnet:" URL pointing to a malicious server.

AFFECTED SOFTWARE
=================

* telnet client programs included with the MIT Kerberos 5 implementation, up to and including release krb5-1.4.

* Other telnet client programs derived from the BSD telnet implementation may be vulnerable.

FIXES
=====

Workaround: Disable handling of "telnet:" URLs in web browsers, email readers, etc.

Patches are in development.
REFERENCES
==========

This announcement and related security advisories may be found on the MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

[IDEF0866] Multiple Telnet Client slc_add_reply() Buffer Overflow Vulnerability
CVE: CAN-2005-0469

[IDEF0867] Multiple Telnet Client env_opt_add() Buffer Overflow Vulnerability
CVE: CAN-2005-0468

ACKNOWLEDGMENTS
===============

Thanks to iDEFENSE for notifying us of these vulnerabilities.

DETAILS
=======

The slc_add_reply() function in telnet.c performs inadequate length checking. By sending a carefully crafted telnet LINEMODE suboption string, a malicious telnet server may cause a telnet client to overflow a fixed-size data segment or BSS buffer and execute arbitrary code.

The env_opt_add() function in telnet.c performs inadequate length checking. By sending a carefully crafted telnet NEW-ENVIRON suboption string, a malicious telnet server may cause a telnet client to overflow a heap buffer and execute arbitrary code.

REVISION HISTORY
================

Copyright (C) 2005 Massachusetts Institute of Technology

Index: telnet.c =================================================================== RCS file: /cvs/krbdev/krb5/src/appl/telnet/telnet/telnet.c,v retrieving revision 5.18 diff -c -r5.18 telnet.c *** telnet.c 15 Nov 2002 20:21:35 -0000 5.18 --- telnet.c 15 Mar 2005 18:59:32 -0000 *************** *** 1475,1480 **** --- 1475,1482 ---- unsigned char flags; cc_t value; { + if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply)) + return; if ((*slc_replyp++ = func) == IAC) *slc_replyp++ = IAC; if ((*slc_replyp++ = flags) == IAC) *************** *** 1488,1498 **** { register int len; - *slc_replyp++ = IAC; - *slc_replyp++ = SE; len = slc_replyp - slc_reply; ! 
if (len <= 6) return; if (NETROOM() > len) { ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply); printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2); --- 1490,1501 ---- { register int len; len = slc_replyp - slc_reply; ! if (len <= 4 || (len + 2 > sizeof(slc_reply))) return; + *slc_replyp++ = IAC; + *slc_replyp++ = SE; + len += 2; if (NETROOM() > len) { ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply); printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2); *************** *** 1645,1650 **** --- 1648,1654 ---- register unsigned char *ep; { register unsigned char *vp, c; + unsigned int len, olen, elen; if (opt_reply == NULL) /*XXX*/ return; /*XXX*/ *************** *** 1662,1680 **** return; } vp = env_getvalue(ep); ! if (opt_replyp + (vp ? strlen((char *)vp) : 0) + ! strlen((char *)ep) + 6 > opt_replyend) { ! register unsigned int len; ! opt_replyend += OPT_REPLY_SIZE; ! len = opt_replyend - opt_reply; opt_reply = (unsigned char *)realloc(opt_reply, len); if (opt_reply == NULL) { /*@*/ printf("env_opt_add: realloc() failed!!!\n"); opt_reply = opt_replyp = opt_replyend = NULL; return; } ! opt_replyp = opt_reply + len - (opt_replyend - opt_replyp); opt_replyend = opt_reply + len; } if (opt_welldefined((char *) ep)) --- 1666,1684 ---- return; } vp = env_getvalue(ep); ! elen = 2 * (vp ? strlen((char *)vp) : 0) + ! 2 * strlen((char *)ep) + 6; ! if ((opt_replyend - opt_replyp) < elen) { ! len = opt_replyend - opt_reply + elen; ! olen = opt_replyp - opt_reply; opt_reply = (unsigned char *)realloc(opt_reply, len); if (opt_reply == NULL) { /*@*/ printf("env_opt_add: realloc() failed!!!\n"); opt_reply = opt_replyp = opt_replyend = NULL; return; } ! opt_replyp = opt_reply + olen; opt_replyend = opt_reply + len; } if (opt_welldefined((char *) ep))
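Review bot: in the slc_add_reply() hunk (1475,1480), the new guard `if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply)) return;` reserves the worst case (three bytes, each doubled when it equals IAC) but drops the entry silently, so the SLC reply sent back will be missing functions with no diagnostic; a one-line comment explaining the constant 6 would help the next reader, and since the expression compares a ptrdiff_t with a size_t, a cast to size_t keeps -Wsign-compare quiet.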
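Review bot: in the slc_end_reply() hunk (1488,1498), moving the IAC SE append after the length check is the right fix, but `len` is still `register int` while `len + 2 > sizeof(slc_reply)` compares it against a size_t; declaring `len` as size_t or casting avoids the signed/unsigned comparison. The threshold change from `len <= 6` to `len <= 4` is consistent with IAC SE no longer being counted at that point; a comment stating that 4 is the length of the reply header would make that non-obvious constant self-explaining.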
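Review bot: in the env_opt_add() declaration hunk (1645,1650), `len`, `olen` and `elen` become function-scope `unsigned int`; the old block-scope `register unsigned int len` goes away in the following hunk, so that is consistent, but `elen` is later compared with the pointer difference `opt_replyend - opt_replyp` (ptrdiff_t), which is converted to unsigned for the comparison. That is correct only while opt_replyp never exceeds opt_replyend; a comment, or making the three variables size_t, would document that assumption.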
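Review bot: in the env_opt_add() growth hunk (1662,1680), the new budget `elen = 2 * (vp ? strlen((char *)vp) : 0) + 2 * strlen((char *)ep) + 6` correctly allows for every name and value byte being IAC-doubled, and computing `olen = opt_replyp - opt_reply` before the realloc() removes the old code's arithmetic on `opt_replyp`/`opt_replyend` after the buffer has moved. Two remaining points: the buffer now grows by exactly `elen` per call, so a long environment list triggers one realloc() per variable (rounding `len` up to a multiple of OPT_REPLY_SIZE would keep the previous amortisation), and on realloc() failure the old block is leaked because `opt_reply` is overwritten before the NULL check, as it was before the patch.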
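The fixed-size SLC reply buffer that the DETAILS section and the first two hunks concern, modelled as an added example (this is not MIT's telnet.c; the constants and the deliberately tiny SLC_REPLY_SIZE are assumptions). It shows why each triplet needs a six-byte reservation (every byte equal to IAC is doubled on the wire) and why the terminator needs its own check.

```c
#include <stdio.h>

/* Constructed model of telnet's fixed SLC reply buffer; not MIT's telnet.c. */
#define IAC 255
#define SB  250
#define SE  240
#define TELOPT_LINEMODE 34
#define LINEMODE_SLC 3
#define SLC_REPLY_SIZE 16 /* assumed; kept tiny so the bound is reached quickly */

static unsigned char slc_reply[SLC_REPLY_SIZE];
static unsigned char *slc_replyp = slc_reply;

/* Begin a reply with the 4-byte IAC SB LINEMODE SLC header. */
void slc_start_reply(void)
{
    slc_replyp = slc_reply;
    *slc_replyp++ = IAC;
    *slc_replyp++ = SB;
    *slc_replyp++ = TELOPT_LINEMODE;
    *slc_replyp++ = LINEMODE_SLC;
}

/* Append one func/flags/value triplet, doubling each 0xFF byte as telnet
 * requires; the worst case is 6 bytes, so refuse the entry when fewer
 * remain rather than writing past the array.  Returns 1 if appended. */
int slc_add_reply(unsigned char func, unsigned char flags, unsigned char value)
{
    if ((size_t)(slc_replyp - slc_reply) + 6 > sizeof(slc_reply))
        return 0;
    if ((*slc_replyp++ = func) == IAC)  *slc_replyp++ = IAC;
    if ((*slc_replyp++ = flags) == IAC) *slc_replyp++ = IAC;
    if ((*slc_replyp++ = value) == IAC) *slc_replyp++ = IAC;
    return 1;
}

/* Terminate with IAC SE only if it fits.  Returns the total length, or 0
 * when there is nothing to send (header only) or no room for IAC SE. */
size_t slc_end_reply(void)
{
    size_t len = (size_t)(slc_replyp - slc_reply);
    if (len <= 4 || len + 2 > sizeof(slc_reply))
        return 0;
    *slc_replyp++ = IAC;
    *slc_replyp++ = SE;
    return len + 2;
}
```

With a 16-byte buffer, two all-IAC triplets fill it completely, a third is refused, and slc_end_reply() then reports 0 because the terminator cannot be placed.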
It's a dupe from bug 83596
rphillips, please attach an updated ebuild to this bug. Do not commit anything yet.
vapier/solar, could you look into this?
New public bug opened #87145. Keeping this restricted at the request of MIT.
*** This bug has been marked as a duplicate of 87145 ***