Bug 97103 - net-misc/netkit-telnetd information disclosure (CAN-2005-0488)
Summary: net-misc/netkit-telnetd information disclosure (CAN-2005-0488)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Other
Importance: High minor
Assignee: Gentoo Security
URL: http://www.idefense.com/application/p...
Whiteboard: B4 [upstream]
Reported: 2005-06-26 03:54 UTC by Thierry Carrez (RETIRED)
Modified: 2005-06-30 09:03 UTC
Description Thierry Carrez (RETIRED) gentoo-dev 2005-06-26 03:54:40 UTC
netkit-telnetd /might/ be affected; apparently there is no Debian patchset for this (small) vulnerability yet:

=============
Multiple Vendor Telnet Client Information Disclosure Vulnerability

iDEFENSE Security Advisory 06.14.05
www.idefense.com/application/poi/display?id=260&type=vulnerabilities
June 14, 2005

I. BACKGROUND

The TELNET protocol allows virtual network terminals to be connected to 
over the internet. The initial description of the telnet protocol was 
given in RFC854 in May 1983. Since then there have been many extra 
features added including encryption. 

II. DESCRIPTION

Remote exploitation of an input validation error in multiple telnet 
clients could allow an attacker to gain sensitive information about the 
victim's system.

The vulnerability specifically exists in the handling of the NEW-ENVIRON 
command.

In order to exploit this vulnerability, a malicious server can send a 
connected client the following telnet command:

SB NEW-ENVIRON SEND ENV_USERVAR <name of environment variable> SE

Vulnerable telnet clients will send the contents of the reference 
environment variable, which may contain information useful to an 
attacker. The expected behavior would be only to send environment 
variables related directly to the operation of the telnet client (for 
example, TERM), or those specifically allowed by the user.
=============================
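The expected client behavior described in the advisory, as an added example that is not part of the original report or of netkit-telnet's code: a handler for the NEW-ENVIRON SEND payload that answers only for allowlisted variables. The allowlist, the `demo_env` lookup (constructed values standing in for `getenv`) and the function names are assumptions; the option codes are those of RFC 1572, and IAC framing is assumed to be handled by the caller.

```c
#include <stddef.h>
#include <string.h>

/* NEW-ENVIRON codes (RFC 1572) */
enum { ENV_IS = 0, ENV_SEND = 1, ENV_VAR = 0, ENV_VALUE = 1, ENV_ESC = 2, ENV_USERVAR = 3 };

/* Hypothetical allowlist: variables the client needs or the user exported. */
static const char *const allowed[] = { "TERM", "DISPLAY", "USER", NULL };

/* Constructed sample environment standing in for getenv(). */
static const char *demo_env(const char *name) {
    if (strcmp(name, "TERM") == 0) return "xterm";
    if (strcmp(name, "SECRET_TOKEN") == 0) return "constructed-secret";
    return NULL;
}

static int is_allowed(const char *name) {
    for (size_t i = 0; allowed[i]; i++)
        if (strcmp(name, allowed[i]) == 0) return 1;
    return 0;
}

/* req: bytes between "IAC SB NEW-ENVIRON" and "IAC SE", starting with SEND.
 * Writes the IS payload into out; returns its length, or 0 on bad input. */
size_t build_env_reply(const unsigned char *req, size_t n, unsigned char *out, size_t cap) {
    size_t i = 1, o = 0;
    if (n < 1 || req[0] != ENV_SEND || cap < 1) return 0;
    out[o++] = ENV_IS;
    while (i < n) {
        unsigned char type = req[i++];
        char name[64];
        size_t len = 0;
        if (type != ENV_VAR && type != ENV_USERVAR) return 0;
        while (i < n && req[i] != ENV_VAR && req[i] != ENV_USERVAR) {
            if (req[i] == ENV_VALUE) return 0;            /* VALUE is invalid in SEND */
            if (req[i] == ENV_ESC && ++i >= n) return 0;  /* ESC needs a following byte */
            if (req[i] == '\0' || len + 1 >= sizeof name) return 0;
            name[len++] = (char)req[i++];
        }
        name[len] = '\0';
        /* Empty names ("send everything") and unlisted names get no answer. */
        const char *val = is_allowed(name) ? demo_env(name) : NULL;
        if (!val) continue;
        size_t vlen = strlen(val);
        if (o + len + 2 * vlen + 2 > cap) return 0;
        out[o++] = type;
        memcpy(out + o, name, len); o += len;
        out[o++] = ENV_VALUE;
        for (size_t k = 0; k < vlen; k++) {               /* escape bytes 0..3 in values */
            if ((unsigned char)val[k] <= ENV_USERVAR) out[o++] = ENV_ESC;
            out[o++] = (unsigned char)val[k];
        }
    }
    return o;
}
```
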
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-06-26 03:56:57 UTC
solar: could you have a look and confirm that we are indeed affected? Maybe the
Debian patchset already includes the old RH patch...
Comment 2 solar (RETIRED) gentoo-dev 2005-06-26 20:38:27 UTC
I expect to be a little busy most of the week. If anybody else can take a peek
that would be great.

Being that we base our netkit on deb's package and Ubuntu is based on deb, we are
probably ok. But I can't confirm right away.

- Ubuntu
Ubuntu supports and ships netkit-telnet, which has been patched to not
disclose arbitrary environment variables for a long time now. The krb5
version is also available in the archive, however, it is unsupported and
there will not be an official advisory for it. It will most likely be
fixed by the community.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-06-30 09:03:17 UTC
AFAICT the info disclosure is already fixed in that package.