CPNI - Centre for the Protection of National Infrastructure

March 2005

MIT Security Advisory: 2005-001 - krb5

ID: 00257
Ref: 236/2005
Date: 30 March 2005 14:00:47
Version: 1

Title: MIT Security Advisory: 2005-001 - krb5
Abstract: The telnet client program supplied with MIT Kerberos 5 has buffer overflows in the functions slc_add_reply() and env_opt_add(), which may lead to remote code execution.
Vendors affected: MIT
Operating systems affected: MIT
Applications affected: MIT

Title
=====

MIT Security Advisory: 2005-001 - krb5

Detail
======

The telnet client program supplied with MIT Kerberos 5 has buffer
overflows in the functions slc_add_reply() and env_opt_add(), which
may lead to remote code execution.
- -----BEGIN PGP SIGNED MESSAGE-----

MIT krb5 Security Advisory 2005-001

Original release: 2005-03-28

Topic: Buffer overflows in telnet client

Severity: serious

SUMMARY
=======

The telnet client program supplied with MIT Kerberos 5 has buffer
overflows in the functions slc_add_reply() and env_opt_add(), which
may lead to remote code execution.

IMPACT
======

An attacker controlling or impersonating a telnet server may execute
arbitrary code with the privileges of the user running the telnet
client. The attacker would need to convince the user to connect to a
malicious server, perhaps by automatically launching the client from a
web page. Additional user interaction may not be required if the
attacker can get the user to view HTML containing an IFRAME tag
containing a "telnet:" URL pointing to a malicious server.

AFFECTED SOFTWARE
=================

* telnet client programs included with the MIT Kerberos 5
implementation, up to and including release krb5-1.4.

* Other telnet client programs derived from the BSD telnet
implementation may be vulnerable.

FIXES
=====

* WORKAROUND: Disable handling of "telnet:" URLs in web browsers,
email readers, etc., or remove execute permissions from the telnet
client program.

* The upcoming krb5-1.4.1 patch release will contain fixes for this
problem.

* Apply the patch found at:

http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt

The associated detached PGP signature is at:

http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt.asc

The patch was generated against the krb5-1.4 release. It may apply
against earlier releases with some offset.

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

[IDEF0866] Multiple Telnet Client slc_add_reply() Buffer Overflow
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities

CVE: CAN-2005-0469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469

[IDEF0867] Multiple Telnet Client env_opt_add() Buffer Overflow
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities

CVE: CAN-2005-0468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468

ACKNOWLEDGMENTS
===============

Thanks to iDEFENSE for notifying us of these vulnerabilities, and for
providing useful feedback.

DETAILS
=======

The slc_add_reply() function in telnet.c performs inadequate length
checking. By sending a carefully crafted telnet LINEMODE suboption
string, a malicious telnet server may cause a telnet client to
overflow a fixed-size data segment or BSS buffer and execute arbitrary
code.

The env_opt_add() function in telnet.c performs inadequate length
checking. By sending a carefully crafted telnet NEW-ENVIRON suboption
string, a malicious telnet server may cause a telnet client to
overflow a heap buffer and execute arbitrary code.
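Both defects described above share one fault class: a reply builder that appends suboption bytes to a fixed buffer without comparing the write position against the buffer's end, so a server-chosen suboption length decides how far past the buffer the client writes. The following C program is an added illustration, not code from the MIT krb5 telnet client or from its patch: it builds LINEMODE SLC and NEW-ENVIRON IS replies with the same protocol rules (RFC 1184 SLC triples, RFC 1572 escaping, IAC doubling) but computes the escaped size of each item before writing it and refuses, leaving the buffer untouched, when the item would not fit. The names `reply_buf`, `slc_add_reply_checked`, `env_opt_add_checked`, `reply_begin` and `reply_end` are hypothetical, and the 64-byte capacity is chosen deliberately small so the limit is exercised.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Telnet constants (RFC 854, RFC 1184 LINEMODE, RFC 1572 NEW-ENVIRON). */
#define TELNET_IAC      255
#define TELNET_SB       250
#define TELNET_SE       240
#define OPT_LINEMODE     34
#define OPT_NEW_ENVIRON  39
#define LM_SLC            3
#define NE_IS             0
#define NE_VAR            0
#define NE_VALUE          1
#define NE_ESC            2
#define NE_USERVAR        3

/* Hypothetical reply buffer (added example, not the MIT code). The capacity is
 * fixed and the write position is carried with it, so every append can be
 * checked. The advisory's fault class is the opposite arrangement: a fixed
 * buffer and a bare write pointer advanced without a check against its end. */
#define REPLY_CAP 64
typedef struct {
    unsigned char buf[REPLY_CAP];
    size_t len;
} reply_buf;

void reply_init(reply_buf *r) { r->len = 0; }

/* Single-byte append; callers reserve space before calling it. */
static void reply_put(reply_buf *r, unsigned char c) { r->buf[r->len++] = c; }

/* Start and finish a suboption frame: IAC SB <opt> <sub> ... IAC SE. */
int reply_begin(reply_buf *r, unsigned char opt, unsigned char sub) {
    if (REPLY_CAP - r->len < 4) return -1;
    reply_put(r, TELNET_IAC); reply_put(r, TELNET_SB);
    reply_put(r, opt);        reply_put(r, sub);
    return 0;
}
int reply_end(reply_buf *r) {
    if (REPLY_CAP - r->len < 2) return -1;
    reply_put(r, TELNET_IAC); reply_put(r, TELNET_SE);
    return 0;
}

/* Append one SLC triple (function, modifier flags, level octet) to a LINEMODE
 * SLC reply. An IAC octet inside the suboption is doubled, so a triple needs
 * 3..6 bytes. Returns 0 on success, -1 (buffer untouched) if it does not fit. */
int slc_add_reply_checked(reply_buf *r, unsigned char func,
                          unsigned char flags, unsigned char level) {
    const unsigned char t[3] = { func, flags, level };
    size_t need = 0;
    for (int i = 0; i < 3; i++) need += (t[i] == TELNET_IAC) ? 2 : 1;
    if (REPLY_CAP - r->len < need) return -1;
    for (int i = 0; i < 3; i++) {
        reply_put(r, t[i]);
        if (t[i] == TELNET_IAC) reply_put(r, TELNET_IAC);
    }
    return 0;
}

/* Bytes needed for one octet inside NEW-ENVIRON: IAC is doubled, and the
 * VAR/VALUE/ESC/USERVAR codes (0..3) are prefixed with ESC (RFC 1572). */
static size_t ne_escaped_len(unsigned char c) {
    return (c == TELNET_IAC || c <= NE_USERVAR) ? 2 : 1;
}
static void ne_put_escaped(reply_buf *r, unsigned char c) {
    if (c == TELNET_IAC) reply_put(r, TELNET_IAC);
    else if (c <= NE_USERVAR) reply_put(r, NE_ESC);
    reply_put(r, c);
}

/* Append "VAR name VALUE value" to a NEW-ENVIRON IS reply. The escaped size is
 * computed first; returns 0 on success, -1 (buffer untouched) if it would
 * not fit. Lengths are explicit so values may contain any octet, 0 included. */
int env_opt_add_checked(reply_buf *r, const unsigned char *name, size_t nlen,
                        const unsigned char *value, size_t vlen) {
    size_t need = 2;  /* VAR and VALUE markers */
    for (size_t i = 0; i < nlen; i++) need += ne_escaped_len(name[i]);
    for (size_t i = 0; i < vlen; i++) need += ne_escaped_len(value[i]);
    if (REPLY_CAP - r->len < need) return -1;
    reply_put(r, NE_VAR);
    for (size_t i = 0; i < nlen; i++) ne_put_escaped(r, name[i]);
    reply_put(r, NE_VALUE);
    for (size_t i = 0; i < vlen; i++) ne_put_escaped(r, value[i]);
    return 0;
}

int main(void) {
    reply_buf r;
    unsigned char big[60];
    memset(big, 'A', sizeof big);           /* constructed overlong value */
    reply_init(&r);
    reply_begin(&r, OPT_NEW_ENVIRON, NE_IS);
    env_opt_add_checked(&r, (const unsigned char *)"USER", 4,
                            (const unsigned char *)"bob", 3);
    int rc = env_opt_add_checked(&r, (const unsigned char *)"X", 1, big, sizeof big);
    reply_end(&r);
    printf("overlong value refused: %s; reply is %zu bytes:", rc == -1 ? "yes" : "no", r.len);
    for (size_t i = 0; i < r.len; i++) printf(" %02x", r.buf[i]);
    printf("\n");
    return 0;
}
```

The check is made against the escaped size, not the raw length of the item: a value made entirely of IAC or of the four NEW-ENVIRON control codes doubles in size on the wire, and a length test done before escaping would still let the writer run past the buffer.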

REVISION HISTORY
================

2005-03-28 original release

Copyright (C) 2005 Massachusetts Institute of Technology
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)

iQCVAwUBQkiLWqbDgE/zdoE9AQFSsgQAua79YPzliPsWCnWTBWNkk9DZnME4RYNu
lmBkFlM2u/zaEAKQaml8QJ8k3TQ5WB0GztqSOEIWuG5ZahyOZQefrGCCHuD2JKFZ
g4q6PNM7dvbUCBB9HcR+GHlgr+01ofMjVuhhZ8Rj0icqCs5MojP5+0VSqr94w1zv
MS06L8DXn00=
=LT9x
- -----END PGP SIGNATURE-----