MIT Kerberos 5 remote code execution

The telnet client program in NetBSD, supporting MIT Kerberos 5 authentication, contains several buffer overflows that can be triggered when connecting to a malicious telnet server. When exploited, these overflows can lead to remote code execution.

  • Vendor: NetBSD
  • Vendor ID: 2005-004
  • Date: November 08, 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


NetBSD Security Advisory 2005-004
=================================

Topic: Buffer overflows in MIT Kerberos 5 telnet client

Version:        NetBSD-current: source prior to April 1, 2005
                NetBSD 2.1:     not affected
                NetBSD 2.0.3:   not affected
                NetBSD 2.0.2:   affected
                NetBSD 2.0:     affected
                NetBSD 1.6.2:   affected
                NetBSD 1.6.1:   affected
                NetBSD 1.6:     affected

Severity: Remote code execution if connected to malicious server

Fixed:          NetBSD-current:         April 1, 2005
                NetBSD-3 branch:        April 8, 2005
                                        (3.0 will include the fix)
                NetBSD-2.0 branch:      April 8, 2005
                                        (2.0.3 includes the fix)
                NetBSD-2 branch:        April 8, 2005
                                        (2.1 includes the fix)
                NetBSD-1.6 branch:      April 8, 2005


Abstract
========

The telnet client program in NetBSD, supporting MIT Kerberos 5
authentication, contains several buffer overflows that can be triggered
when connecting to a malicious telnet server. When exploited, these
overflows can lead to remote code execution.


Technical Details
=================

The slc_add_reply() and env_opt_add() functions in telnet.c perform
inadequate length checking. slc_add_reply() may overflow a fixed-size
data segment or BSS buffer when receiving a maliciously crafted telnet
LINEMODE suboption string. env_opt_add() may overflow a heap buffer when
receiving a maliciously crafted telnet NEW-ENVIRON suboption string.

Both overflows may lead to arbitrary code execution.
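
The kind of length check the slc_add_reply() description calls for, as an added example (not code from NetBSD's telnet.c or from MIT): telnet doubles every IAC (255) byte inside a suboption, so a server-chosen triplet can occupy up to 6 bytes, and the check must reserve that worst case before writing. The struct, function names and the 128-byte size are assumptions for illustration.

```c
#include <stddef.h>

#define IAC 255            /* telnet "interpret as command" byte */
#define SLC_REPLY_MAX 128  /* assumed fixed reply-buffer size */

/* Hypothetical bounded reply buffer; suboption framing bytes are not modeled. */
struct slc_reply {
    unsigned char buf[SLC_REPLY_MAX];
    size_t len;
};

/* Append one byte, doubling IAC. The caller has already reserved space. */
static void put_escaped(struct slc_reply *r, unsigned char b)
{
    r->buf[r->len++] = b;
    if (b == IAC)
        r->buf[r->len++] = IAC;
}

/*
 * Append one (func, flags, value) triplet taken from the server's
 * LINEMODE suboption. Returns 0 on success, or -1 without writing
 * anything if the worst case (3 bytes, each doubled) would not fit.
 */
int slc_reply_add(struct slc_reply *r, unsigned char func,
                  unsigned char flags, unsigned char value)
{
    if (r->len > SLC_REPLY_MAX || SLC_REPLY_MAX - r->len < 6)
        return -1;
    put_escaped(r, func);
    put_escaped(r, flags);
    put_escaped(r, value);
    return 0;
}

/* Feed n identical triplets of byte b; return how many were accepted. */
size_t slc_reply_fill(struct slc_reply *r, unsigned char b, size_t n)
{
    size_t ok = 0;
    r->len = 0;
    for (size_t i = 0; i < n; i++)
        if (slc_reply_add(r, b, b, b) == 0)
            ok++;
    return ok;
}
```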

CVE: CAN-2005-0468 and CAN-2005-0469


Solutions and Workarounds
=========================

There is no workaround to this problem.

It is recommended that all NetBSD users of affected versions upgrade
their telnet binaries to a non-vulnerable version.

The following instructions describe how to upgrade your telnet
binaries by updating your source tree and rebuilding and
installing a new version of telnet.


* NetBSD-current:

Systems running NetBSD-current dated from before 2005-03-29
should be upgraded to NetBSD-current dated 2005-04-01 or later.

The following files need to be updated from the netbsd-current CVS
branch (aka HEAD):
        usr.bin/telnet/telnet.c

To update from CVS, re-build, and re-install telnet:

        # cd src
        # cvs update -d -P usr.bin/telnet/telnet.c
        # cd usr.bin/telnet

        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install


* NetBSD 2.0:

The binary distribution of NetBSD 2.0 is vulnerable.

NetBSD 2.1 includes the fix.

Systems running NetBSD 2.0 sources dated from before
2005-04-08 should be upgraded from NetBSD 2.0 sources dated
2005-04-09 or later.

The following files need to be updated from the
netbsd-2-0 CVS branch:
        usr.bin/telnet/telnet.c

To update from CVS, re-build, and re-install telnet:

        # cd src
        # cvs update -d -P -r netbsd-2-0 usr.bin/telnet/telnet.c
        # cd usr.bin/telnet

        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install


* NetBSD 1.6, 1.6.1, 1.6.2:

The binary distributions of NetBSD 1.6, 1.6.1, and 1.6.2 are vulnerable.

Systems running NetBSD 1.6 sources dated from before
2005-04-08 should be upgraded from NetBSD 1.6 sources dated
2005-04-09 or later.

NetBSD 1.6.3 will include the fix.

The following files need to be updated from the
netbsd-1-6 CVS branch:
        usr.bin/telnet/telnet.c

To update from CVS, re-build, and re-install telnet:

        # cd src
        # cvs update -d -P -r netbsd-1-6 usr.bin/telnet/telnet.c
        # cd usr.bin/telnet

        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install


Thanks To
=========

iDEFENSE for researching this vulnerability.

MIT for alerting us about this vulnerability and providing a fix.


Revision History
================

2005-10-31 Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-004.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-004.txt,v 1.13 2005/10/31 06:36:35 gendalia Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)

-----END PGP SIGNATURE-----
