Buffer overflow in the Telnet protocol could yield control of Unix systems to an attacker.
Several high-profile distributors of the BSD version of the Telnet protocol have rolled out patches for a critical bug that could cause system-hijack attacks.
The bug, which was reported by iDefense Inc., is a remotely exploitable buffer overflow
that could allow the execution of arbitrary code with user privileges.
A successful attacker would have to convince the user to launch a Telnet session with a malicious server. A malicious Web page could be designed that could launch the Telnet client on the users system by clicking a link, or, using the IFRAME tag, by loading the page.
Telnet is a protocol that supports virtual terminal sessions across IP networks including the Internet. The Telnet client program provides the interface for the terminal session to the user.
Click here to read about IBMs low-end Unix play.
The vulnerability exists in the main Telnet client program distributed by large numbers of vendors, including MITs Kerberos network authentication system.
It is possible for data of a particular size and nature to overflow a fixed-size buffer.
Advisories and patches have been issued by OpenBSD, MIT, Apple, FreeBSD and many Linux distributions through their inclusion of Kerberos.
Read more here about Unix-related warnings from iDefense.
iDefense states that it is unaware of any workarounds for the problem. While no active exploits are known, a simple proof of concept is available.
The following vendors have issued patches and workarounds:
MIT (Kerberos): http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt
Red Hat: http://rhn.redhat.com/errata/RHSA-2005-330.html
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.