Unix Authors Rush to Patch Telnet Flaw

By Larry Seltzer  |  Posted 2005-03-31

Buffer overflow in the Telnet protocol could yield control of Unix systems to an attacker.

Several high-profile distributors of the BSD version of the Telnet protocol have rolled out patches for a critical bug that could enable system-hijack attacks. The bug, which was reported by iDefense Inc., is a remotely exploitable buffer overflow that could allow the execution of arbitrary code with user privileges. A successful attacker would have to convince the user to launch a Telnet session with a malicious server. A malicious Web page could be designed to launch the Telnet client on the user's system when the user clicks a link or, using the IFRAME tag, simply when the page loads.
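
The Web-page delivery vector described above can be checked for at a proxy or mail gateway. The following Python sketch is an added example, not code from iDefense or any vendor advisory: it flags telnet: URLs in HTML and reports whether each would fire on page load or only on a click. The tag lists, function names and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs, split by whether the URL is fetched when the page
# loads (no user action) or only after a click. Assumed lists, extend as needed.
AUTO_LOAD = {("iframe", "src"), ("frame", "src")}
ON_CLICK = {("a", "href"), ("area", "href")}

# Constructed sample page; the hosts are placeholders under .invalid.
SAMPLE = """<html><body>
<a href="http://news.example.invalid/">ordinary link</a>
<a href="telnet://host-a.example.invalid/">click me</a>
<IFRAME SRC=" TELNET://host-b.example.invalid:23/"></IFRAME>
</body></html>"""


class TelnetLinkFinder(HTMLParser):
    """Collect telnet: URLs and how each one would be triggered."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (trigger, tag, host)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        for name, value in attrs:
            if not value:
                continue
            try:
                # Browsers ignore leading whitespace and scheme case.
                url = urlsplit(value.strip())
            except ValueError:
                continue  # malformed URL, nothing to classify
            if url.scheme.lower() != "telnet":
                continue
            if (tag, name) in AUTO_LOAD:
                trigger = "on-load"
            elif (tag, name) in ON_CLICK:
                trigger = "on-click"
            else:
                trigger = "other"
            self.findings.append((trigger, tag, url.hostname))


def scan_html(html):
    """Return every telnet: reference found in the given HTML text."""
    finder = TelnetLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

An "on-load" finding is the case that needs no click from the user, so a gateway would normally treat it as the higher-priority alert.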

Telnet is a protocol that supports virtual terminal sessions across IP networks including the Internet. The Telnet client program provides the interface for the terminal session to the user.

The vulnerability exists in the main Telnet client program distributed by large numbers of vendors, including MIT's Kerberos network authentication system. It is possible for data of a particular size and nature to overflow a fixed-size buffer.

Advisories and patches have been issued by OpenBSD, MIT, Apple, FreeBSD and many Linux distributions through their inclusion of Kerberos.

iDefense states that it is unaware of any workarounds for the problem. While no active exploits are known, a simple proof of concept is available.

The following vendors have issued patches and workarounds:
  • Apple: http://docs.info.apple.com/article.html?artnum=61798
  • FreeBSD: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:01.telnet.asc
  • MIT (Kerberos): http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt
  • Red Hat: http://rhn.redhat.com/errata/RHSA-2005-330.html
  • Sun: http://sunsolve.sun.com