Multiple Telnet Clients env_opt_add() Buffer Overflow Vulnerability

Published: 2005-03-29
Updated: 2005-03-29

Affected systems:
Apple MacOS X Server 10.3.8
Apple MacOS X 10.3.8
FreeBSD FreeBSD versions prior to 5.4-RELEASE
MIT Kerberos 5 1.4
Netkit Linux Netkit 0.17.17
RedHat Linux WS 4
RedHat Linux WS 3
RedHat Linux ES 4
RedHat Linux ES 3
RedHat Linux Enterprise Linux WS 2.1
RedHat Linux Enterprise Linux ES 2.1
RedHat Linux Enterprise Linux AS 3
RedHat Linux Desktop 4
RedHat Linux Desktop 3
RedHat Linux AS 4
RedHat Linux AS (Advanced Server) 2.1
RedHat Linux Advanced Workstation 2.1
Sun Solaris 9.0
Sun Solaris 8.0
Sun Solaris 7.0
Sun Solaris 10
ALT Linux Junior 2.3
ALT Linux Compact 2.3
Openwall Owl
Description:
BUGTRAQ  ID: 12919
CVE(CAN) ID: CVE-2005-0468

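TELNET is a network protocol that provides remote virtual terminal functionality, and many telnet server and client implementations exist.

Multiple TELNET client implementations contain a buffer overflow in the handling of the telnet NEW-ENVIRON sub-negotiation option. If a user connects to a malicious telnet server with a vulnerable client, malicious instructions may be executed on the client machine.

The vulnerability is in the env_opt_add() function in telnet.c. A fixed-size 256-byte buffer is allocated to hold the result of this function's processing of network input. Because the telnet protocol requires certain control characters to be escaped, an escaped character grows from one byte to two; if the input data contains a large number of characters that need escaping, a heap buffer overflow results.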
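
The size arithmetic behind this overflow, as an added C example (not code from telnet.c or from any vendor patch): a reply buffer sized by raw input length can need up to twice as many bytes after escaping, so the bound has to be checked against the escaped length. The function names and `REPLY_BUF_SIZE` are hypothetical; the byte values are those defined in RFC 854 and RFC 1572.

```c
#include <stddef.h>
#include <string.h>

/* Byte values from RFC 854 (IAC) and RFC 1572 (NEW-ENVIRON). */
enum { ENV_VAR = 0, ENV_VALUE = 1, ENV_ESC = 2, ENV_USERVAR = 3, IAC = 255 };
#define REPLY_BUF_SIZE 256  /* fixed size described in the advisory */

/* Byte that must precede c on the wire, or -1 if c is sent as-is. */
static int escape_prefix(unsigned char c)
{
    if (c == IAC) return IAC;               /* IAC is doubled */
    if (c <= ENV_USERVAR) return ENV_ESC;   /* VAR/VALUE/ESC/USERVAR */
    return -1;
}

/* Exact output size for in[0..n): each escaped byte costs two. */
size_t escaped_len(const unsigned char *in, size_t n)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++)
        out += (escape_prefix(in[i]) >= 0) ? 2 : 1;
    return out;
}

/* Hardened (hypothetical) form: checks the escaped size against cap first.
 * Returns bytes written, or -1 without writing anything if it will not fit. */
long env_escape_bounded(const unsigned char *in, size_t n,
                        unsigned char *out, size_t cap)
{
    if (escaped_len(in, n) > cap)
        return -1;
    size_t w = 0;
    for (size_t i = 0; i < n; i++) {
        int p = escape_prefix(in[i]);
        if (p >= 0)
            out[w++] = (unsigned char)p;
        out[w++] = in[i];
    }
    return (long)w;
}

/* Constructed input: 200 bytes that all need escaping need 400 bytes out. */
int demo_rejects_oversized(void)
{
    unsigned char in[200], out[REPLY_BUF_SIZE];
    memset(in, ENV_ESC, sizeof in);
    return escaped_len(in, sizeof in) == 400 &&
           env_escape_bounded(in, sizeof in, out, sizeof out) == -1;
}
```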

<*Source: Gael Delalleau
        iDEFENSE Labs (labs@idefense.com)
  
  Links: http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-101665-1
        http://lwn.net/Alerts/129334/?format=printable
        www.idefense.com/application/poi/display?id=221
        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:01.telnet.asc
*>

Recommendation:
Vendor patches:

FreeBSD
-------
FreeBSD has released a security advisory (FreeBSD-SA-05:01) and corresponding patches:
FreeBSD-SA-05:01: telnet client buffer overflows
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:01.telnet.asc

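Perform one of the following:

1) Upgrade the affected system to 4-STABLE or 5-STABLE, or to RELENG_5_3, RELENG_5_2, RELENG_4_11, RELENG_4_10, or RELENG_4_8, dated after the correction date.

2) Patch the system:

a) Download the following patches: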

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet4.patch.asc

[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet5.patch.asc

b) Apply the patch:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the kernel as described at:

http://www.freebsd.org/handbook/kernelconfig.html

RedHat
------
RedHat has released a security advisory (RHSA-2005:327-01) and corresponding patches:
RHSA-2005:327-01: Important: telnet security update
Link: http://lwn.net/Alerts/129334/?format=printable

Patch downloads (see the advisory linked above):

Sun
---
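Sun has released a security advisory (Sun-Alert-57755) and corresponding patches:
Sun-Alert-57755: Buffer Overflow in telnet(1) Client Software
Link: http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57755-1

As a temporary workaround, remove execute permission from the telnet program: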

# chmod 000 /usr/bin/telnet

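This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.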