首页 -> 安全研究
安全研究
安全漏洞
多个Telnet客户端slc_add_reply()缓冲区溢出漏洞
发布日期:2005-03-29
更新日期:2005-03-29
受影响系统:
Apple MacOS X Server 10.3.8描述:
Apple MacOS X 10.3.8
FreeBSD FreeBSD 5.4-RELEASE之前版本
MIT Kerberos 5 1.4
Netkit Linux Netkit 0.17.17
RedHat Linux WS 4
RedHat Linux WS 3
RedHat Linux ES 4
RedHat Linux ES 3
RedHat Linux Enterprise Linux WS 2.1
RedHat Linux Enterprise Linux ES 2.1
RedHat Linux Enterprise Linux AS 3
RedHat Linux Desktop 4
RedHat Linux Desktop 3
RedHat Linux AS 4
RedHat Linux AS (Advanced Server) 2.1
RedHat Linux Advanced Workstation 2.1
Sun Solaris 9.0
Sun Solaris 8.0
Sun Solaris 7.0
Sun Solaris 10
ALT Linux Junior 2.3
ALT Linux Compact 2.3
Openwall Owl
BUGTRAQ ID: 12918
CVE(CAN) ID: CVE-2005-0469
TELNET协议允许通过Internet连接到虚拟网络终端上。
多个TELNET协议客户端的实现在处理telnet子协商选项时存在缓冲区溢出漏洞,如果用户使用有漏洞的客户端程序连接访问恶意telnet服务器,可能导致在客户端机器上执行恶意指令。
漏洞存在于telnet.c的slc_add_reply()函数中,此函数负责向一个长为128字节静态缓冲区添加针对TELNET子协商选项SLC的回应数据,在增加数据时没有进行任何的边界检查。恶意TELNET服务器可能向客户端发送超多SLC子协商选项可以导致静态缓冲区溢出,覆盖其后的数据结构,在特定程序代码和编译选项下可能影响进程的执行流程而执行任意指令。
<*来源:Gael Delalleau
iDEFENSE Labs (labs@idefense.com)
链接:http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-101665-1
http://lwn.net/Alerts/129334/?format=printable
www.idefense.com/application/poi/display?id=220
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:01.telnet.asc
*>
建议:
厂商补丁:
FreeBSD
-------
FreeBSD已经为此发布了一个安全公告(FreeBSD-SA-05:01)以及相应补丁:
FreeBSD-SA-05:01:telnet client buffer overflows
链接:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:01.telnet.asc
执行以下步骤之一:
1)把受此漏洞影响的系统升级到更正日期后的4-STABLE或5-STABLE或RELENG_5_3, RELENG_5_2, RELENG_4_11, RELENG_4_10,或RELENG_4_8 。
2) 对系统进行补丁操作:
a)下载如下补丁程序:
[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet4.patch.asc
[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet5.patch.asc
b)进行补丁操作:
# cd /usr/src
# patch < /path/to/patch
c)按照如下方法重新编译内核:
http://www.freebsd.org/handbook/kernelconfig.html
RedHat
------
RedHat已经为此发布了一个安全公告(RHSA-2005:327-01)以及相应补丁:
RHSA-2005:327-01:Important: telnet security update
链接:http://lwn.net/Alerts/129334/?format=printable
补丁下载:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/tel...
417f308264da21ba52f490671078437d telnet-0.17-20.EL2.3.src.rpm
i386:
9844ce440580371e21adb6e240f7ef32 telnet-0.17-20.EL2.3.i386.rpm
6a8a735c26c81c10fd03d25ed001c89c telnet-server-0.17-20.EL2.3.i386.rpm
ia64:
17e5e124770f7772cf0d4c4e24650b87 telnet-0.17-20.EL2.3.ia64.rpm
94149177b916123e92c80bf5412112fc telnet-server-0.17-20.EL2.3.ia64.rpm
Red Hat Linux Advanced Workstation 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/tel...
417f308264da21ba52f490671078437d telnet-0.17-20.EL2.3.src.rpm
ia64:
17e5e124770f7772cf0d4c4e24650b87 telnet-0.17-20.EL2.3.ia64.rpm
94149177b916123e92c80bf5412112fc telnet-server-0.17-20.EL2.3.ia64.rpm
Red Hat Enterprise Linux ES version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/tel...
417f308264da21ba52f490671078437d telnet-0.17-20.EL2.3.src.rpm
i386:
9844ce440580371e21adb6e240f7ef32 telnet-0.17-20.EL2.3.i386.rpm
6a8a735c26c81c10fd03d25ed001c89c telnet-server-0.17-20.EL2.3.i386.rpm
Red Hat Enterprise Linux WS version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/tel...
417f308264da21ba52f490671078437d telnet-0.17-20.EL2.3.src.rpm
i386:
9844ce440580371e21adb6e240f7ef32 telnet-0.17-20.EL2.3.i386.rpm
6a8a735c26c81c10fd03d25ed001c89c telnet-server-0.17-20.EL2.3.i386.rpm
Red Hat Enterprise Linux AS version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/telne...
9d246538ceb4ea06807737bf487bf29d telnet-0.17-26.EL3.2.src.rpm
i386:
a1edb03210ac63b30f6332a2e4227dc9 telnet-0.17-26.EL3.2.i386.rpm
6eea6c08ea68f1ea8a177c63016e9935 telnet-server-0.17-26.EL3.2.i386.rpm
ia64:
540dfa1463fb15b035371cb8815c8003 telnet-0.17-26.EL3.2.ia64.rpm
cf5ea891b305e4e150b31f012e5bd0b7 telnet-server-0.17-26.EL3.2.ia64.rpm
ppc:
004cd42520a5052fbbf6f150ebec5308 telnet-0.17-26.EL3.2.ppc.rpm
5246c393f0b38a64a47efc8b091d3cc3 telnet-server-0.17-26.EL3.2.ppc.rpm
s390:
feb70dd0f45a9e08d5d49fcb773924f2 telnet-0.17-26.EL3.2.s390.rpm
9290204b8e84f96b024ffe98da834174 telnet-server-0.17-26.EL3.2.s390.rpm
s390x:
8d7419651888f9943e82918b73c84b09 telnet-0.17-26.EL3.2.s390x.rpm
6dc6d17c2086c6756a74e9e48552b634 telnet-server-0.17-26.EL3.2.s390x.rpm
x86_64:
7d226b52aae9119e23645d3243bd821c telnet-0.17-26.EL3.2.x86_64.rpm
d48f86ee42581c351d565aa78d373204 telnet-server-0.17-26.EL3.2.x86_64.rpm
Red Hat Desktop version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/...
9d246538ceb4ea06807737bf487bf29d telnet-0.17-26.EL3.2.src.rpm
i386:
a1edb03210ac63b30f6332a2e4227dc9 telnet-0.17-26.EL3.2.i386.rpm
6eea6c08ea68f1ea8a177c63016e9935 telnet-server-0.17-26.EL3.2.i386.rpm
x86_64:
7d226b52aae9119e23645d3243bd821c telnet-0.17-26.EL3.2.x86_64.rpm
d48f86ee42581c351d565aa78d373204 telnet-server-0.17-26.EL3.2.x86_64.rpm
Red Hat Enterprise Linux ES version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/telne...
9d246538ceb4ea06807737bf487bf29d telnet-0.17-26.EL3.2.src.rpm
i386:
a1edb03210ac63b30f6332a2e4227dc9 telnet-0.17-26.EL3.2.i386.rpm
6eea6c08ea68f1ea8a177c63016e9935 telnet-server-0.17-26.EL3.2.i386.rpm
ia64:
540dfa1463fb15b035371cb8815c8003 telnet-0.17-26.EL3.2.ia64.rpm
cf5ea891b305e4e150b31f012e5bd0b7 telnet-server-0.17-26.EL3.2.ia64.rpm
x86_64:
7d226b52aae9119e23645d3243bd821c telnet-0.17-26.EL3.2.x86_64.rpm
d48f86ee42581c351d565aa78d373204 telnet-server-0.17-26.EL3.2.x86_64.rpm
Red Hat Enterprise Linux WS version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/telne...
9d246538ceb4ea06807737bf487bf29d telnet-0.17-26.EL3.2.src.rpm
i386:
a1edb03210ac63b30f6332a2e4227dc9 telnet-0.17-26.EL3.2.i386.rpm
6eea6c08ea68f1ea8a177c63016e9935 telnet-server-0.17-26.EL3.2.i386.rpm
ia64:
540dfa1463fb15b035371cb8815c8003 telnet-0.17-26.EL3.2.ia64.rpm
cf5ea891b305e4e150b31f012e5bd0b7 telnet-server-0.17-26.EL3.2.ia64.rpm
x86_64:
7d226b52aae9119e23645d3243bd821c telnet-0.17-26.EL3.2.x86_64.rpm
d48f86ee42581c351d565aa78d373204 telnet-server-0.17-26.EL3.2.x86_64.rpm
Red Hat Enterprise Linux AS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/telne...
a3faf4a95d925197b7ec88861a272f68 telnet-0.17-31.EL4.2.src.rpm
i386:
c03d8fbd5c1a1dfd334263e034626bef telnet-0.17-31.EL4.2.i386.rpm
095477b3fd6797a4dcb71eaa6fe40fb9 telnet-server-0.17-31.EL4.2.i386.rpm
ia64:
c1eaa58f26e47c3c8370ff2189b78b81 telnet-0.17-31.EL4.2.ia64.rpm
3e47cc360ea07b28c16da6fdfb88c39e telnet-server-0.17-31.EL4.2.ia64.rpm
ppc:
22fc96070dc40b3686d23b62f213069c telnet-0.17-31.EL4.2.ppc.rpm
53e773d2752608b0414a8fd0e449c694 telnet-server-0.17-31.EL4.2.ppc.rpm
s390:
8336b046ae91cc296a949ce840858489 telnet-0.17-31.EL4.2.s390.rpm
62fa5b57339984f7903c8c6828cf3907 telnet-server-0.17-31.EL4.2.s390.rpm
s390x:
a9687c4c60aa7ce447b322ad15e491e1 telnet-0.17-31.EL4.2.s390x.rpm
624150f3b2bb179af14f89333549baf8 telnet-server-0.17-31.EL4.2.s390x.rpm
x86_64:
ba9038dbfdedbf0d064c6b2be18f10e4 telnet-0.17-31.EL4.2.x86_64.rpm
42fc60c48cacc2d40798fc33681bfcd2 telnet-server-0.17-31.EL4.2.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/...
a3faf4a95d925197b7ec88861a272f68 telnet-0.17-31.EL4.2.src.rpm
i386:
c03d8fbd5c1a1dfd334263e034626bef telnet-0.17-31.EL4.2.i386.rpm
095477b3fd6797a4dcb71eaa6fe40fb9 telnet-server-0.17-31.EL4.2.i386.rpm
x86_64:
ba9038dbfdedbf0d064c6b2be18f10e4 telnet-0.17-31.EL4.2.x86_64.rpm
42fc60c48cacc2d40798fc33681bfcd2 telnet-server-0.17-31.EL4.2.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/telne...
a3faf4a95d925197b7ec88861a272f68 telnet-0.17-31.EL4.2.src.rpm
i386:
c03d8fbd5c1a1dfd334263e034626bef telnet-0.17-31.EL4.2.i386.rpm
095477b3fd6797a4dcb71eaa6fe40fb9 telnet-server-0.17-31.EL4.2.i386.rpm
ia64:
c1eaa58f26e47c3c8370ff2189b78b81 telnet-0.17-31.EL4.2.ia64.rpm
3e47cc360ea07b28c16da6fdfb88c39e telnet-server-0.17-31.EL4.2.ia64.rpm
x86_64:
ba9038dbfdedbf0d064c6b2be18f10e4 telnet-0.17-31.EL4.2.x86_64.rpm
42fc60c48cacc2d40798fc33681bfcd2 telnet-server-0.17-31.EL4.2.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/telne...
a3faf4a95d925197b7ec88861a272f68 telnet-0.17-31.EL4.2.src.rpm
i386:
c03d8fbd5c1a1dfd334263e034626bef telnet-0.17-31.EL4.2.i386.rpm
095477b3fd6797a4dcb71eaa6fe40fb9 telnet-server-0.17-31.EL4.2.i386.rpm
ia64:
c1eaa58f26e47c3c8370ff2189b78b81 telnet-0.17-31.EL4.2.ia64.rpm
3e47cc360ea07b28c16da6fdfb88c39e telnet-server-0.17-31.EL4.2.ia64.rpm
x86_64:
ba9038dbfdedbf0d064c6b2be18f10e4 telnet-0.17-31.EL4.2.x86_64.rpm
42fc60c48cacc2d40798fc33681bfcd2 telnet-server-0.17-31.EL4.2.x86_64.rpm
Sun
---
Sun已经为此发布了一个安全公告(Sun-Alert-57755)以及相应补丁:
Sun-Alert-57755:Buffer Overflow in telnet(1) Client Software
链接:http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57755-1
用如下方法暂时禁止telnet程序执行权限:
# chmod 000 /usr/bin/telnet
浏览次数:4875
严重程度:0(网友投票)
绿盟科技给您安全的保障