{"vuid":"VU#220816","idnumber":"220816","name":"MIT Kerberos 5 telnet daemon allows login as arbitrary user","keywords":["MIT","Kerberos 5","privilege escalation","remote","root"],"overview":"A vulnerability exists in the version of the telnet daemon included with the MIT Kerberos 5 distribution that may allow a remote, unauthorized attacker to log on to the system with elevated privileges.","clean_desc":"A vulnerability exists in the version of the telnet daemon included with the MIT Kerberos 5 distribution that may allow a remote, unauthenticated user to log in as any valid user, including root. According to MIT krb5 Security Advisory MITKRB5-SA-2007-001: The MIT krb5 telnet daemon fails to adequately check the provided username. A malformed username beginning with \"-e\" can be interpreted as a command-line flag by the login.krb5 program, which is executed by telnetd. This causes login.krb5 to execute part of the BSD rlogin protocol, where an arbitrary username may be injected, allowing login as that user without a password or any further authentication. Note that this issue affects all releases of MIT krb5 up to and including krb5-1.6.","impact":"A remote attacker could log on to a vulnerable system via telnet with elevated privileges. This impact is limited to authenticated users if the telnet daemon is configured to only allow authenticated login.","resolution":"Apply Patch\nA patch can be obtained from MIT krb5 Security Advisory MITKRB5-SA-2007-001. 
MIT also states that this will be addressed in the upcoming krb5-1.6.1 release.","workarounds":"","sysaffected":"","thanks":"This issue was reported in MIT krb5 Security Advisory \nMITKRB5-SA-2007-001","author":"This document was written by Chris Taschner.","public":["http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt","http://secunia.com/advisories/24757/","http://secunia.com/advisories/24735/","http://secunia.com/advisories/24750/","http://secunia.com/advisories/24740/","http://secunia.com/advisories/24755/","http://securitytracker.com/alerts/2007/Apr/1017848.html"],"cveids":["CVE-2007-0956"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2007-03-21T11:44:30Z","publicdate":"2007-04-03T00:00:00Z","datefirstpublished":"2007-04-03T21:25:11Z","dateupdated":"2007-05-16T19:23:49Z","revision":38,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"4","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"17","cam_population":"10","cam_impact":"20","cam_easeofexploitation":"14","cam_attackeraccessrequired":"20","cam_scorecurrent":"17.85","cam_scorecurrentwidelyknown":"38.85","cam_scorecurrentwidelyknownexploited":"59.85","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":17.85,"vulnote":null}