{"vuid":"VU#291924","idnumber":"291924","name":"Multiple Telnet clients fail to properly handle the \"LINEMODE\" SLC suboption","keywords":["Telnet clients","buffer overflow","LINEMODE","slc_add_reply()"],"overview":"Multiple Telnet clients contain a data length validation flaw which may allow a server to induce arbitrary code execution on the client host.","clean_desc":"The Telnet network protocol is described in RFC854 and RFC855 as a general, bi-directional communications facility. The Telnet protocol is commonly used for command line login sessions between Internet hosts. Many Telnet client implementations may be vulnerable to a flaw which may allow arbitrary code to be executed on the connected client. The Telnet server may supply a specially crafted reply containing a large number of RFC1184 LINEMODE \"Set Local Character\" (SLC) suboption commands, which are not checked for proper length before being stored into a fixed-length buffer. Affected Telnet clients possibly include the BSD Telnet implementation and the MIT Kerberos distribution. The Telnet LINEMODE option is enabled by default in a majority of modern Telnet clients and servers, and is often negotiated automatically before user input is required. Therefore, an attacker may be able to launch a vulnerable client, for example, through commands embedded in web pages such as an IFRAME with a \"telnet:\" URL, and exploit this flaw requiring only minimal or no user interaction.","impact":"A remote server may be able to execute arbitrary code under the permissions of the user running the Telnet client on the local host.","resolution":"Apply an update from your vendor\nPatches, updates, and fixes are available from multiple vendors.","workarounds":"As a workaround, the client may explicitly disable LINEMODE before connecting in order to prevent LINEMODE command processing.\nIn addition, as a best practice, clients should never connect to unknown servers.","sysaffected":"","thanks":"Thanks to iDEFENSE Labs for reporting this vulnerability.","author":"This document was written by Ken MacInnis.","public":["http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities","https://rhn.redhat.com/errata/RHSA-2005-327.html","http://secunia.com/advisories/14745/","http://web.mit.edu/kerberos/www/...s/MITKRB5-SA-2005-001-telnet.txt","http://sunsolve.sun.com/search/document.do?assetkey=1-26-57755-1","http://www.auscert.org.au/5134"],"cveids":["CVE-2005-0469"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2005-03-28T20:41:17Z","publicdate":"2005-03-28T00:00:00Z","datefirstpublished":"2005-03-29T22:01:42Z","dateupdated":"2005-12-22T21:22:38Z","revision":29,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"12","cam_impact":"14","cam_easeofexploitation":"10","cam_attackeraccessrequired":"16","cam_scorecurrent":"12.6","cam_scorecurrentwidelyknown":"15.12","cam_scorecurrentwidelyknownexploited":"25.2","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":12.6,"vulnote":null}