{"vuid":"VU#341908","idnumber":"341908","name":"Multiple Telnet Clients vulnerable to buffer overflow via the env_opt_add() function in telnet.c","keywords":["Telnet Clients","buffer overflow","env_opt_add()","telnet.c"],"overview":"Multiple Telnet clients contain a data length validation flaw that may allow a malicious server to execute arbitrary code on the client host with the privileges of the client user.","clean_desc":"The Telnet network protocol is described in RFC854 and RFC855 as a general, bi-directional communications facility. The Telnet protocol is commonly used for command-line login sessions between Internet hosts. Many Telnet clients are vulnerable to a buffer overflow condition. The env_opt_add() function of telnet.c contains a 256-byte buffer that may be expanded to 512 bytes if needed. While checks are in place to ensure that the input buffer for this function is within the size allocated, the Telnet protocol may escape characters contained in the input buffer. If the number of characters escaped causes the resulting input to exceed the 512-byte allocated buffer, a heap overflow occurs. Several Telnet clients derived from a variety of lineages are confirmed to be affected. Please review the \"Systems Affected\" section below, or consult with your vendor to determine if you are affected.","impact":"Exploitation of this vulnerability may permit a malicious server to execute arbitrary code with the privileges of the user that invoked the telnet client. An attacker would have to trick a victim into initiating a telnet connection using a vulnerable client. This may be accomplished with an HTML-rendered email or web page using the TELNET:// URI handler; however, further user interaction may be required.","resolution":"Apply a patch or upgrade as specified by your vendor.","workarounds":"","sysaffected":"","thanks":"Thanks to iDEFENSE Labs for reporting this vulnerability.","author":"This document was written by Robert Mead and Jason Rafail, and is based on information in iDefense's advisory.","public":["http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities","http://secunia.com/advisories/14745/","http://web.mit.edu/kerberos/www/...s/MITKRB5-SA-2005-001-telnet.txt","http://sunsolve.sun.com/search/document.do?assetkey=1-26-57755-1","http://www.auscert.org.au/5134"],"cveids":["CVE-2005-0468"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2005-03-28T21:30:18Z","publicdate":"2005-03-28T00:00:00Z","datefirstpublished":"2005-04-01T21:43:52Z","dateupdated":"2005-07-28T21:01:08Z","revision":33,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"16","cam_exploitation":"0","cam_internetinfrastructure":"13","cam_population":"17","cam_impact":"15","cam_easeofexploitation":"12","cam_attackeraccessrequired":"18","cam_scorecurrent":"29.94975","cam_scorecurrentwidelyknown":"34.08075","cam_scorecurrentwidelyknownexploited":"54.73575","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":29.94975,"vulnote":null}