Telnetd Encryption Key ID Code Execution

2012-02-11T00:00:00
ID SAINT:2E667FA9EE1CC48C054B8BF1D1337065
Type saint
Reporter SAINT Corporation
Modified 2012-02-11T00:00:00

Description

Added: 02/11/2012
CVE: CVE-2011-4862
BID: 51182
OSVDB: 78020

Background

Telnet is a network protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communications facility using a virtual terminal connection.

Problem

The flaw is caused by a boundary error within the "encrypt_keyid()" function (libtelnet/encrypt.c). It can be exploited to cause a buffer overflow via a long encryption key.
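As an added illustration (not SAINT's or the telnetd project's own code), the following constructed C model shows the kind of length check that is missing in the vulnerable keyid handling; the struct layout, function names and MAXKEYLEN value are assumptions for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the keyid state in libtelnet/encrypt.c (not the
 * project's own code): MAXKEYLEN is the fixed keyid buffer size. */
#define MAXKEYLEN 64

struct key_info {
    unsigned char keyid[MAXKEYLEN];
    int keylen;
};

/* Hardened keyid update. The remote peer chooses 'len' (the length of the
 * keyid carried in the ENCRYPT suboption), so it must be checked against
 * the buffer before memcpy. Copying 'len' bytes unconditionally is the
 * boundary error described above. Returns 0 on success, -1 if rejected. */
int encrypt_keyid_checked(struct key_info *kp, const unsigned char *keyid,
                          size_t len)
{
    if (len == 0) {            /* empty keyid: peer signals failure, reset */
        kp->keylen = 0;
        return 0;
    }
    if (len > MAXKEYLEN) {     /* the bound check the unpatched code lacks */
        kp->keylen = 0;
        return -1;
    }
    if ((size_t)kp->keylen != len || memcmp(kp->keyid, keyid, len) != 0) {
        kp->keylen = (int)len; /* length or contents changed: store new id */
        memcpy(kp->keyid, keyid, len);
    }
    return 0;
}

/* Self-check on constructed input: a 100-byte keyid is rejected and leaves
 * no state behind; a keyid of exactly MAXKEYLEN bytes is stored intact.
 * Returns 1 when both hold, 0 otherwise. */
int keyid_bound_demo(void)
{
    struct key_info kp;
    unsigned char big[100];
    memset(&kp, 0, sizeof kp);
    memset(big, 'K', sizeof big);
    if (encrypt_keyid_checked(&kp, big, sizeof big) != -1 || kp.keylen != 0)
        return 0;
    if (encrypt_keyid_checked(&kp, big, MAXKEYLEN) != 0 || kp.keylen != MAXKEYLEN)
        return 0;
    return memcmp(kp.keyid, big, MAXKEYLEN) == 0;
}
```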

Resolution

Apply the vendor-supplied patch for the target system or update FreeBSD/krb5.

References

<http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt>
<http://thexploit.com/secdev/a-textbook-buffer-overflow-a-look-at-the-freebsd-telnetd-code/>

Limitations

This exploit has been tested against telnetd on FreeBSD 8.0, FreeBSD 8.2, NetBSD 5.1 and Debian 6.0.2 Heimdal Server 1.5.

Platforms

FreeBSD 8.0
FreeBSD 8.1
FreeBSD 8.2
NetBSD 5.1
Linux / Debian