| VID |
14003 |
| Severity |
40 |
| Port |
23 |
| Protocol |
TCP |
| Class |
TELNET |
| Detailed Description |
The Telnet server closes the connection when it receives a long sequence of AYT ('Are You There') commands. This probably means it overflows one of its internal buffers and crashes. It is likely that an attacker could abuse this bug to gain root access to the server. This vulnerability exists in telnet daemons derived from the BSD telnet daemon. Under certain circumstances, the buffer overflow can occur when a combination of telnet protocol options, especially the 'AYT' (Are You There) option, is received by the daemon. The function responsible for processing the option prepares a response within a fixed-size buffer without performing any bounds checking. If exploited successfully, this may result in arbitrary code being executed on the remote machine with the privileges the telnet daemon runs under, usually root.
* Platforms Affected: Systems running versions of telnetd derived from BSD source; Apple MacOS X 10.0; BSDI 4.x default; Cisco applications running on an unpatched Sun Solaris OS; OpenBSD 2.x; FreeBSD [2345].x default; NetBSD 1.x default; Hewlett-Packard's HP-UX 10.x; IBM AIX versions 4.3 and earlier and 5.1; IRIX 6.5.x; Sun Solaris 8 and earlier; SCO OpenServer 5.0.6a and earlier; Linux netkit-telnetd < 0.14
* References: http://www.securityfocus.com/bid/3064 ; http://www.iss.net/security_center/static/6875.php |
| Recommendation |
Apply the appropriate patch for your system, as listed in CERT Advisory CA-2001-21, http://www.cert.org/advisories/CA-2001-21.html |
| Related URL |
CVE-2001-0554 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|