多个Telnet客户端slc_add_reply()缓冲区溢出漏洞
发布日期:2005-03-29
更新日期:2005-03-29
受影响系统:
Apple MacOS X Server 10.3.8描述:
Apple MacOS X 10.3.8
FreeBSD FreeBSD 5.4-RELEASE之前版本
MIT Kerberos 5 1.4
Netkit Linux Netkit 0.17.17
RedHat Linux WS 4
RedHat Linux WS 3
RedHat Linux ES 4
RedHat Linux ES 3
RedHat Linux Enterprise Linux WS 2.1
RedHat Linux Enterprise Linux ES 2.1
RedHat Linux Enterprise Linux AS 3
RedHat Linux Desktop 4
RedHat Linux Desktop 3
RedHat Linux AS 4
RedHat Linux AS (Advanced Server) 2.1
RedHat Linux Advanced Workstation 2.1
Sun Solaris 9.0
Sun Solaris 8.0
Sun Solaris 7.0
Sun Solaris 10
ALT Linux Junior 2.3
ALT Linux Compact 2.3
Openwall Owl
BUGTRAQ ID: 12918
CVE(CAN) ID: CVE-2005-0469
TELNET协议允许通过Internet连接到虚拟网络终端上。
多个TELNET协议客户端的实现在处理telnet子协商选项时存在缓冲区溢出漏洞,如果用户使用有漏洞的客户端程序连接访问恶意telnet服务器,可能导致在客户端机器上执行恶意指令。
漏洞存在于telnet.c的slc_add_reply()函数中,此函数负责向一个长为128字节静态缓冲区添加针对TELNET子协商选项SLC的回应数据,在增加数据时没有进行任何的边界检查。恶意TELNET服务器可能向客户端发送超多SLC子协商选项可以导致静态缓冲区溢出,覆盖其后的数据结构,在特定程序代码和编译选项下可能影响进程的执行流程而执行任意指令。
<*来源:Gael Delalleau
iDEFENSE Labs (labs@idefense.com)
链接:http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-101665-1
http://lwn.net/Alerts/129334/?format=printable
www.idefense.com/application/poi/display?id=220
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:01.telnet.asc
*>
建议:
厂商补丁:
FreeBSD
-------
FreeBSD已经为此发布了一个安全公告(FreeBSD-SA-05:01)以及相应补丁:
FreeBSD-SA-05:01:telnet client buffer overflows
链接:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:01.telnet.asc
执行以下步骤之一:
1)把受此漏洞影响的系统升级到更正日期后的4-STABLE或5-STABLE或RELENG_5_3, RELENG_5_2, RELENG_4_11, RELENG_4_10,或RELENG_4_8 。
2) 对系统进行补丁操作:
a)下载如下补丁程序:
[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet4.patch.asc
[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet5.patch.asc
b)进行补丁操作:
# cd /usr/src
# patch < /path/to/patch
c)按照如下方法重新编译内核:
http://www.freebsd.org/handbook/kernelconfig.html
RedHat
------
RedHat已经为此发布了一个安全公告(RHSA-2005:327-01)以及相应补丁:
RHSA-2005:327-01:Important: telnet security update
链接:http://lwn.net/Alerts/129334/?format=printable
补丁下载:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/tel...
417f308264da21ba52f490671078437d telnet-0.17-20.EL2.3.src.rpm
i386:
9844ce440580371e21adb6e240f7ef32 telnet-0.17-20.EL2.3.i386.rpm
6a8a735c26c81c10fd03d25ed001c89c telnet-server-0.17-20.EL2.3.i386.rpm
ia64:
17e5e124770f7772cf0d4c4e24650b87 telnet-0.17-20.EL2.3.ia64.rpm
94149177b916123e92c80bf5412112fc telnet-server-0.17-20.EL2.3.ia64.rpm
Red Hat Linux Advanced Workstation 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/tel...
417f308264da21ba52f490671078437d telnet-0.17-20.EL2.3.src.rpm
ia64:
17e5e124770f7772cf0d4c4e24650b87 telnet-0.17-20.EL2.3.ia64.rpm
94149177b916123e92c80bf5412112fc telnet-server-0.17-20.EL2.3.ia64.rpm
Red Hat Enterprise Linux ES version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/tel...
417f308264da21ba52f490671078437d telnet-0.17-20.EL2.3.src.rpm
i386:
9844ce440580371e21adb6e240f7ef32 telnet-0.17-20.EL2.3.i386.rpm
6a8a735c26c81c10fd03d25ed001c89c telnet-server-0.17-20.EL2.3.i386.rpm
Red Hat Enterprise Linux WS version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/tel...
417f308264da21ba52f490671078437d telnet-0.17-20.EL2.3.src.rpm
i386:
9844ce440580371e21adb6e240f7ef32 telnet-0.17-20.EL2.3.i386.rpm
6a8a735c26c81c10fd03d25ed001c89c telnet-server-0.17-20.EL2.3.i386.rpm
文章整理:西部数码--专业提供域名注册、虚拟主机服务
http://www.west263.com
以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息,谢谢!
