Telnetd Encryption Key ID Code Execution

Added: 02/11/2012
CVE: CVE-2011-4862
BID: 51182
OSVDB: 78020

Background

Telnet is a network protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communications facility using a virtual terminal connection.

Problem

The flaw is caused by a boundary error in the "encrypt_keyid()" function (libtelnet/encrypt.c): the length of a peer-supplied encryption key ID is not checked against the fixed-size buffer it is copied into. It can be exploited to cause a buffer overflow via a long encryption key ID.
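As an added illustration (not code from the page, telnetd or the MIT/FreeBSD patches), the following simplified model shows the shape of the defect described above and its hardened counterpart: a key ID handler that trusts the peer-supplied length beside one that bounds it before copying. The struct, the 64-byte buffer size and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the key ID storage in a telnetd encryption module.
 * The 64-byte buffer size is an assumption for this illustration. */
#define MAXKEYLEN 64

struct key_info {
    unsigned char keyid[MAXKEYLEN];
    int keylen;
};

/* Vulnerable pattern: the length announced by the peer is used directly as
 * the copy length, so a key ID longer than MAXKEYLEN writes past the end of
 * keyid. This mirrors the class of defect the advisory describes; it is not
 * the project's own code and is never called with oversized input below. */
void set_keyid_unchecked(struct key_info *kp, const unsigned char *data, int len)
{
    memcpy(kp->keyid, data, (size_t)len);
    kp->keylen = len;
}

/* Hardened form: validate the length against the buffer before copying.
 * Returns the stored length, or -1 if the key ID was rejected; on rejection
 * the stored key ID is left untouched. */
int set_keyid_checked(struct key_info *kp, const unsigned char *data, int len)
{
    if (len < 0 || len > MAXKEYLEN)
        return -1;
    memcpy(kp->keyid, data, (size_t)len);
    kp->keylen = len;
    return len;
}

int main(void)
{
    struct key_info ki = {{0}, 0};
    const unsigned char short_id[] = "abcdefgh";   /* constructed sample, 8 bytes */
    unsigned char long_id[200];                     /* constructed oversized key ID */
    memset(long_id, 'A', sizeof long_id);

    printf("short id accepted: %d\n", set_keyid_checked(&ki, short_id, 8));
    printf("long id accepted:  %d\n", set_keyid_checked(&ki, long_id, (int)sizeof long_id));
    return 0;
}
```

The check belongs before the copy, not after: once the unbounded memcpy has run, adjacent stack or heap data has already been overwritten, which is why the fix in this class of bug is a length comparison ahead of the copy rather than a truncation afterwards.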

Resolution

Apply the vendor supplied patch for the target system or update FreeBSD/krb5.

References

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt
http://thexploit.com/secdev/a-textbook-buffer-overflow-a-look-at-the-freebsd-telnetd-code/

Limitations

This exploit has been tested against telnetd on FreeBSD 8.0, FreeBSD 8.2, NetBSD 5.1 and Debian 6.0.2 Heimdal Server 1.5.

Platforms

FreeBSD 8.0
FreeBSD 8.1
FreeBSD 8.2
NetBSD 5.1
Linux / Debian
