Note: This is an archival copy of Security Sun Alert 200885 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000673.1.
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 7 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
There is a buffer overflow in the unprivileged telnet(1) utility. This is not a security vulnerability on its own. However, telnet(1) communicates with another host using the TELNET protocol and thus there is a small risk of a remote user successfully exploiting the overflow.
If a remote unprivileged user is able to cause a user to execute the telnet(1) utility on their client system, then that remote user may be able to execute arbitrary commands on the client system with the privileges of the user who executed telnet(1). The remote user may also be able to read the values of arbitrary shell environment variables of the user who executed telnet(1).
Sun acknowledges with thanks, iDEFENSE (http://www.idefense.com), for bringing these issues to our attention. These issues are also referenced in the following iDEFENSE documents:
IDEF0865 - Multiple Vendor Telnet Client Information Disclosure Vulnerability at http://www.idefense.com/application/poi/display?id=260
IDEF0866 - Multiple Telnet Client slc_add_reply() Buffer Overflow at http://www.idefense.com/application/poi/display?id=220
IDEF0867 - Multiple Telnet Client env_opt_add() Buffer Overflow at http://www.idefense.com/application/poi/display?id=221
These issues are also described in the following CAN documents:
CAN-2005-0468 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468
CAN-2005-0469 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
CAN-2005-0488 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0488
These issues are also described in the following CERT Vulnerability Notes:
VU#291924 at http://www.kb.cert.org/vuls/id/291924
VU#341908 at http://www.kb.cert.org/vuls/id/341908
VU#800829 at http://www.kb.cert.org/vuls/id/800829
These issues can occur in the following releases:
There are no predictable symptoms that would indicate the described issues have been exploited.
To work around the described issues until patches can be installed, sites may consider removing the execute permissions from the Solaris telnet(1) utility. To accomplish this, the following command can be run (as "root"):
# chmod 000 /usr/bin/telnet
To restore the original permissions to the telnet(1) utility (after the patches have been applied) the following command can be run (as "root"):
# chmod 555 /usr/bin/telnet
These issues are resolved in the following releases:
This solution has no attachment