ID

VAR-200505-0162

CVE

CVE-2005-0468

TITLE

OpenSSL may fail to properly parse invalid ASN.1 structures

DESCRIPTION

Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumers more memory than allocated. A flaw in the OpenSSL library could allow a remote attacker to cause a denial of service on an affected application. A buffer overflow in certain Apple AirPort drivers may allow an attacker to execute arbitrary code with system privileges, or create a denial-of-service condition. Multiple RSA implementations fail to properly handle RSA signatures. This vulnerability may allow an attacker to forge RSA signatures. Included with many products telnet Clients env_opt_add() There is a vulnerability that causes a buffer overflow when certain input data including escape characters is processed due to improper bounds checking in the function.Configured by a third party telnet Guided or crafted the target user to log in to the server Web By displaying the page, arbitrary code may be executed with the user's authority. Multiple vendors' Telnet client applications are reported prone to a remote buffer-overflow vulnerability. This vulnerability reportedly occurs in the 'env_opt_add()' function in the 'telnet.c' source file, which is apparently common source for all the affected vendors. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Apple Airport Probe Response Kernel Memory Corruption Vulnerability SECUNIA ADVISORY ID: SA22679 VERIFY ADVISORY: http://secunia.com/advisories/22679/ CRITICAL: Moderately critical IMPACT: DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: H.D. Moore has reported a vulnerability in the Apple Airport driver, which potentially can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error in the Airport driver provided with Orinoco-based Airport cards when handling probe response frames. This can be exploited to overwrite kernel memory and potentially execute arbitrary code when the driver is running in active scanning mode. The vulnerability is reported in the driver on a PowerBook running version 10.4.8. SOLUTION: Do not place the card into active scanning mode. PROVIDED AND/OR DISCOVERED BY: H D Moore ORIGINAL ADVISORY: http://projects.info-pull.com/mokb/MOKB-01-11-2006.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-crypt/mit-krb5 < 1.3.6-r2 >= 1.3.6-r2 Description =========== A buffer overflow has been identified in the env_opt_add() function, where a response requiring excessive escaping can cause a heap-based buffer overflow. Workaround ========== There is no known workaround at this time. Resolution ========== All mit-krb5 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.3.6-r2" References ========== [ 1 ] CAN-2005-0468 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468 [ 2 ] CAN-2005-0469 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469 [ 3 ] MITKRB5-SA-2005-001 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2005-001-telnet.txt Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200504-04.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : telnet client multiple issues Advisory number: SCOSA-2005.21 Issue date: 2005 April 08 Cross reference: sr893210 fz531446 erg712801 CAN-2005-0469 CAN-2005-0468 ______________________________________________________________________________ 1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0469 to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0468 to this issue. 2. Vulnerable Supported Versions System Binaries ---------------------------------------------------------------------- UnixWare 7.1.4 /usr/bin/telnet UnixWare 7.1.3 /usr/bin/telnet UnixWare 7.1.1 /usr/bin/telnet 3. Solution The proper solution is to install the latest packages. 4. UnixWare 7.1.4 4.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21 4.2 Verification MD5 (erg712801.714.pkg.Z) = bf53673ea12a1c25e3606a5b879adbc4 md5 is available for download from ftp://ftp.sco.com/pub/security/tools 4.3 Installing Fixed Binaries Upgrade the affected binaries with the following sequence: Download erg712801.714.pkg.Z to the /var/spool/pkg directory # uncompress /var/spool/pkg/erg712801.714.pkg.Z # pkgadd -d /var/spool/pkg/erg712801.714.pkg 5. UnixWare 7.1.3 5.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21 5.2 Verification MD5 (erg712801.713.pkg.Z) = e876b261afbecb41c18c26d6ec11e71d md5 is available for download from ftp://ftp.sco.com/pub/security/tools 5.3 Installing Fixed Binaries Upgrade the affected binaries with the following sequence: Download erg712801.713.pkg.Z to the /var/spool/pkg directory # uncompress /var/spool/pkg/erg712801.713.pkg.Z # pkgadd -d /var/spool/pkg/erg712801.713.pkg 6. UnixWare 7.1.1 6.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21 6.2 Verification MD5 (erg712801.711.pkg.Z) = f3099416a793c1f731bc7e377fe0e4a2 md5 is available for download from ftp://ftp.sco.com/pub/security/tools 6.3 Installing Fixed Binaries Upgrade the affected binaries with the following sequence: Download erg712801.711.pkg.Z to the /var/spool/pkg directory # uncompress /var/spool/pkg/erg712801.711.pkg.Z # pkgadd -d /var/spool/pkg/erg712801.711.pkg 7. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469 http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities SCO security resources: http://www.sco.com/support/security/index.html SCO security advisories via email http://www.sco.com/support/forums/security.html This security fix closes SCO incidents sr893210 fz531446 erg712801. 8. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 9. Acknowledgments SCO would like to thank Gal Delalleau and iDEFENSE ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (SCO/SYSV) iD8DBQFCVtn4aqoBO7ipriERAkZbAJ9qiuR3M89tJWzyJ3K7Q5NbBRTvMgCfdeFY JmJIo8zz/ppyCI4EQ5UY9jA= =8sOq -----END PGP SIGNATURE----- . Additional user interaction may not be required if the attacker can get the user to view HTML containing an IFRAME tag containing a "telnet:" URL pointing to a malicious server. AFFECTED SOFTWARE ================= * telnet client programs included with the MIT Kerberos 5 implementation, up to and including release krb5-1.4. * Other telnet client programs derived from the BSD telnet implementation may be vulnerable. FIXES ===== * WORKAROUND: Disable handling of "telnet:" URLs in web browsers, email readers, etc., or remove execute permissions from the telnet client program. * The upcoming krb5-1.4.1 patch release will contain fixes for this problem. * Apply the patch found at: http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt The associated detached PGP signature is at: http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt.asc The patch was generated against the krb5-1.4 release. It may apply against earlier releases with some offset. REFERENCES ========== This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html [IDEF0866] Multiple Telnet Client slc_add_reply() Buffer Overflow http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities CVE: CAN-2005-0469 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469 [IDEF0867] Multiple Telnet Client env_opt_add() Buffer Overflow http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities CVE: CAN-2005-0468 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468 ACKNOWLEDGMENTS =============== Thanks to iDEFENSE for notifying us of these vulnerabilities, and for providing useful feedback. DETAILS ======= The slc_add_reply() function in telnet.c performs inadequate length checking. The env_opt_add() function in telnet.c performs inadequate length checking

AFFECTED PRODUCTS