CVE-2005-0468: Heap-based buffer overflow in the env_opt_add function in telnet.c
Published 2005-05-02
Priority: P352 · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 27.07% (97.8th percentile)
Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumes more memory than allocated.
Affected: 24 ranges (duplicate rows collapsed)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | heimdal | < heimdal 0.6.3-11 (bookworm) | heimdal 0.6.3-11 (bookworm) |
| debian | krb5 | < krb5 1.3.6-2 (bookworm) | krb5 1.3.6-2 (bookworm) |
| heimdal_project | heimdal | >= 0 < 0.6.3-11 | 0.6.3-11 |
| mit | krb5 | >= 0 < 1.3.6-2 | 1.3.6-2 |
| ncsa | telnet | not specified | not specified |
| telnetd | telnetd | not specified | not specified |
Detection & IOCs (extracted from sources)

- Trigger is a malicious Telnet server sending IAC SB responses with a large number of characters requiring escaping (e.g., 0xFF bytes), causing a heap overflow in env_opt_add() in telnet.c.
- The exploit payload uses repeated IAC SB (0xFF 0xFA) option subnegotiation sequences (0x372\42\3\377\377\3\3 repeated 43 times) followed by IAC SE (0xFF 0xF0), delivered over TCP port 23; monitor for anomalous Telnet subnegotiation traffic with high-density 0xFF escape sequences.
- Vulnerable function is env_opt_add() in telnet.c; look for process crashes or unexpected code execution in telnet client processes after connecting to an untrusted server.
- Attack vector is a malicious/rogue Telnet server; any outbound Telnet (TCP/23) connection to an untrusted host should be treated as a potential exploitation vector for this CVE.
- Red Hat Enterprise Linux 5 is not affected due to a backported patch; do not flag RHEL5 systems as vulnerable.
- Debian fix is in package version 1.3.6-2; systems running earlier versions of the netkit-telnet package across bookworm/bullseye/trixie/forky/sid are vulnerable.
- CVE-2005-0468 is distinct from the related Heimdal telnetd overflow CVE-2005-2040; do not conflate the two when scoping affected packages.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | not stated | 7.5 | HIGH | not stated |
| vendor_debian | not stated | 7.5 | HIGH | not stated |
| vendor_redhat | not stated | 7.5 | HIGH | not stated |
| vendor_ubuntu | not stated | 7.5 | HIGH | not stated |
Ubuntu: Kerberos vulnerabilities
Source: vendor_ubuntu · 2005-12-06 · CVSS 7.5 · HIGH
Gaël Delalleau discovered a buffer overflow in the env_opt_add() function of the Kerberos 4 and 5 telnet clients. By sending specially crafted replies, a malicious telnet server could exploit this to execute arbitrary code with the privileges of the user running the telnet client. (CVE-2005-0468)

Gaël Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in the telnet clients of Kerberos 4 and 5. By sending a specially constructed reply containing a large number of SLC (Set Local Character) commands, a remote attacker (i.e. a malicious telnet server) could execute arbitrary commands with the privileges of the user running the telnet client. (CVE-2005-0469)
Daniel Wachdorf discovered two remot
Red Hat: security flaw
Source: vendor_redhat · 2005-03-28 · CVSS 7.5 · HIGH

Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumes more memory than allocated.
Statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Debian: CVE-2005-0468: krb5 - Heap-based buffer overflow in the env_opt_add function in telnet.c
Source: vendor_debian · 2005 · CVSS 7.5 · HIGH

Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumes more memory than allocated.
Scope: local
bookworm: resolved (fixed in 1.3.6-2)
bullseye: resolved (fixed in 1.3.6-2)
forky: resolved (fixed in 1.3.6-2)
sid: resolved (fixed in 1.3.6-2)
trixie: resolved (fixed in 1.3.6-2)
Debian: CVE-2005-2040: heimdal - Multiple buffer overflows in the getterminaltype function in telnetd for Heimdal
Source: vendor_debian · 2005 · CVSS 7.5 · HIGH
Multiple buffer overflows in the getterminaltype function in telnetd for Heimdal before 0.6.5 may allow remote attackers to execute arbitrary code, a different vulnerability than CVE-2005-0468 and CVE-2005-0469.
Scope: local
bookworm: resolved (fixed in 0.6.3-11)
bullseye: resolved (fixed in 0.6.3-11)
forky: resolved (fixed in 0.6.3-11)
sid: resolved (fixed in 0.6.3-11)
trixie: resolved (fixed in 0.6.3-11)
GHSA: GHSA-7xw6-7f8j-hr4m: Heap-based buffer overflow in the env_opt_add function in telnet
Source: ghsa_unreviewed · 2022-05-03 · HIGH

Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumes more memory than allocated.
GHSA: GHSA-r4rj-wjf2-m94v: Multiple buffer overflows in the getterminaltype function in telnetd for Heimdal before 0.6.5
Source: ghsa_unreviewed · 2022-05-01 · CVSS 7.5 · HIGH
Multiple buffer overflows in the getterminaltype function in telnetd for Heimdal before 0.6.5 may allow remote attackers to execute arbitrary code, a different vulnerability than CVE-2005-0468 and CVE-2005-0469.
OSV: CVE-2005-2040: Multiple buffer overflows in the getterminaltype function in telnetd for Heimdal before 0.6.5
Source: osv · 2005-06-20 · CVSS 7.5 · HIGH
Multiple buffer overflows in the getterminaltype function in telnetd for Heimdal before 0.6.5 may allow remote attackers to execute arbitrary code, a different vulnerability than CVE-2005-0468 and CVE-2005-0469.
OSV: CVE-2005-0468: Heap-based buffer overflow in the env_opt_add function in telnet
Source: osv · 2005-05-02 · CVSS 7.5 · HIGH

Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumes more memory than allocated.
No detection rules found.
References

- ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:01.telnet.asc
- ftp://patches.sgi.com/support/free/security/advisories/20050405-01-P
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000962
- http://secunia.com/advisories/14745
- http://secunia.com/advisories/17899
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-101665-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-101671-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-57755-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-57761-1
- http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt
- http://www.debian.de/security/2005/dsa-731
- http://www.debian.org/security/2005/dsa-703
- http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
- http://www.kb.cert.org/vuls/id/341908
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:061
- http://www.redhat.com/support/errata/RHSA-2005-327.html
- http://www.redhat.com/support/errata/RHSA-2005-330.html
- http://www.securityfocus.com/bid/12919
- http://www.ubuntulinux.org/usn/usn-224-1
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9640