cbcvebase.
CVE-2005-0468
published 2005-05-02

Priority: P3 · 52 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 27.07% (97.8th percentile)
Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumes more memory than allocated.

Affected

24 ranges

Vendor           Product   Version range           Fixed in
debian           heimdal   < 0.6.3-11 (bookworm)   heimdal 0.6.3-11 (bookworm)
debian           krb5      < 1.3.6-2 (bookworm)    krb5 1.3.6-2 (bookworm)
heimdal_project  heimdal   >= 0, < 0.6.3-11        0.6.3-11
mit              krb5      >= 0, < 1.3.6-2         1.3.6-2
ncsa             telnet
telnetd          telnetd

Detection & IOCs (extracted from sources)

Command: perl -e 'print "\377", "\372\42\3\377\377\3\3" x 43, "\377\360"' | nc -l 23
  • Trigger is a malicious Telnet server sending IAC SB responses with a large number of characters requiring escaping (e.g., 0xFF bytes), causing a heap overflow in env_opt_add() in telnet.c.
  • The exploit payload uses repeated IAC SB (0xFF 0xFA) option subnegotiation sequences ("\372\42\3\377\377\3\3" repeated 43 times) followed by IAC SE (0xFF 0xF0), delivered over TCP port 23. Monitor for anomalous Telnet subnegotiation traffic with a high density of 0xFF escape sequences.
  • The vulnerable function is env_opt_add() in telnet.c; look for process crashes or unexpected code execution in telnet client processes after connecting to an untrusted server.
  • The attack vector is a malicious or rogue Telnet server, so any outbound Telnet (TCP/23) connection to an untrusted host should be treated as a potential exploitation vector for this CVE.
  • Red Hat Enterprise Linux 5 is not affected due to a backported patch; do not flag RHEL5 systems as vulnerable.
  • The Debian fix is in package version 1.3.6-2; systems running earlier versions of the netkit-telnet package across bookworm/bullseye/trixie/forky/sid are vulnerable.
  • CVE-2005-0468 is distinct from the related Heimdal telnetd overflow CVE-2005-2040; do not conflate the two when scoping affected packages.
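The detection advice above (flag subnegotiations dense with escaped 0xFF bytes) as an added example, not code from the CVE record or from any telnet implementation: a small parser that walks a captured Telnet byte stream, extracts each IAC SB ... IAC SE block and counts the escaped IAC pairs inside it. The threshold of 16, the option numbers and the two sample streams are constructed assumptions.

```python
# Added example, not from the CVE record: extract IAC SB ... IAC SE
# subnegotiations from a raw Telnet byte stream and flag those carrying an
# unusually high count of escaped IAC (0xFF 0xFF) bytes, the pattern the
# advisory describes. The threshold is an assumption, not an advisory value.
IAC, SB, SE = 0xFF, 0xFA, 0xF0


def parse_subnegotiations(stream: bytes) -> list:
    """One record per complete IAC SB <opt> ... IAC SE block: option byte,
    unescaped payload length and number of escaped IAC pairs inside it."""
    records, i, n = [], 0, len(stream)
    while i < n:
        if stream[i] != IAC or i + 2 >= n or stream[i + 1] != SB:
            i += 1
            continue
        option, j = stream[i + 2], i + 3
        payload_len = escaped = 0
        closed = False
        while j < n:
            if stream[j] == IAC and j + 1 < n:
                nxt = stream[j + 1]
                if nxt == IAC:              # escaped 0xFF data byte
                    escaped += 1
                    payload_len += 1
                    j += 2
                    continue
                if nxt == SE:               # end of subnegotiation
                    closed = True
                    j += 2
                    break
            payload_len += 1                # ordinary payload byte
            j += 1
        if closed:                          # ignore truncated blocks
            records.append({"option": option, "payload_len": payload_len,
                            "escaped_iac": escaped})
        i = j
    return records


def flag_suspicious(stream: bytes, max_escaped: int = 16) -> list:
    """Subnegotiations whose escaped-IAC count exceeds the assumed threshold."""
    return [r for r in parse_subnegotiations(stream) if r["escaped_iac"] > max_escaped]


# Constructed samples: a benign NEW-ENVIRON (option 39) SEND request, and a
# block stuffed with escaped 0xFF bytes like the traffic described above.
BENIGN = bytes([IAC, SB, 39, 1, IAC, SE])
SUSPICIOUS = bytes([IAC, SB, 39, 0]) + bytes([IAC, IAC]) * 40 + bytes([IAC, SE])
```

Run it over the server-to-client direction of a TCP/23 capture; a legitimate environment or terminal-type reply rarely needs more than a handful of escaped bytes, so a block with dozens is worth an alert.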

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                     7.5    HIGH
vendor_debian           7.5    HIGH
vendor_redhat           7.5    HIGH
vendor_ubuntu           7.5    HIGH