Multiple Telnet Client slc_add_reply() Buffer Overflow Vulnerability

iDEFENSE Security Advisory 03.28.05
www.idefense.com/application/poi/display?id=220&type=vulnerabilities
March 28, 2005

I. BACKGROUND

The TELNET protocol allows virtual network terminals to be connected to over the Internet. The initial description of the protocol was given in RFC854 in May 1983. Since then many extra features have been added, including encryption.

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in multiple telnet clients may allow execution of arbitrary commands.

The vulnerability specifically exists in the handling of the LINEMODE suboptions: no size check is made on the output, which is stored in a fixed-length buffer. By sending a specially constructed reply containing a large number of SLC (Set Local Character) commands, it is possible to overflow this buffer with server-supplied data.

III. ANALYSIS

Successful exploitation would allow a remote attacker to execute arbitrary code in the context of the user who initiated the telnet process. In order to exploit this vulnerability, an attacker would need to convince the user to connect to their malicious server. It may be possible to automatically launch the telnet command from a webpage, for example:
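The defect described in section II, shown as an added illustration rather than any affected client's actual code: an SLC reply builder that refuses a triplet when the fixed buffer cannot hold it. The buffer size, the struct, the function names and the 300-byte sample suboption body are assumptions constructed for the example.

```c
#include <stddef.h>

#define IAC 255                 /* TELNET "Interpret As Command" byte */
#define SLC_REPLY_SIZE 128      /* assumed fixed size of the client's reply buffer */

struct slc_reply {
    unsigned char buf[SLC_REPLY_SIZE];
    size_t len;                 /* bytes used so far */
    int refused;                /* set once an append no longer fits */
};

/* Append one SLC triplet (func, flags, level), doubling any IAC byte as
 * TELNET requires. The vulnerable pattern wrote the bytes with no check on
 * remaining space; here a triplet is assumed to need up to 6 bytes (every
 * byte could be IAC) and is refused unless that much room is left.
 * Returns 1 if appended, 0 if refused. */
int slc_add_reply(struct slc_reply *r, unsigned char func,
                  unsigned char flags, unsigned char level)
{
    const unsigned char v[3] = { func, flags, level };
    if (r->len + 6 > sizeof r->buf) { r->refused = 1; return 0; }
    for (int i = 0; i < 3; i++) {
        r->buf[r->len++] = v[i];
        if (v[i] == IAC) r->buf[r->len++] = IAC;
    }
    return 1;
}

/* Process a LINEMODE SLC suboption body of n bytes (consecutive triplets)
 * as received from the server; returns how many triplets were accepted. */
size_t slc_process(struct slc_reply *r, const unsigned char *data, size_t n)
{
    size_t accepted = 0;
    for (size_t i = 0; i + 3 <= n; i += 3) {
        if (!slc_add_reply(r, data[i], data[i + 1], data[i + 2])) break;
        accepted++;
    }
    return accepted;
}

/* Constructed sample: a reply carrying 100 SLC triplets (300 bytes), far
 * more than the 128-byte buffer can hold. Returns the triplets accepted. */
size_t demo(void)
{
    unsigned char data[300];
    for (size_t i = 0; i < sizeof data; i += 3) {
        data[i] = 1; data[i + 1] = 2; data[i + 2] = 3;
    }
    struct slc_reply r = { {0}, 0, 0 };
    return slc_process(&r, data, sizeof data);
}
```

With the unchecked pattern the same 300-byte body would write 172 bytes past the end of the buffer; the bounded version stops at 41 triplets and records that it refused the rest.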