search menu icon-carat-right cmu-wordmark

CERT Coordination Center

AbsoluteTelnet vulnerable to buffer overflow via overly long window title

Vulnerability Note VU#666073

Original Release Date: 2003-02-07 | Last Revised: 2003-02-07

Overview

A remotely exploitable buffer overflow vulnerability exists in AbsoluteTelnet. This vulnerability may allow a malicious server operator to execute arbitrary code on a vulnerable client.

Description

AbsoluteTelnet is a terminal client. A remotely exploitable buffer overflow vulnerability exists in the code that sets the terminal titlebar. This vulnerability may allow a malicious server operator to execute arbitrary code. An exploit for this vulnerability is publicly available.

Impact

A malicious server operator may be able to execute arbitrary code on a host running AbsoluteTelnet.

Solution

Upgrade to AbsoluteTelnet version 2.12 RC10. For information on how to obtain 2.12 RC10, please see http://www.celestialsoftware.net/telnet/beta_software.html.

Vendor Information

666073
 

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was discovered by Knud Erik Højgaard.

This document was written by Ian A Finlay.

Other Information

CVE IDs: None
Severity Metric: 22.20
Date Public: 2003-02-06
Date First Published: 2003-02-07
Date Last Updated: 2003-02-07 20:58 UTC
Document Revision: 10

Sponsored by CISA.