Kerberos telnet Crafted Username Remote Authentication Bypass

High Nessus Plugin ID 24998


It is possible to log into the remote host using telnet without supplying any credentials.


An authentication bypass vulnerability exists in the MIT krb5 telnet daemon due to a failure to sanitize malformed usernames. This allows usernames beginning with '-e' to be interpreted as a command-line flag by the login.krb5 program. A remote attacker can exploit this, via a crafted username, to cause login.krb5 to execute part of the BSD rlogin protocol, which in turn allows the attacker to log in with an arbitrary username without a password or any further authentication.
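The root cause above is a client-supplied username reaching a privileged login helper as an argv element that the helper can parse as an option. The following is an added example, not MIT's code, of the input check a daemon should apply before the exec; the helper name build_login_argv, the login path and the use of BSD login's -h/-p flags are assumptions made for illustration.

```c
/* Added example (not from MIT krb5): refuse usernames that a privileged
   login program could mistake for command-line options. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_USERNAME 32

/* Returns 1 if name is acceptable for handing to login, 0 otherwise.
   Allow-list: POSIX portable user-name characters [A-Za-z0-9._-],
   non-empty, bounded length, and never a leading '-' (which is exactly
   how a "username" such as "-e" becomes a flag for login.krb5). */
int username_is_safe(const char *name)
{
    if (name == NULL) return 0;
    size_t len = strlen(name);
    if (len == 0 || len > MAX_USERNAME) return 0;
    if (name[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hypothetical helper: builds the argv a daemon would pass to login.
   Returns 0 on success, -1 (argv untouched) when the name is refused,
   so no exec can happen with an option-shaped username. */
int build_login_argv(const char *login_path, const char *remote_host,
                     const char *name, const char *argv_out[6])
{
    if (!username_is_safe(name)) return -1;
    argv_out[0] = login_path;
    argv_out[1] = "-h";          /* originating host, as BSD login expects */
    argv_out[2] = remote_host;
    argv_out[3] = "-p";          /* preserve environment */
    argv_out[4] = name;          /* username is the last positional arg */
    argv_out[5] = NULL;
    return 0;
}
```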


Apply the fixes described in MIT krb5 Security Advisory 2007-001, or contact your vendor for a patch.

Plugin Details

Severity: High

ID: 24998

File Name: krb_telnet_env.nasl

Version: $Revision: 1.24 $

Type: remote

Published: 2007/04/05

Modified: 2016/05/11

Dependencies: 17975

Risk Information

Risk Factor: High


Base Score: 7.6

Temporal Score: 6.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:mit:kerberos

Excluded KB Items: global_settings/supplied_logins_only

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 2007/04/03

Exploitable With

CANVAS (D2ExploitPack)

Reference Information

CVE: CVE-2007-0956

BID: 23281

OSVDB: 34106

CERT: 220816