Telnetd telnet server in IRIX 5.2 through 6.1 does not properly cleans user-injected format strings, which allows remote attackers to execute arbitrary commands via a long RLD variable in the IAC-SB-TELOPT_ENVIRON request.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Irix | Sgi | 5.2 (including) | 5.2 (including) |
| Irix | Sgi | 5.3 (including) | 5.3 (including) |
| Irix | Sgi | 6.0 (including) | 6.0 (including) |
| Irix | Sgi | 6.0.1 (including) | 6.0.1 (including) |
| Irix | Sgi | 6.1 (including) | 6.1 (including) |
| Irix | Sgi | 6.2 (including) | 6.2 (including) |
| Irix | Sgi | 6.3 (including) | 6.3 (including) |
| Irix | Sgi | 6.4 (including) | 6.4 (including) |
| Irix | Sgi | 6.5 (including) | 6.5 (including) |
| Irix | Sgi | 6.5.1 (including) | 6.5.1 (including) |
| Irix | Sgi | 6.5.2m (including) | 6.5.2m (including) |
| Irix | Sgi | 6.5.3 (including) | 6.5.3 (including) |
| Irix | Sgi | 6.5.3f (including) | 6.5.3f (including) |
| Irix | Sgi | 6.5.3m (including) | 6.5.3m (including) |
| Irix | Sgi | 6.5.4 (including) | 6.5.4 (including) |
| Irix | Sgi | 6.5.6 (including) | 6.5.6 (including) |
| Irix | Sgi | 6.5.7 (including) | 6.5.7 (including) |
| Irix | Sgi | 6.5.8 (including) | 6.5.8 (including) |