CAN 2002-0332
Buffer overflows in the code which processes reverse host name resolution, data returned by the auth service, and output data could allow a remote attacker to execute arbitrary commands. Access to one's own DNS server or a fake ident server would be required for an attacker to exploit the first two buffer overflows, and would be helpful but not necessarily required for the last one.
xtelld does not verify that the TTY provided by the client is the valid terminal device for the user. By manipulating the TTY field, an attacker could write to arbitrary devices in the /dev directory.
CAN 2002-0333
Furthermore, using a directory traversal (../) attack, the attacker could create files outside the /dev directory, but since the TTY field is limited to eight characters, the possibilities for remote exploitation are limited.
xtelld returns different response codes depending upon whether or not the intended recipient is currently logged in. This condition reveals information that would normally be unavailable if the finger and rusers services were shut off. This information could be useful to an attacker in planning an attack.