xtell Information Disclosure Vulnerability

vendor:

xtell

by:

SecurityFocus

3.3

CVSS

MEDIUM

Information Disclosure

200

CWE

Product Name: xtell

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: Yes

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux, BSD and most other Unix based operating systems

2002

xtell Information Disclosure Vulnerability

An information disclosure vulnerability has been reported in some versions of xtell. When a message is sent to a user, the response generated by xtell states whether that user is currently logged on to the system. An attacker may be able to use this information to aid in additional attacks, or in social engineering attempts. It is possible to send a maliciously formatted message to xtell such that this information is disclosed, yet no message is displayed or logged. This may allow the attack to go undetected.

Mitigation:

Upgrade to the latest version of xtell.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/4196/info

xtell is a simple network messaging program. It may be used to transmit terminal messages between users and machines. xtell is available for Linux, BSD and most other Unix based operating systems.

An information disclosure vulnerability has been reported in some versions of xtell. When a message is sent to a user, the response generated by xtell states whether that user is currently logged on to the system. An attacker may be able to use this information to aid in additional attacks, or in social engineering attempts.

It is possible to send a maliciously formatted message to xtell such that this information is disclosed, yet no message is displayed or logged. This may allow the attack to go undetected.

Earlier versions of xtell may share this vulnerability. This has not been confirmed. 

echo :USER::`perl -e 'print "A" x 2000'`| nc victimhost 4224