COMMAND

    telnet

SYSTEMS AFFECTED

    FreeBSD, OpenBSD

PROBLEM

    Aaron Campbell posted following.  FreeBSD PR/6317 notes a  problem
    in the telnet(1) client.  The -E option disables escape characters
    entirely so it  is not supposed  to be possible  to escape to  the
    `telnet>' prompt.  However, if the -8 (binary) option is specified
    to  telnet  as  well  (i.e.,  telnet  -8E  ), sending a 0xFF
    character would indeed  still cause the  escape.  This  could be a
    security issue on systems that jail users in "canned" environments
    (i.e.,  lynx-only  freenet  systems)  but  allow use of the telnet
    client.   If  the  bug  described  above  were  present  and   the
    conditions  were  right,  a  user  may  be  able  to escape to the
    telnet> prompt and, for example, run shell commands using the  `!'
    mechanism.  Btw, Andrew Maltsev found it.

    If you want to test this on your system, it can be easily done  in
    X.   Open  up  an  xterm  and  type:  printf "\777\n" at the shell
    prompt.  Highlight and copy the strange character printed.  Now do
    a telnet -8E  and paste the character, see if it escapes  to
    the prompt. Ok, this might not work on all systems, but it  worked
    for some.

SOLUTION

    FreeBSD fixed this and OpenBSD adopted  the fix as well.  No  idea
    about the status of other operating systems.