[4583] in linux-net channel archive
Re: A SERIOUS security problem!!!!
daemon@ATHENA.MIT.EDU (Jon Lewis)
Mon Sep 30 03:59:35 1996
Date: Sun, 29 Sep 1996 16:51:09 -0400 (EDT)
From: Jon Lewis <jlewis@inorganic5.fdt.net>
To: "Brian A. Lantz" <brian@lantz.com>
cc: Linux Net Mailing List <linux-net@vger.rutgers.edu>
In-Reply-To: <Pine.LNX.3.91.960929141949.27279B-100000@lantz.com>
On Sun, 29 Sep 1996, Brian A. Lantz wrote:
> This uses a security hole in telnetd, which allows passing of environment
> variables into 'login'. They define 'LD_LIBRARY_PATH' to point to a user
> (or incoming ftp) directory containing a new 'libc.so.4' or a
> 'libroot.so' (also supplied in the cracker's kit), which contains NO
> security checking, and logs them in as root.
This is OLD news. Perhaps linux-security should be required reading for
anyone putting a Linux box on the net. Back when this problem came out, I
did my own hacked libc.so.4 and edited crypt such that if a certain
password was tested with crypt it would make a new account and hide a suid
root bash in /tmp. I used this to break into some of my own systems for
kicks and then put back the fixed telnetd.
Fixes for telnetd to unsetenv "bad" variables have been available for some
time from the Red Hat people, the Debian people, and should be in any
fairly recent NetKit-B.
If you didn't know about this, you're probably also vulnerable to the
libresolv problem where any user on your system can have root read access
to any file (like /etc/shadow). I solved that on my systems by getting ld
1.7.14 and hacking it such that certain env variables always get
clobbered.
Try this as a non-root user:
export RESOLV_HOST_CONF=/etc/shadow
then run any suid program that does network stuff...like ping, traceroute,
rlogin, sendmail, etc. Watch your shadow file spit out on the console.
------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/hr.
________Finger jlewis@inorganic5.fdt.net for PGP public key_______
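The telnetd fix the reply refers to ("unsetenv 'bad' variables") and Jon's own ld hack both come down to one thing: a privileged program filters its inherited environment before trusting it. The C block below is an added illustration of that filter and is not code from this post, from NetKit-B, or from any distribution's telnetd or login patch. The prefix list and the sample environment are constructed for the example and keyed to the two variable names the mail discusses, LD_LIBRARY_PATH (matched via the LD_ prefix) and RESOLV_HOST_CONF (matched via RESOLV_); a real fix would carry its own, longer list. The `demo_*` helpers exist only to expose the result for checking.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed prefix list for this example: every entry whose NAME starts
 * with one of these prefixes is dropped.  "LD_" covers LD_LIBRARY_PATH
 * (the telnetd/login problem in the mail); "RESOLV_" covers RESOLV_HOST_CONF
 * (the libresolv problem).  A real telnetd fix would carry its own list. */
static const char *const dangerous_prefixes[] = { "LD_", "RESOLV_", NULL };

/* Return 1 if a "NAME=value" entry names a variable a privileged program
 * must not inherit, 0 otherwise.  Only the NAME part is compared, so an
 * unrelated value that happens to contain "LD_" is not affected. */
int env_is_dangerous(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t name_len = eq ? (size_t)(eq - entry) : strlen(entry);
    for (int i = 0; dangerous_prefixes[i] != NULL; i++) {
        size_t plen = strlen(dangerous_prefixes[i]);
        if (name_len >= plen && strncmp(entry, dangerous_prefixes[i], plen) == 0)
            return 1;
    }
    return 0;
}

/* Build a NULL-terminated copy of envp with the dangerous entries removed.
 * The strings themselves are not copied.  Returns the number of entries
 * kept and stores the new array in *out (caller frees it with free()); on
 * allocation failure *out is NULL and 0 is returned. */
size_t sanitize_env(char *const envp[], char ***out)
{
    size_t total = 0;
    while (envp[total] != NULL)
        total++;

    char **kept = calloc(total + 1, sizeof *kept);
    if (kept == NULL) {
        *out = NULL;
        return 0;
    }

    size_t n = 0;
    for (size_t i = 0; i < total; i++) {
        if (!env_is_dangerous(envp[i]))
            kept[n++] = envp[i];
    }
    kept[n] = NULL;   /* execve() requires NULL termination */
    *out = kept;
    return n;
}

/* Constructed sample environment, as a remote telnet client might pass it,
 * including the two variables the mail discusses. */
static char *const sample_env[] = {
    "PATH=/usr/bin:/bin",
    "LD_LIBRARY_PATH=/tmp/incoming",     /* would redirect the libc lookup */
    "TERM=vt100",
    "RESOLV_HOST_CONF=/etc/shadow",      /* would make libresolv read that file */
    "HOME=/home/someone",
    NULL
};

/* Helpers (example-only) that expose the filtered result for checking. */
size_t demo_kept_count(void)
{
    char **out;
    size_t n = sanitize_env(sample_env, &out);
    free(out);
    return n;
}

int demo_kept_matches(size_t idx, const char *expected)
{
    char **out;
    size_t n = sanitize_env(sample_env, &out);
    int ok = (out != NULL && idx < n && strcmp(out[idx], expected) == 0);
    free(out);
    return ok;
}

int main(void)
{
    char **clean;
    size_t n = sanitize_env(sample_env, &clean);
    printf("kept %zu of 5 entries:\n", n);
    for (size_t i = 0; clean != NULL && clean[i] != NULL; i++)
        printf("  %s\n", clean[i]);
    free(clean);
    return 0;
}
```

The filter compares prefixes against the variable name only, so a value such as `FOO=LD_LIBRARY_PATH` survives while `LD_PRELOAD=...` and `LDAP_`-style names are handled correctly (the trailing underscore in `LD_` keeps `LDAP_SERVER` out of the match). The filtered array is what a daemon would hand to `execve()` for `login`; the equivalent in a setuid binary is to drop these names from `environ` before any library call that might consult them.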