[4608] in linux-net channel archive
Re: A SERIOUS security problem!!!!
daemon@ATHENA.MIT.EDU (David Bonn)
Mon Sep 30 22:25:14 1996
Date: Mon, 30 Sep 1996 14:32:19 -0700
From: David Bonn <david@sealabs.com>
To: linux-net@vger.rutgers.edu
In-Reply-To: <Pine.LNX.3.91.960930071254.25146C-100000@lantz.com>
CC entries trimmed. I don't see why Linus and Alan need an extra copy
of this.
>>>>> "Brian" == Brian A Lantz <brian@lantz.com> writes:
>>>>> "Alan" == Alan Cox <alan@cymru.net> writes:
Brian> This uses a security hole in telnetd, which allows passing of
Brian> environment variables into 'login'. They define
Brian> 'LD_LIBRARY_PATH' to point to a user (or incoming ftp)
Brian> directory containing a new 'libc.so.4' or a 'libroot.so' (also
Brian> supplied in the cracker's kit), which contains NO security
Brian> checking, and logs them in as root.
Alan> Yawn. If you followed any security list (even cert announce) you'd know
Alan> this problem across multiple architectures was reported and
Alan> fixed over a year ago
Brian> Yawn, I KNOW it WAS found long ago, but I also know that there are MANY
Brian> who did not hear of it!
One key question is how many of the people who haven't heard of it are
at risk. Recent Redhat distributions certainly have this hole fixed,
and all of the distribution makers are pretty good about providing
prompt security problem bugfixes. If you are using Linux you should
make some effort to track these updates.
A good source for such information is the Linux Security WWW site at
http://bach.cis.temple.edu:80/linux/linux-security/
I especially recommend subscribing to the linux-alert mailing list for
prompt notification of such problems.
This particular problem was reported as an alert on November 28th,
1995. If you want to know more about the telnet hole and how to
fix it, check out:
http://bach.cis.temple.edu/linux/linux-security/Linux-Security-FAQ/Linux-telnetd.html
According to this page, if you are running Slackware 3.0 or later,
Redhat 2.1 or later, Caldera Network Desktop (the previews are
vulnerable!), or a recent Debian distribution (I don't know Debian
distributions) this IS NOT a problem for you.
'nuff said, back to Linux networking...
dwb
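
Added example, not part of the original message and not taken from any telnetd source: one way a login-spawning daemon can drop client-supplied variables such as LD_LIBRARY_PATH before it executes 'login'. The deny list, the function names and the sample environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Prefixes of variables that influence the dynamic linker or shell word
 * splitting. This deny list is an assumption chosen for the example. */
static const char *const unsafe_prefixes[] = {
    "LD_", "_RLD_", "LIBPATH=", "IFS=", NULL
};

/* Return 1 if the "NAME=value" entry starts with an unsafe prefix. */
static int is_unsafe(const char *entry)
{
    for (size_t i = 0; unsafe_prefixes[i] != NULL; i++) {
        size_t len = strlen(unsafe_prefixes[i]);
        if (strncmp(entry, unsafe_prefixes[i], len) == 0)
            return 1;
    }
    return 0;
}

/* Compact a NULL-terminated environment array in place, dropping unsafe
 * and malformed (no '=') entries. Returns the number of entries removed. */
size_t scrub_env(char **env)
{
    size_t kept = 0, removed = 0;
    for (size_t i = 0; env[i] != NULL; i++) {
        if (is_unsafe(env[i]) || strchr(env[i], '=') == NULL)
            removed++;
        else
            env[kept++] = env[i];
    }
    env[kept] = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample of what a remote client might ask to have set. */
    char *env[] = { "TERM=vt100", "LD_LIBRARY_PATH=/home/ftp/incoming",
                    "DISPLAY=host:0", "LD_PRELOAD=/tmp/libroot.so",
                    "IFS=/", NULL };
    size_t removed = scrub_env(env);
    printf("removed %zu entries; passing to login:\n", removed);
    for (size_t i = 0; env[i] != NULL; i++)
        printf("  %s\n", env[i]);
    return 0;
}
```

A stricter design inverts the check and forwards only an explicit allow list of variables to 'login'.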