[1230] in linux-security and linux-alert archive

Re: [linux-security] Attempt to break through ftp

daemon@ATHENA.MIT.EDU (Rob van Nieuwkerk)
Thu Oct 17 20:28:35 1996

From: Rob van Nieuwkerk <robn@verdi.et.tudelft.nl>
To: juphoff@tarsier.cv.nrao.edu (Jeff Uphoff)
Date: Thu, 17 Oct 1996 12:53:46 +0200 (MET DST)
Cc: fnevgeny@plasma-gate.weizmann.ac.il, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199610162119.RAA00527@tarsier.cv.nrao.edu> from "Jeff Uphoff" at Oct 16, 96 05:19:08 pm

> Basic (remote) attack goes as follows:
> 
> 1) FTP this library into a site's incoming area.
> 
> 2) Start telnet.
> 
> 3) Pass the fully-qualified path to the library in the remote system's
>    FTP incoming area as $LD_PRELOAD via telnet's environment-passing
>    features.
> 
> 4) Connect to the remote system.
> 
> 5) You've now got root on the remote system, without any authentication.

> Local attack varies in that you can use /tmp for stashing the library
> and then just connect to localhost.  (These instructions can all be
> found in the readme for the source code.)

Does anyone know if SSH is vulnerable to this trick?

	Rob van Nieuwkerk
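
A defensive counterpart to the attack quoted above, as an added example that is not part of the original message or of any telnetd or SSH source: a login daemon can drop dynamic-linker variables from the client-supplied environment before it execs login. The function name scrub_env, the deny list and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed deny list, not exhaustive: prefixes of variables that steer the
 * dynamic linker on common Unix systems (LD_PRELOAD, LD_LIBRARY_PATH, ...). */
static const char *const deny_prefix[] = { "LD_", "_RLD_", "LIBPATH=", NULL };

static int is_denied(const char *entry)
{
    for (size_t i = 0; deny_prefix[i] != NULL; i++)
        if (strncmp(entry, deny_prefix[i], strlen(deny_prefix[i])) == 0)
            return 1;
    return 0;
}

/* Compact a NULL-terminated NAME=VALUE vector in place, dropping denied
 * entries and malformed ones (no '=' or empty name). Returns the number of
 * entries kept. Hypothetical helper: a daemon would call it on the variables
 * received from the remote client, before exec'ing login. */
size_t scrub_env(char **envp)
{
    size_t kept = 0;

    for (size_t i = 0; envp[i] != NULL; i++) {
        const char *eq = strchr(envp[i], '=');
        if (eq == NULL || eq == envp[i] || is_denied(envp[i]))
            continue;
        envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return kept;
}

int main(void)
{
    /* Constructed sample of what a remote client might send. */
    char *env[] = {
        "TERM=vt100",
        "LD_PRELOAD=/constructed/incoming/lib.so",
        "DISPLAY=host:0",
        "LD_LIBRARY_PATH=/tmp",
        NULL
    };
    size_t n = scrub_env(env);

    for (size_t i = 0; i < n; i++)
        puts(env[i]);
    return 0;
}
```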
