[1230] in linux-security and linux-alert archive
Re: [linux-security] Attempt to break through ftp
daemon@ATHENA.MIT.EDU (Rob van Nieuwkerk)
Thu Oct 17 20:28:35 1996
From: Rob van Nieuwkerk <robn@verdi.et.tudelft.nl>
To: juphoff@tarsier.cv.nrao.edu (Jeff Uphoff)
Date: Thu, 17 Oct 1996 12:53:46 +0200 (MET DST)
Cc: fnevgeny@plasma-gate.weizmann.ac.il, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199610162119.RAA00527@tarsier.cv.nrao.edu> from "Jeff Uphoff" at Oct 16, 96 05:19:08 pm
> Basic (remote) attack goes as follows:
>
> 1) FTP this library into a site's incoming area.
>
> 2) Start telnet.
>
> 3) Pass the fully-qualified path to the library in the remote system's
> FTP incoming area as $LD_PRELOAD via telnet's environment-passing
> features.
>
> 4) Connect to the remote system.
>
> 5) You've now got root on the remote system, without any authentication.
>
> Local attack varies in that you can use /tmp for stashing the library
> and then just connect to localhost. (These instructions can all be
> found in the readme for the source code.)

Does anyone know if SSH is vulnerable to this trick?

Rob van Nieuwkerk
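
A defensive counterpart to the environment-passing step in the quoted description, as an added example that is not part of the original message: a C routine of the kind a login-spawning daemon can run over client-supplied variables before starting a privileged program. The function names, the prefix list and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Prefixes of variables that steer the dynamic linker or shell start-up.
 * Illustrative list (an assumption, not taken from the message); an
 * allowlist of expected names such as TERM and DISPLAY is stricter still. */
static const char *const unsafe_prefixes[] = {
    "LD_",      /* LD_PRELOAD, LD_LIBRARY_PATH: the variable in this thread */
    "_RLD_",    /* IRIX runtime linker */
    "LIBPATH=", /* AIX library search path */
    "IFS=",     /* shell field separator */
    NULL
};

/* Return 1 if a "NAME=value" entry must not reach a privileged child. */
int env_entry_is_unsafe(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t i;

    if (eq == NULL || eq == entry)   /* malformed: no '=' or empty name */
        return 1;
    for (i = 0; unsafe_prefixes[i] != NULL; i++)
        if (strncmp(entry, unsafe_prefixes[i], strlen(unsafe_prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Compact a NULL-terminated environment vector in place, dropping unsafe
 * entries. Returns the number of entries removed. */
int scrub_env(char **env)
{
    char **src, **dst;
    int removed = 0;
    for (src = dst = env; *src != NULL; src++) {
        if (env_entry_is_unsafe(*src))
            removed++;
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample of client-supplied variables. */
    char *env[] = { "TERM=vt100", "LD_PRELOAD=/constructed/lib.so", "DISPLAY=:0", NULL };
    printf("removed %d entries, first kept: %s\n", scrub_env(env), env[0]);
    return 0;
}
```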