[1237] in linux-security and linux-alert archive


Re: [linux-security] Attempt to break through ftp

daemon@ATHENA.MIT.EDU (Bryan Reece)
Fri Oct 18 14:44:15 1996

Date: 18 Oct 1996 14:16:05 -0000
From: Bryan Reece <reece@taz.nceye.net>
To: robn@verdi.et.tudelft.nl
CC: juphoff@tarsier.cv.nrao.edu, fnevgeny@plasma-gate.weizmann.ac.il,
        linux-security@tarsier.cv.nrao.edu
In-reply-to: <199610171053.MAA00393@verdi.et.tudelft.nl> (message from Rob van
	Nieuwkerk on Thu, 17 Oct 1996 12:53:46 +0200 (MET DST))

   From: Rob van Nieuwkerk <robn@verdi.et.tudelft.nl>
   Date: Thu, 17 Oct 1996 12:53:46 +0200 (MET DST)

   > Basic (remote) attack goes as follows:
   > 
   > 1) FTP this library into a site's incoming area.
   > 
   > 2) Start telnet.
   > 
   > 3) Pass the fully-qualified path to the library in the remote system's
   >    FTP incoming area as $LD_PRELOAD via telnet's environment-passing
   >    features.
   > 
   > 4) Connect to the remote system.
   > 
   > 5) You've now got root on the remote system, without any authentication.

   > Local attack varies in that you can use /tmp for stashing the library
   > and then just connect to localhost.  (These instructions can all be
   > found in the readme for the source code.)

   Does anyone know if SSH is vulnerable to this trick?

Shouldn't be, since it doesn't exec anything as root, and other than
TERM (whatever the client wants) and DISPLAY (set to a fake value if
the client wants), ssh seems not to let the client affect any
variables.
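The mitigation the reply describes (a daemon that only lets a client set an allow-listed handful of variables before anything runs as root) as an added example, not telnetd's or ssh's own code: a hypothetical `filter_client_env` that keeps only `TERM` and `DISPLAY` from a client-supplied environment and drops everything else, including `LD_PRELOAD`. The sample environment and the library path in it are constructed placeholders.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allow-list of variables a remote client may set (assumption: the two the
 * reply names). Everything else is dropped before the login process runs. */
static const char *const allowed_names[] = { "TERM", "DISPLAY", NULL };

/* Returns 1 if "NAME=value" has an allow-listed NAME, 0 otherwise.
 * Entries without '=' are malformed and are dropped too. */
int env_entry_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (!eq) return 0;
    size_t n = (size_t)(eq - entry);           /* length of NAME */
    for (const char *const *a = allowed_names; *a; a++)
        if (strlen(*a) == n && strncmp(*a, entry, n) == 0) return 1;
    return 0;                                  /* covers LD_PRELOAD, LD_LIBRARY_PATH, ... */
}

/* Copies allowed entries from in[] into out[] (NULL-terminated, at most
 * out_cap - 1 entries) and returns how many client entries were dropped. */
int filter_client_env(char *const in[], const char *out[], size_t out_cap) {
    size_t kept = 0;
    int dropped = 0;
    for (size_t i = 0; in[i]; i++) {
        if (env_entry_allowed(in[i]) && kept + 1 < out_cap) out[kept++] = in[i];
        else dropped++;
    }
    out[kept] = NULL;
    return dropped;
}

/* Runs the filter over a constructed environment of the kind a client could
 * push through telnet's environment option; returns the number dropped. */
int sample_filter_dropped(void) {
    char *const client_env[] = {
        "TERM=vt100",
        "LD_PRELOAD=/ftp/incoming/EXAMPLE.so",  /* placeholder path, not a real one */
        "DISPLAY=client:0",
        "LD_LIBRARY_PATH=/tmp",
        NULL };
    const char *safe_env[8];
    int dropped = filter_client_env(client_env, safe_env, 8);
    for (size_t i = 0; safe_env[i]; i++) printf("kept: %s\n", safe_env[i]);
    return dropped;
}

int main(void) {
    printf("dropped %d client entries\n", sample_filter_dropped());
    return 0;
}
```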
