[1237] in linux-security and linux-alert archive
Re: [linux-security] Attempt to break through ftp
daemon@ATHENA.MIT.EDU (Bryan Reece)
Fri Oct 18 14:44:15 1996
Date: 18 Oct 1996 14:16:05 -0000
From: Bryan Reece <reece@taz.nceye.net>
To: robn@verdi.et.tudelft.nl
CC: juphoff@tarsier.cv.nrao.edu, fnevgeny@plasma-gate.weizmann.ac.il,
linux-security@tarsier.cv.nrao.edu
In-reply-to: <199610171053.MAA00393@verdi.et.tudelft.nl> (message from Rob van
Nieuwkerk on Thu, 17 Oct 1996 12:53:46 +0200 (MET DST))
From: Rob van Nieuwkerk <robn@verdi.et.tudelft.nl>
Date: Thu, 17 Oct 1996 12:53:46 +0200 (MET DST)
> Basic (remote) attack goes as follows:
>
> 1) FTP this library into a site's incoming area.
>
> 2) Start telnet.
>
> 3) Pass the fully-qualified path to the library in the remote system's
> FTP incoming area as $LD_PRELOAD via telnet's environment-passing
> features.
>
> 4) Connect to the remote system.
>
> 5) You've now got root on the remote system, without any authentication.
> Local attack varies in that you can use /tmp for stashing the library
> and then just connect to localhost. (These instructions can all be
> found in the readme for the source code.)
> Does anyone know if SSH is vulnerable to this trick?
Shouldn't be, since it doesn't exec anything as root, and other than
TERM (whatever the client wants) and DISPLAY (set to a fake value if
the client wants), ssh seems not to let the client affect any
variables.
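The defensive property the reply attributes to ssh (a remote client may set TERM, may ask for DISPLAY but never chooses its value, and cannot touch anything else) can be modelled as an allowlist filter over the client-supplied environment. The following is an added example, not code from this thread or from ssh or telnetd; the `sanitize_client_env` function, the TERM character set and the sample client environment are assumptions made for illustration.

```python
"""Allowlist filter for environment variables supplied by a remote client.

Added example (not from the linux-security thread). It models the policy the
reply describes for ssh: TERM passes through if well-formed, DISPLAY is
replaced by a server-chosen value, and every other client-supplied variable,
including the dynamic loader's LD_* variables, is dropped before any program
runs on the client's behalf.
"""
import re

# Variables a remote client is allowed to influence at all (assumption).
CLIENT_ALLOWED = {"TERM", "DISPLAY"}

# Loader-controlled variables that must never arrive from a client.
# The allowlist already drops them; they are named here so that a
# rejection can be logged as a probable attack rather than noise.
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT")

# Conservative shape for a terminal type name (assumption).
TERM_RE = re.compile(r"^[A-Za-z0-9._+-]{1,32}$")


def sanitize_client_env(client_env, server_display=None):
    """Split a client-supplied environment into (accepted, rejected).

    accepted: the variables that may reach the session, with DISPLAY
              replaced by server_display (the server picks the value).
    rejected: everything else, keyed by name, for logging.
    """
    accepted = {}
    rejected = {}
    for name, value in client_env.items():
        if name == "TERM" and TERM_RE.match(value):
            accepted["TERM"] = value
        elif name == "DISPLAY" and server_display is not None:
            # Client may request X forwarding; the value is never theirs.
            accepted["DISPLAY"] = server_display
        else:
            rejected[name] = value
    return accepted, rejected


def suspicious_rejects(rejected):
    """Return the rejected names that are loader variables (worth alerting on)."""
    return sorted(name for name in rejected if name in LOADER_VARS)


def demo():
    # Constructed sample of what a telnet-style client might try to pass.
    # The LD_PRELOAD path is a placeholder, not a real file.
    client_env = {
        "TERM": "vt100",
        "DISPLAY": "remote-host:0",
        "LD_PRELOAD": "/PLACEHOLDER/incoming/lib.so",
        "PATH": "/tmp",
    }
    accepted, rejected = sanitize_client_env(client_env, server_display="localhost:10.0")
    return {
        "accepted": accepted,
        "rejected": sorted(rejected),
        "alert": suspicious_rejects(rejected),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The point of the allowlist shape is that a new loader variable (or any other variable the daemon's author never thought about) is rejected by default; a denylist of known-bad names would have to be updated every time the dynamic loader learns a new control variable.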