[441] in linux-security and linux-alert archive
SSLtelnet patch
daemon@ATHENA.MIT.EDU (Aleph One)
Sun Nov 5 16:21:36 1995
Date: Wed, 1 Nov 1995 20:07:19 -0600 (CST)
From: Aleph One <aleph1@dfw.net>
To: ssl-users@mincom.oz.au
Cc: linux-security@tarsier.cv.nrao.edu
This patch addresses the current CERT advisory about the telnet
vulnerability. It was created under Linux using SSLtelnet 0.2.
I am not sure what the latest version is, but here it is anyway.
You need to change LD_LIBRARY_PATH in the patch to whatever is
dangerous in your OS.
diff -u -r SSLtelnet-0.2/telnetd/Makefile SSLtelnet-0.2-new/telnetd/Makefile
--- SSLtelnet-0.2/telnetd/Makefile Tue Aug 15 16:53:25 1995
+++ SSLtelnet-0.2-new/telnetd/Makefile Wed Nov 1 16:01:32 1995
@@ -7,7 +7,7 @@
CFLAGS= -DTERMCAP -DKLUDGELINEMODE -DUSE_TERMIO -DAUTHENTICATE -DUSE_SSL \
-DDIAGNOSTICS -DFILIO_H \
-I../lib -I../lib/libbsd/include \
- -I$(SSLTOP)/include
+ -I$(SSLTOP)/include -O2 -m486
LIBS= ../lib/libtelnet/libtelnet.a \
../lib/libutil/libutil.a \
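Review bot: The `-O2 -m486` added to the CFLAGS continuation line is unrelated to the environment-variable fix, and `-m486` is an x86-specific GCC option that other architectures and compilers will likely reject. Bundling it here means the security patch may not build everywhere it needs to be applied. Keep the line as `-I$(SSLTOP)/include` in this patch and leave optimisation flags to a separate, local change.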
diff -u -r SSLtelnet-0.2/telnetd/state.c SSLtelnet-0.2-new/telnetd/state.c
--- SSLtelnet-0.2/telnetd/state.c Thu Oct 14 13:49:12 1993
+++ SSLtelnet-0.2-new/telnetd/state.c Wed Nov 1 16:56:41 1995
@@ -1257,9 +1257,27 @@
case ENV_VAR:
*cp = '\0';
- if (valp)
+ if (valp) {
+ if (!strcmp(varp, "LD_LIBRARY_PATH")) {
+ char *host;
+ struct hostent *hp;
+ struct sockaddr_in from;
+ int i, fromlen = sizeof(from);
+
+ if (!getpeername(0, (struct sockaddr *)&from, &fromlen)) {
+ hp = gethostbyaddr((char *)&from.sin_addr, sizeof(struct in_addr), from.sin_family);
+ if (hp)
+ host = hp->h_name;
+ else
+ host = inet_ntoa(from.sin_addr);
+ syslog(LOG_ALERT, "Breakin attempt from %s: '%s=%s'", host, varp, valp);
+ } else {
+ syslog(LOG_ALERT, "Breakin attempt: '%s=%s'", varp, valp);
+ }
+ exit(1);
+ }
(void)setenv(varp, valp, 1);
- else
+ } else
unsetenv(varp);
cp = varp = (char *)subpointer;
valp = 0;
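Review bot: The test `!strcmp(varp, "LD_LIBRARY_PATH")` rejects exactly one name, so every other client-supplied variable, including other dynamic-linker settings such as `LD_PRELOAD`, still reaches `setenv(varp, valp, 1)` and is inherited by whatever telnetd runs next (presumably login). The description already concedes that the name has to be adapted per OS; a prefix test such as `if (!strncmp(varp, "LD_", 3)) {` is a better minimum, and an allow-list of the few variables the daemon is willing to accept is more robust than any deny-list. The same applies to the identical block in the second state.c hunk (`@@ -1276`). The enclosing function begins and ends outside this hunk.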
@@ -1276,9 +1294,27 @@
}
}
*cp = '\0';
- if (valp)
+ if (valp) {
+ if (!strcmp(varp, "LD_LIBRARY_PATH")) {
+ char *host;
+ struct hostent *hp;
+ struct sockaddr_in from;
+ int i, fromlen = sizeof(from);
+
+ if (!getpeername(0, (struct sockaddr *)&from, &fromlen)) {
+ hp = gethostbyaddr((char *)&from.sin_addr, sizeof(struct in_addr), from.sin_family);
+ if (hp)
+ host = hp->h_name;
+ else
+ host = inet_ntoa(from.sin_addr);
+ syslog(LOG_ALERT, "Breakin attempt from %s: '%s=%s'", host, varp, valp);
+ } else {
+ syslog(LOG_ALERT, "Breakin attempt: '%s=%s'", varp, valp);
+ }
+ exit(1);
+ }
(void)setenv(varp, valp, 1);
- else
+ } else
unsetenv(varp);
break;
} /* end of case TELOPT_ENVIRON */
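Review bot: The `host` string written by `syslog(LOG_ALERT, ...)` comes from `gethostbyaddr()`, so it is a PTR record chosen by whoever controls reverse DNS for the peer address, and the alert can end up naming an unrelated host. Log the numeric address unconditionally and treat the name as a hint, e.g. `syslog(LOG_ALERT, "Breakin attempt from %s (%s): '%s=%s'", inet_ntoa(from.sin_addr), host, varp, valp);`. `valp` is also client-supplied and is logged unfiltered, so control characters in it may distort the log line unless the local syslog escapes them. The declared `int i` is never used, and all of this applies equally to the identical block in the first state.c hunk (`@@ -1257`); the enclosing switch starts outside this hunk.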
Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01