[443] in linux-security and linux-alert archive
Telnetd Environment Vulnerability
daemon@ATHENA.MIT.EDU (Cy Schubert - BCSC Open Systems Gr)
Sun Nov 5 16:21:46 1995
From: Cy Schubert - BCSC Open Systems Group <cschuber@uumail.gov.bc.ca>
To: linux-alert@tarsier.cv.nrao.edu
Date: Thu, 02 Nov 95 16:58:43 -0800
Reply-To: linux-security@tarsier.cv.nrao.edu
There is a serious problem with various telnetd daemons which will cause
/bin/login to give a root shell. I haven't had a chance to test this on my
Linux boxes at home, however it does fix the problem under DEC's OSF/1.
I managed to find this wrapper in CERT Advisory CA-95:14.
/*
 * This is a login wrapper that removes all instances of
 * various variables from the environment.
 *
 * Note: this program must be compiled statically to be
 * effective against exploitation.
 *
 * Author: Lawrence R. Rogers
 *
 * 10/25/95 version 1.1 Original version
 * 10/26/95 version 1.2 ELF_ variables removed (Linux)
 * 10/27/95 version 1.3 ELF_ changed to ELF_LD_
 *                      Added AOUT_LD_ (Linux)
 *
 */
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* strncmp() */
#include <unistd.h>     /* execve() */

#if !defined(_PATH_LOGIN)
# define _PATH_LOGIN "/bin/login.real"
#endif

int
main(int argc, char **argv, char **envp)
{
    char **p1, **p2;

    (void)argc;     /* unused; argv is handed to the real login unchanged */

    /*
     * Compact envp in place: p1 reads every entry, p2 writes back only
     * the entries that do not start with one of the filtered prefixes.
     */
    for (p1 = p2 = envp; *p1; p1++) {
        if (strncmp(*p1, "LD_", 3) != 0 &&
            strncmp(*p1, "_RLD", 4) != 0 &&
            strncmp(*p1, "LIBPATH=", 8) != 0 &&
            strncmp(*p1, "ELF_LD_", 7) != 0 &&
            strncmp(*p1, "AOUT_LD_", 8) != 0 &&
            strncmp(*p1, "IFS=", 4) != 0) {
            *p2++ = *p1;
        }
    }
    *p2 = 0;        /* terminate the shortened environment */

    /* Run the real login with the filtered environment. */
    execve(_PATH_LOGIN, argv, envp);

    /* Reached only if execve() failed. */
    perror(_PATH_LOGIN);
    exit(1);
}

Regards, Phone: (604)389-3827
Cy Schubert OV/VM: BCSC02(CSCHUBER)
Open Systems Support BITNET: CSCHUBER@BCSC02.BITNET
BC Systems Corp. Internet: cschuber@uumail.gov.bc.ca
cschuber@bcsc02.gov.bc.ca
"Quit spooling around, JES do it."
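
The filtering loop in the wrapper above, as an added example that is not part of the original message or of the CERT wrapper: it factors the loop into a function and runs it in two modes over the same constructed environment. The wrapper's blocklist passes any variable whose name is not listed, while an allowlist keeps only named variables. The names `filter_env` and `has_prefix`, the allowlist contents and the sample variables are assumptions made for illustration, and the allowlist mode goes beyond what the message describes.

```c
#include <stdio.h>
#include <string.h>

/* Prefixes removed by the wrapper quoted above (version 1.3). */
static const char *const blocked[] = {
    "LD_", "_RLD", "LIBPATH=", "ELF_LD_", "AOUT_LD_", "IFS=", NULL
};

/* Assumed allowlist for this example. The trailing '=' makes the
 * prefix comparison an exact match on the variable name. */
static const char *const allowed[] = { "TERM=", "DISPLAY=", "TZ=", NULL };

/* Return 1 if entry starts with any prefix in the NULL-terminated list. */
static int has_prefix(const char *entry, const char *const *list)
{
    for (; *list; list++)
        if (strncmp(entry, *list, strlen(*list)) == 0)
            return 1;
    return 0;
}

/* Compact envp in place. keep_listed == 0: drop listed entries (blocklist).
 * keep_listed == 1: keep only listed entries (allowlist).
 * Returns the number of entries kept. */
size_t filter_env(char **envp, const char *const *list, int keep_listed)
{
    char **in, **out;
    for (in = out = envp; *in; in++)
        if (has_prefix(*in, list) == keep_listed)
            *out++ = *in;
    *out = NULL;
    return (size_t)(out - envp);
}

int main(void)
{
    /* Constructed sample environments, not captured from a real session. */
    char *a[] = { "TERM=vt100", "LD_EXAMPLE=x", "IFS=:",
                  "UNLISTED_VAR=1", "TZ=PST8PDT", NULL };
    char *b[] = { "TERM=vt100", "LD_EXAMPLE=x", "IFS=:",
                  "UNLISTED_VAR=1", "TZ=PST8PDT", NULL };
    size_t i, n;

    n = filter_env(a, blocked, 0);
    for (i = 0; i < n; i++) printf("blocklist keeps: %s\n", a[i]);
    n = filter_env(b, allowed, 1);
    for (i = 0; i < n; i++) printf("allowlist keeps: %s\n", b[i]);
    return 0;
}
```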