[447] in linux-security and linux-alert archive
Re: telnetd shared lib hole
daemon@ATHENA.MIT.EDU (Jon Lewis)
Sun Nov 5 17:57:42 1995
Date: Sun, 5 Nov 1995 16:46:21 -0500 (EST)
From: Jon Lewis <jlewis@inorganic5.chem.ufl.edu>
To: Erik Nygren <nygren@MIT.EDU>
cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199511052133.QAA01598@foundation.mit.edu>
On Sun, 5 Nov 1995, Erik Nygren wrote:
> > Call me silly, but since this hole operates by "secretly replacing your
> > real libc with Foldgers Crystals libc" and having telnetd use the bogus
> > libc, would all this be fixed with no need for careful patching /
> > environment cleaning if we simply compiled telnetd and statically linked
>
> The problem is NOT that telnetd is dynamically linked. The problem
So I was silly... Shortly after my post, I compiled telnetd and found that
statically linking it changed nothing. Login still was given the bogus
LD_LIBRARY_PATH and could still be made to do nasty things with a hacked
libc. It's been mentioned that static login will delay use of the hacked
libc until after login, where it can do relatively little harm.
As the original post said, a patched telnetd source can be gotten from
sites carrying the debian distribution.
I've finally compiled a hacked libc that takes advantage of this...so now
I can say that in.telnetd that comes with many versions of slackware (up
to 2.3 at least) is definitely vulnerable. The latest debian source for
telnetd is not.
------------------------------------------------------------------
Jon Lewis | Mime attachments are OK
jlewis@inorganic5.chem.ufl.edu | But please ask before sending
http://inorganic5.chem.ufl.edu | unsolicited huge files.
_____Finger jlewis@inorganic5.chem.ufl.edu for PGP public key_____
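The thread's point is that static linking does not help because telnetd passes the client-supplied environment on to login, which then loads libc under the attacker's LD_LIBRARY_PATH; the real fix is for the daemon to scrub loader-controlling variables before exec'ing login. The following is an added illustration of that scrub, not code from the thread or from any telnetd; it assumes the environment is a NULL-terminated array of "NAME=value" strings as passed to execve(), and the sample values are constructed.

```c
/* Added example: strip dynamic-loader variables (LD_LIBRARY_PATH, LD_PRELOAD, ...)
   from an environment before a privileged daemon hands it to a child such as login.
   Not from the thread; the environment contents below are constructed. */
#include <stdio.h>
#include <string.h>

/* Any variable the loader honours lets a remote user pick which libc the child
   loads, so match on the whole "LD_" prefix rather than a fixed list. */
static int is_loader_var(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0;
}

/* Compact the NULL-terminated array in place, dropping every LD_* entry.
   Returns the number of entries removed. */
int scrub_loader_env(char **env)
{
    int in = 0, out = 0, dropped = 0;
    for (; env[in] != NULL; in++) {
        if (is_loader_var(env[in])) {
            dropped++;
            continue;
        }
        env[out++] = env[in];
    }
    env[out] = NULL;
    return dropped;
}

/* Scrub a constructed sample environment of the kind a telnet client could
   send via the ENVIRON option; returns how many entries were dropped (2 here). */
int sample_dropped(void)
{
    char *env[] = { "TERM=vt100", "LD_LIBRARY_PATH=/tmp/evil",
                    "HOME=/home/user", "LD_PRELOAD=/tmp/evil/hook.so", NULL };
    int dropped = scrub_loader_env(env);
    for (int i = 0; env[i] != NULL; i++)
        printf("kept: %s\n", env[i]);   /* TERM and HOME survive, LD_* do not */
    return dropped;
}

int main(void)
{
    printf("dropped %d loader variables\n", sample_dropped());
    return 0;
}
```

A daemon that wants an allow-list instead (TERM, HOME, and a few others) is stricter still; the prefix check above is the minimum that closes the path the thread describes.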