[448] in linux-security and linux-alert archive


Re: telnetd shared lib hole

daemon@ATHENA.MIT.EDU (Erik Nygren)
Sun Nov 5 17:57:46 1995

To: Jon Lewis <jlewis@inorganic5.chem.ufl.edu>
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: Your message of "Wed, 01 Nov 1995 15:53:26 EST."
             <Pine.LNX.3.91.951101155003.12164K-100000@inorganic5.chem.ufl.edu> 
Date: Sun, 05 Nov 1995 16:33:47 -0500
From: Erik Nygren <nygren@MIT.EDU>


> Call me silly, but since this hole operates by "secretly replacing your
> real libc with Foldgers Crystals libc" and having telnetd use the bogus
> libc, would all this be fixed with no need for careful patching /
> environment cleaning if we simply compiled telnetd and statically linked
> it?  Then it would need no shared libs, and you'd be unable to force it to
> load a hacked libc...no? 

The problem is NOT that telnetd is dynamically linked.  The problem
is that telnetd sets the environmental variables before it calls
login.  In theory, statically linking login might fix the problem
but I haven't tested this.  A much safer solution is to patch
telnetd not to set dangerous environmental variables.  

	Erik

[Mod: This is the tack that people are taking; it's being/been done.
--Jeff]
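The fix Erik describes, shown as an added C example that is not the telnetd patch from the list or code from any project: before telnetd runs login, copy the client-supplied environment and drop every loader-controlling variable. The LD_ prefix rule (covering LD_PRELOAD, LD_LIBRARY_PATH and the a.out variants), the function names and the sample environment are assumptions constructed for this example.

```c
/* Added example: build a sanitized environment for the login child so
 * that no client-supplied dynamic-loader variable reaches it.
 * Assumption: every variable whose name starts with "LD_" is dangerous. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Return 1 if a "NAME=value" entry must not be passed on to login. */
static int env_is_dangerous(const char *entry)
{
    /* Loader-controlling variables: LD_PRELOAD, LD_LIBRARY_PATH, ... */
    if (strncmp(entry, "LD_", 3) == 0)
        return 1;
    /* An entry without '=' is malformed; nothing legitimate needs it. */
    if (strchr(entry, '=') == NULL)
        return 1;
    return 0;
}

/* Copy the safe entries of the NULL-terminated array `in` into `out`,
 * which has room for `cap` pointers including the terminating NULL.
 * Returns the number of entries kept, or -1 if `out` is too small. */
int sanitize_env(char **in, char **out, size_t cap)
{
    size_t n = 0;
    for (; *in != NULL; in++) {
        if (env_is_dangerous(*in))
            continue;
        if (n + 1 >= cap)          /* keep room for the NULL terminator */
            return -1;
        out[n++] = *in;
    }
    out[n] = NULL;
    return (int)n;
}

/* Environment as telnetd might receive it from a remote client
 * (constructed sample, not a real capture). */
static char *sample_env[] = {
    "TERM=vt100",
    "LD_PRELOAD=/tmp/untrusted-libc.so",
    "HOME=/home/user",
    "LD_LIBRARY_PATH=/tmp",
    "bogus-without-equals",
    NULL
};

int main(void)
{
    char *clean[8];
    int kept = sanitize_env(sample_env, clean, 8);
    for (int i = 0; i < kept; i++)
        printf("%s\n", clean[i]);
    /* telnetd would then call execve("/bin/login", argv, clean); */
    return kept < 0;
}
```

Only TERM and HOME survive the filter on the sample input; the same routine applies to any setuid helper that a daemon launches with a remote user's environment.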
