[460] in linux-security and linux-alert archive
Re: BoS: Telnetd Environment Vulnerability
daemon@ATHENA.MIT.EDU (Aleph One)
Mon Nov 6 17:22:42 1995
Date: Mon, 6 Nov 1995 15:45:23 -0600 (CST)
From: Aleph One <aleph1@dfw.net>
To: linux-security@tarsier.cv.nrao.edu
Cc: nobody@connect.com.au, linux-alert@tarsier.cv.nrao.edu
In-Reply-To: <9511061603.AA12451@sonic.nmti.com.nmti.com>
Although this is more secure you are making assumptions about what kind
of software the site runs. There may be any number of variables that are
platform independent, etc. The best fix I've seen yet is the approach
taken by HP. You must tell the compiler by means of a flag that you want
your program to use the LD_* variables. This secures all software, but
maintains the flexibility for the developer who just needs to compile with
these flags.
The downsides are that a) the gcc maintainers would have to add this to
the linux compiler (anyone on the gcc mailing list reading this?) b) all
software would have to be recompiled.
For now compiling telnetd to filter the unwanted variables should do.
But it would be nice if the gcc people pick this tip up.
Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
On Mon, 6 Nov 1995, Peter da Silva wrote:
[Mod: Quoting trimmed. --Jeff.]
> Wouldn't it be safer to do something like:
>
> if(strncmp(*p1, "TERM=", 5) == 0 ||
> strncmp(*p1, "DISPLAY=", 8) == 0) *p2++ = *p1;
>
> Is there any reason to copy the environment over to a possibly completely
> different architecture? There's only a few variables that really need to be
> transferred...
>
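The allow-list filter sketched in the quoted reply, written out as a complete compilable example (added here; it is not telnetd's code nor either poster's). The function names, the allowed prefixes and the sample client environment are assumptions made for the illustration; note the trailing '=' in each prefix, so that e.g. TERMCAP does not slip through on a TERM match.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Variables a remote telnet client may legitimately hand to login(1).
 * Everything else, LD_LIBRARY_PATH, LD_PRELOAD and friends included, is
 * dropped. The '=' is part of the prefix so "TERMCAP=" is not matched by
 * "TERM=". (Hypothetical list for this example.) */
static const char *const allowed_prefixes[] = { "TERM=", "DISPLAY=", NULL };

/* Nonzero if the "NAME=value" string starts with an allowed prefix. */
int env_allowed(const char *var)
{
    for (const char *const *p = allowed_prefixes; *p != NULL; p++)
        if (strncmp(var, *p, strlen(*p)) == 0)
            return 1;
    return 0;
}

/* Copy the allowed entries of the NULL-terminated array in[] to out[],
 * which must have room for outsize pointers. out[] is NULL-terminated;
 * the number of entries copied is returned. Entries that would not fit
 * are silently dropped rather than overflowing out[]. */
size_t filter_env(char *const in[], char *out[], size_t outsize)
{
    size_t n = 0;
    if (outsize == 0)
        return 0;
    for (char *const *p1 = in; *p1 != NULL && n + 1 < outsize; p1++)
        if (env_allowed(*p1))
            out[n++] = *p1;
    out[n] = NULL;
    return n;
}

int main(void)
{
    /* Constructed sample of what a client could send via the telnet
     * ENVIRON option; only TERM and DISPLAY should reach login. */
    char *client_env[] = { "TERM=vt100", "LD_PRELOAD=/tmp/untrusted.so",
                           "DISPLAY=host:0", "LD_LIBRARY_PATH=/tmp", NULL };
    char *login_env[8];
    size_t n = filter_env(client_env, login_env, 8);
    for (size_t i = 0; i < n; i++)
        printf("%s\n", login_env[i]);
    return 0;
}
```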