[463] in linux-security and linux-alert archive


Re: Fwd: CERT Advisory CA-95:14 - Telnetd Environment Vulnerability

daemon@ATHENA.MIT.EDU (Mike McCammant)
Tue Nov 7 12:07:13 1995

Date: Tue, 7 Nov 1995 00:36:52 -0500 (EST)
From: Mike McCammant <mikemc@macshack.com>
To: linux-security@tarsier.cv.nrao.edu
cc: linux-alert@tarsier.cv.nrao.edu
In-Reply-To: <199511022325.SAA19520@foundation.mit.edu>


I completed compiling and installing the wrapper on my Linux system
and it appears to work great.

However, I wanted info on who/when/how this was attempted.

So I added a few lines to do a syslog dump and close the connection.
If you don't want to close the connection, just remove the exit(1)
statement as noted in the code.


-------------------------cut here-------------------------
/*
 * This is a login wrapper that removes all instances of
 * various variables from the environment.
 *
 * Note: this program must be compiled statically to be
 * effective against exploitation.
 * /usr/bin/cc -static -D_PPATH_LOGIN=\"/bin/login.real\" -O wrap.c -o wrap
 *
 * Author:      Lawrence R. Rogers
 *
 * 10/25/95     version 1.1     Original version
 * 10/26/95     version 1.2     ELF_ variables removed (Linux)
 * 10/27/95     version 1.3     ELF_ changed to ELF_LD_
 *                              Added AOUT_LD_ (Linux)
 *                
 * 11/6/95      version 1.4     Added a cheap dump of the argv array to
 *                              syslog.  I like to know ;)
 *                              Mike McCammant (mikemc@macshack.com)  
 *
 */

#if !defined(_PPATH_LOGIN)
#define         _PPATH_LOGIN     "/bin/login.real"
#endif

#include        <stdio.h>
#include        <stdlib.h>      /* exit() */
#include        <string.h>      /* strncmp() */
#include        <syslog.h>
#include        <unistd.h>      /* execve() */


int
main (int argc, char **argv, char **envp)
{
        register char **p1, **p2;
        int i;

        /* copy down every variable that does not match a filtered prefix */
        for (p1 = p2 = envp; *p1; p1++) {
                if (strncmp(*p1, "LD_", 3) != 0 &&
                    strncmp(*p1, "_RLD", 4) != 0 &&
                    strncmp(*p1, "LIBPATH=", 8) != 0 &&
                    strncmp(*p1, "ELF_LD_", 7) != 0 &&
                    strncmp(*p1, "AOUT_LD_", 8) != 0 &&
                    strncmp(*p1, "IFS=", 4) != 0 ) {
                        *p2++ = *p1;
                }
                else {
                        /* here is a break in ??? */

                        syslog(LOG_ALERT, "Breakin attempt: %s", *p1);
                        for (i = 0; i < argc; i++)
                                syslog(LOG_ALERT, "Breakin dump:  argv[%d] = %s",
                                       i, argv[i]);
                        /* remove the next line to keep connection open */
                        exit(1);
                }
        }

        /* terminate the compacted environment and hand off to the real login */
        *p2 = 0;
        execve(_PPATH_LOGIN, argv, envp);
        perror(_PPATH_LOGIN);
        exit(1);
}

------------------------- cut here  -------------------


Mike - mikemc@macshack.com  -  Home of the JEO-Counter, graphic WWW counter
 /---------------------------------------\   My opinions belong to me, 
| Visit us at http://www.macshack.com     |  myself and I, not my employer,
 \......................................./   the government or my wife...:)
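
The filtering loop from the wrapper in this message, restated as a testable function for the variant in which the exit(1) is removed and login continues with a scrubbed environment. This is an added example, not part of the original post or of the wrapper it modifies; `scrub_env`, `is_blocked` and the `report` callback are hypothetical names, and reporting goes to stderr here where the wrapper uses syslog.

```c
#include <stdio.h>
#include <string.h>

/* Prefixes the wrapper on this page strips from the environment. */
static const char *const blocked[] = {
    "LD_", "_RLD", "LIBPATH=", "ELF_LD_", "AOUT_LD_", "IFS=", NULL
};

/* Return 1 if entry starts with one of the blocked prefixes, else 0. */
static int is_blocked(const char *entry)
{
    size_t i;
    for (i = 0; blocked[i] != NULL; i++)
        if (strncmp(entry, blocked[i], strlen(blocked[i])) == 0)
            return 1;
    return 0;
}

/* Compact envp in place (hypothetical helper); report() sees each dropped
 * entry if non-NULL. Returns the number of entries dropped. */
int scrub_env(char **envp, void (*report)(const char *))
{
    char **src, **dst;
    int dropped = 0;
    for (src = dst = envp; *src != NULL; src++) {
        if (is_blocked(*src)) {
            dropped++;
            if (report != NULL)
                report(*src);
        } else {
            *dst++ = *src;          /* keep: slide down over any gaps */
        }
    }
    *dst = NULL;                    /* terminate the shortened array */
    return dropped;
}

/* Stand-in for the wrapper's syslog(LOG_ALERT, ...) call. */
static void report_stderr(const char *entry)
{
    fprintf(stderr, "stripped: %s\n", entry);
}

int main(void)
{
    /* Constructed sample environment. */
    char *env[] = { "TERM=vt100", "LD_LIBRARY_PATH=/tmp", "IFS=/", "HOME=/root", NULL };
    int n = scrub_env(env, report_stderr);
    printf("dropped %d, first kept: %s\n", n, env[0]);
    return 0;
}
```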
