[482] in linux-security and linux-alert archive
Re: Fwd: CERT Advisory CA-95:14 - Telnetd Environment Vulnerability
daemon@ATHENA.MIT.EDU (Jacob Langseth)
Thu Nov 9 21:55:20 1995
Date: Thu, 9 Nov 1995 21:23:21 -0500
To: linux-security@tarsier.cv.nrao.edu
From: jacob@esisys.com (Jacob Langseth)
>So I added a few lines to do a syslog dump and close the connection.
>If you don't want to close the connection, just remove the exit(1)
>statement as noted in the code.
WAIT! Do NOT remove the exit(1) unless you also add code to clear the
environment variables. If you do not, this will simply log that a hack
was attempted and do nothing to prevent it...

>     for (p1 = p2 = envp; *p1; p1++) {
>         if (strncmp(*p1, "LD_", 3) != 0 &&
>             strncmp(*p1, "_RLD", 4) != 0 &&
>             strncmp(*p1, "LIBPATH=", 8) != 0 &&
>             strncmp(*p1, "ELF_LD_", 7) != 0 &&
>             strncmp(*p1, "AOUT_LD_", 8) != 0 &&
>             strncmp(*p1, "IFS=", 4) != 0 ) {
>             *p2++ = *p1;
>         }
>         else {
>             /* here is a break in ??? */
>
>             syslog(LOG_ALERT, "Breakin attempt: %s", *p1);
>             for(i=0;i<argc; i++)
>                 syslog(LOG_ALERT, "Breakin dump: argv[%d] = %s",
>                        i, argv[i]);
>             /* remove the next line to keep connection open */
>             exit(1);
>         }
>     }
>
>     *p2 = 0;
>     execve(_PPATH_LOGIN, argv, envp);
>     perror(_PPATH_LOGIN);
>     exit(1);

Also, while I'm posting, there is a security flaw with the updatedb
command.

According to the manpages, updatedb executes as daemon by default
(to preserve directory permissions). Unfortunately it fails to set
its UID to daemon's before executing the find, and (at least in my
Slackware distribution) updatedb is run via a cronjob as ROOT. This
allows anyone using the 'locate' command to view the entire file
system.

While this isn't a direct security threat, it does effectively negate
directory read permissions and should be fixed.

To have updatedb run as daemon:
1) relocate the updatedb command from root's cronjob to daemon's
2) chown -R daemon.daemon /var/spool/locate

Musashi
--
Jacob Langseth -=-finger for PGP key-=-
Enhanced Systems, Inc. email: jacob@esisys.com
6961 PeachTree Ind Blvd voice: (404) 662-1504 ext. 684
Norcross, GA 30092 fax: (404) 662-1537
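
Added example, not part of the original message or of any telnetd source: a stand-alone C version of the environment filter discussed in this thread, written so that every variable it logs is also dropped from the array that would be handed to execve(), whether or not the caller then closes the connection. The names scrub_env, is_unsafe and log_dropped are hypothetical, the prefix list is the one from the quoted loop, and the sample environment is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Prefixes taken from the quoted loop. */
static const char *const unsafe_prefixes[] = {
    "LD_", "_RLD", "LIBPATH=", "ELF_LD_", "AOUT_LD_", "IFS=", NULL
};

static int is_unsafe(const char *entry)
{
    for (size_t i = 0; unsafe_prefixes[i] != NULL; i++)
        if (strncmp(entry, unsafe_prefixes[i], strlen(unsafe_prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Compact envp in place so only safe entries remain, NULL-terminate it,
 * and return how many entries were dropped. report may be NULL. */
size_t scrub_env(char **envp, void (*report)(const char *entry))
{
    char **src, **dst;
    size_t dropped = 0;
    for (src = dst = envp; *src != NULL; src++) {
        if (!is_unsafe(*src)) {
            *dst++ = *src;      /* keep: copy down over any gap */
            continue;
        }
        dropped++;              /* drop: dst does not advance */
        if (report != NULL)
            report(*src);
    }
    *dst = NULL;
    return dropped;
}

static void log_dropped(const char *entry)
{
    syslog(LOG_ALERT, "Dropped unsafe environment variable: %s", entry);
}

int main(void)
{
    /* Constructed sample environment, not from the post. */
    char *env[] = { "TERM=vt100", "LD_LIBRARY_PATH=/tmp", "IFS=/", "DISPLAY=:0", NULL };
    size_t n = scrub_env(env, log_dropped);
    printf("dropped %zu, first kept entry: %s\n", n, env[0]);
    return 0;
}
```

A caller can use the return value to decide between exit(1) and continuing to execve() with the cleaned array.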