[502] in linux-security and linux-alert archive
Linux Security FAQ Update#8: CERT-95:14 - Telnetd fixes for Linux
daemon@ATHENA.MIT.EDU (Alexander O. Yuriev)
Wed Dec 6 18:54:12 1995
Date: Tue, 5 Dec 1995 16:20:16 -0500 (EST)
From: "Alexander O. Yuriev" <alex@bach.cis.temple.edu>
To: Linux Security Mailing List <linux-security@tarsier.cv.nrao.edu>
cc: Matt Bishop <bishop@cs.ucdavis.edu>,
Linux Announce Submit <linux-announce@stc06.ctd.ornl.gov>,
Russ DeFlavia <russ@tarkus.ocis.temple.edu>,
big-linux-mailing-list <big-linux@netspace.org>
-----BEGIN PGP SIGNED MESSAGE-----
Linux Security FAQ Update
telnetd(8), Shared Libraries and login Program Vulnerability
November 28, 1995 09:58:42 EST
Copyright (C) 1995 Alexander O. Yuriev (alex@bach.cis.temple.edu)
CIS Laboratories
TEMPLE UNIVERSITY
U.S.A.
=============================================================================
This is an official update of the Linux security FAQ, and it is supposed to
be signed by one of the following PGP keys:
1024/EFE347AD 1995/02/17 Olaf Kirch <okir@monad.swb.de>
1024/ADF3EE95 1995/06/08 Linux Security FAQ Primary Key <Alexander O. Yuriev>
Unless you are able to verify at least one of signatures, please be very
careful when following instructions.
Linux Security WWW: http://bach.cis.temple.edu/pub/linux/linux-security
linux-security & linux-alert mailing list archives:
ftp://linux.nrao.edu/pub/linux/security/list-archive
=============================================================================
ABSTRACT:
Most Linux distributions with a release date prior to
Nov 15, 1995 are subject to the vulnerability of shared
/bin/login and telnetd(8) described in the CERT Advisory CA:
95-14. This update is a summary of the information from
the linux-security mailing list and information about the
distribution-specific patches.
AFFECTED DISTRIBUTIONS:
At the present time it is believed that every single Linux
distribution released prior to Nov 15, 1995 that does not
have a statically linked login program (usually /bin/login)
is affected. It is also believed that those who installed
the shadow support subsystem on their systems made their
systems vulnerable to the attack.
RISK ASSESSMENT:
It came to our attention that a small but vital mistake
was made by CERT in the analysis of the vulnerability: in order
to exploit the security bug, the intruder has to first gain
access to a part of the filesystem of the attacked system.
This includes (but is not limited to) the following types of
access in addition to shell access:
a) System allows anonymous FTP uploads
b) Intruder is able to gain access that allows
the intruder to write to a fileserver used
by the system (that includes NFS, Netware,
Samba, etc)
DISTRIBUTION FIXES:
Red Hat Commercial Linux 2.1
----------------------------
This Linux distribution is not vulnerable as long
as Red Hat's NetKit is used. The ld.so of this
distribution needs to be updated. Please use the
appropriate Red Hat Commercial Linux 2.0 RPM.
Red Hat Commercial Linux 2.0
----------------------------
Obtain the secure NetKit from one of the
following URLs:
ftp://ftp.pht.com/pub/linux/redhat/redhat-2.0/updates/RPMS/NetKit-B-0.06-4.i386.rpm
ftp://bach.cis.temple.edu/pub/Linux/security/DISTRIBUTION-FIXES/RedHat2.0/NetKit-B-0.06-4.i386
ftp://linux.nrao.edu/pub/security//DISTRIBUTION-FIXES/NetKit-B-0.06-4.i386.rpm
Red Hat Commercial Linux 2.0 also has an updated
ld.so package. It can be obtained from one of the
following URLs:
ftp://ftp.pht.com/pub/linux/redhat/redhat-2.1/updates/RPMS/ld.so-1.7.11-1.i386.rpm
ftp://bach.cis.temple.edu/pub/Linux/security/DISTRIBUTION-FIXES/RedHat2.0/ld.so-1.7.11-1.i386.rpm
ftp://linux.nrao.edu/pub/security//DISTRIBUTION-FIXES/RedHat2.0/ld.so-1.7.11-1.i386.rpm
Please verify the MD5 hash of the files prior to
installing them.
c49062435e48c215b19239ce4924ffb2 NetKit-B-0.06-4.i386.rpm
0f8b92359f4f085a2a01935d71033877 ld.so-1.7.11-1.i386.rpm
Caldera Network Desktop:
------------------------
Preview I
---------
This release is believed to be vulnerable. Because
Caldera Corporation provided a free upgrade to
Preview II for Preview I users, no one should be
affected.
Preview II
----------
Please apply the patch mentioned in the Red Hat 2.0
section of the Update.
Slackware:
----------
Slackware distributions prior to version 3.0 are
vulnerable. If you use a distribution prior to
version 3.0 you should consider upgrading to
Slackware 3.0.
Patrick J. Volkerding provided information about
the official Slackware 3.0 patch. It can be
obtained from the following URLs:
ftp://ftp.cdrom.com/pub/linux/slackware/patches/telnetd-patch.tgz
ftp://bach.cis.temple.edu/pub/Linux/security/DISTRIBUTION-FIXES/Slackware-3.0/telnetd-patch.tgz
ftp://linux.nrao.edu/pub/security/DISTRIBUTION-FIXES/Slackware-3.0/telnetd-patch.tgz
Please verify the MD5 hash of the file prior to
installing it.
9cab4aea8d60695c478ad9dfc042502a telnetd-patch.tgz
Debian:
-------
The official patch for Debian/GNU Linux can be
obtained from the following URLs:
ftp://ftp.debian.org/debian/debian-0.93/binary/net/netstd-1.21-1.deb
ftp://bach.cis.temple.edu/pub/Linux/security/DISTRIBUTION-FIXES/Debian/netstd-1.21-1.deb
ftp://linux.nrao.edu/pub/Linux/security/DISTRIBUTION-FIXES/Debian/netstd-1.21-1.deb
Please verify the MD5 hash of the file prior to
installing it.
3d055184d2708c1fa0ea36c412f05cf2 netstd-1.21-1.deb
The Debian distribution also released an updated ld.so
loader, which is available at one of the following
URLs:
ftp://ftp.debian.org/debian/debian-0.93/binary/base/ld.so-1.7.10-1.deb
ftp://bach.cis.temple.edu/pub/Linux/security/DISTRIBUTION-FIXES/Debian/ld.so-1.7.10-1.deb
Please verify the MD5 hash of the file prior to
installing it.
eb9a54d375ded510ba266835a2eacefc ld.so-1.7.10-1.deb
Yggdrasil:
----------
Yggdrasil Computing Inc. did not provide any
information about the patch, although their
distributions are believed to be vulnerable.
Other Distributions:
--------------------
The vulnerable telnetd binary can be replaced
by compiling Debian NetKit. It can be obtained
from one of the following URLs:
ftp://ftp.debian.org/debian/debian-1.0/source/net/netstd-1.23-1/telnet*
As this is not the official package, no MD5 hash
is provided.
ADDITIONAL INFORMATION:
Some official fixes addressed the problem by replacing
the telnet daemon with one that does not allow certain
environment variables to be passed. Unfortunately, this
solution has its own drawbacks. It is recommended that, in
addition to installing the distribution-specific patch, the
system administrator upgrade ld.so to ld.so
version 1.7.11, which ignores alternative shared libraries for
setuid or setgid programs.
ftp://ftp.ods.com/pub/linux/ld.so-1.7.11.tar.gz
ftp://bach.cis.temple.edu/pub/Linux/security/ld.so-1.7.11.tar.gz
ftp://linux.nrao.edu/pub/security/ld.so/ld.so-1.7.11.tar.gz
Please verify the MD5 hash of the file prior to installing it.
e25b2f00783cd9eaea4f27edf2fb4694 ld.so-1.7.11.tar.gz
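The two mitigations described under ADDITIONAL INFORMATION, sketched as an added example (not code from the advisory, NetKit or ld.so). The function names and the `LD_` prefix test are assumptions made for illustration; the advisory does not list the filtered variables.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Assumption: the advisory does not name the variables. "LD_" is the
 * prefix the dynamic loader uses for library overrides such as
 * LD_LIBRARY_PATH and LD_PRELOAD. */
static int is_loader_var(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0;
}

/* Daemon-side fix: compact envp in place, dropping loader variables
 * received from the remote client. Returns the number removed. */
int scrub_env(char **envp)
{
    char **dst = envp;
    int dropped = 0;
    for (char **src = envp; *src != NULL; src++) {
        if (is_loader_var(*src))
            dropped++;
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return dropped;
}

/* Loader-side fix: honour alternative libraries only when real and
 * effective ids match, i.e. the program is not setuid/setgid. A login
 * started by a root daemon has matching ids, so the daemon-side scrub
 * is still needed. */
int loader_honours_overrides(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == euid && rgid == egid;
}

int main(void)
{
    /* Constructed sample environment, as a telnet client might send it. */
    char *env[] = { "TERM=vt100", "LD_LIBRARY_PATH=/some/dir",
                    "DISPLAY=host:0", "LD_PRELOAD=/some/lib.so", NULL };
    int n = scrub_env(env);
    printf("dropped %d variable(s); kept:\n", n);
    for (char **e = env; *e != NULL; e++)
        printf("  %s\n", *e);
    printf("setuid process honours overrides: %d\n",
           loader_honours_overrides(1000, 0, 100, 100));
    return 0;
}
```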
CREDITS:
We appreciate the help of the distribution maintainers who
provided us with the information:
Marc R. Ewing <marc@redhat.com>
Patrick J. Volkerding <volkerdi@mhd1.moorhead.msus.edu>
Peter Tobias <tobias@server.et-inf.fho-emden.de>
Alan Cox <iialan@iifeak.swan.ac.uk>
David Engel <david@elo.ods.com>
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----
============================================================================
Alexander O. Yuriev Email: alex@bach.cis.temple.edu
CIS Labs, TEMPLE UNIVERSITY WWW: http://bach.cis.temple.edu/personal/alex
Philadelphia, PA, USA
KeyID: 1024/D62D4489 Key Fingerprint: AE84534377CCC4E2 37B13C4D8CD3D501
Unless otherwise stated, everything above is my personal opinion and not an
opinion of any organisation affiliated with me.
=============================================================================