[506] in linux-security and linux-alert archive

Another telnetd security problem?

daemon@ATHENA.MIT.EDU (Marek Michalkiewicz)
Fri Dec 8 13:39:54 1995

From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
To: linux-security@tarsier.cv.nrao.edu
Date: Thu, 7 Dec 1995 15:48:23 +0100 (MET)

To be sure telnetd is not vulnerable to environment attacks, I suggest
adding one more check: environment variable names may not contain any
embedded '=' characters.

Below is a test program (it prints "IFS=bar" with libc-4.7.4 at least)
and a one-line fix (against the unofficial Debian netstd-1.23-1 telnetd).

Credits go to Sam Hartman <hartmans@mit.edu> who mentioned this problem
in a message sent to bugtraq on Oct 31.

Marek


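#include <stdio.h>
#include <stdlib.h>

int main(void)
{
	const char *val;

	/* Variable name with an embedded '='. */
	setenv("IFS=foo", "bar", 1);
	val = getenv("IFS");
	/* getenv() returns NULL if the name was rejected; NULL with %s is undefined. */
	printf("IFS=%s\n", val ? val : "(unset)");
	return 0;
}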


diff -urN telnetd.orig/state.c telnetd/state.c
--- telnetd.orig/state.c	Mon Nov  6 12:56:21 1995
+++ telnetd/state.c	Thu Dec  7 14:25:33 1995
@@ -1063,6 +1063,7 @@
 		strncmp(varp, "ELF_LD_", strlen("ELF_LD_")) &&
 		strncmp(varp, "AOUT_LD_", strlen("AOUT_LD_")) &&
 		strncmp(varp, "_RLD_", strlen("_RLD_")) &&
+		!strchr(varp, '=') &&
 		strcmp(varp, "LIBPATH") &&
 		strcmp(varp, "ENV") &&
 		strcmp(varp, "IFS")) {
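
Review bot: The new !strchr(varp, '=') test sits uncommented in the middle of the name comparisons, between the "_RLD_" prefix test and strcmp(varp, "LIBPATH"), so a later reader cannot tell that it is a different kind of check from the deny-list entries around it. Move it to the start or end of the condition and add a comment saying that a name such as "IFS=foo" does not match strcmp(varp, "IFS") yet, per the test program in this message, can still end up setting IFS through setenv().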

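An added example, not part of the original message or the telnetd source: the deny-list entries visible in the patch, applied with and without the '=' check, to show that a name such as "IFS=foo" passes the name comparisons alone. The function names, the empty-name rejection and the sample names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Prefixes and exact names taken from the deny-list lines visible in the patch. */
static const char *const bad_prefix[] = { "ELF_LD_", "AOUT_LD_", "_RLD_" };
static const char *const bad_name[]   = { "LIBPATH", "ENV", "IFS" };

/* Deny-list only, as before the patch: 1 = name accepted, 0 = rejected. */
int name_ok_denylist(const char *name)
{
	size_t i;

	for (i = 0; i < sizeof bad_prefix / sizeof bad_prefix[0]; i++)
		if (strncmp(name, bad_prefix[i], strlen(bad_prefix[i])) == 0)
			return 0;
	for (i = 0; i < sizeof bad_name / sizeof bad_name[0]; i++)
		if (strcmp(name, bad_name[i]) == 0)
			return 0;
	return 1;
}

/* With the added check: a name containing '=' is refused. An empty name is
 * refused too (an addition in this example, not part of the patch). */
int name_ok_checked(const char *name)
{
	if (name == NULL || *name == '\0' || strchr(name, '=') != NULL)
		return 0;
	return name_ok_denylist(name);
}

int main(void)
{
	/* Constructed sample names, as a peer might send them. */
	const char *samples[] = { "TERM", "IFS", "IFS=foo", "ELF_LD_PRELOAD", "LIBPATH=x" };
	size_t i;

	for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
		printf("%-16s denylist=%d checked=%d\n", samples[i],
		       name_ok_denylist(samples[i]), name_ok_checked(samples[i]));
	return 0;
}
```
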