[645] in linux-security and linux-alert archive

[linux-security] sliplogin hole explanation

daemon@ATHENA.MIT.EDU (Olaf Kirch)
Fri Mar 29 20:51:09 1996

to: linux-security@tarsier.cv.nrao.edu
Date: Sat, 30 Mar 1996 02:16:57 +0100
From: Olaf Kirch <okir@monad.swb.de>

Hi all,

here's the explanation of the sliplogin hole I reported earlier.

We all know that you can pass most environment variables to a login
shell when started through telnetd. Assuming you have the password for a
sliplogin account on a Linux box, you can pass the ENV variable in this
fashion.

The attack goes something like this:

ENV='`/evil/command`' telnet
telnet> environ export ENV
telnet> open targethost

You then log into your regular slip account, which executes sliplogin as
your login shell. Sliplogin, in turn, runs the /etc/slip.login shell
script using bash. At startup, bash evaluates *and expands* ENV to
obtain the name of a startup file to use instead of .bashrc, and
faithfully executes /evil/command. This is particularly nasty since
sliplogin runs the login/logout scripts under the real and effective uid
of root in order to be able to manipulate network interfaces and routing
tables.

The fix in the new version of sliplogin is to clean out the entire
environment, and pass only a predefined PATH variable when running
slip.login or slip.logout.

Best wishes
Olaf
-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
             For my PGP public key, finger okir@brewhq.swb.de.
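
The fix described in the message above, sketched as an added example (not part of the original post and not sliplogin's own code): the privileged helper hands the shell a fixed environment containing only PATH, so an ENV exported by the caller never reaches it. The PATH value, the function names and the constructed tainted_env array are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The post only says "a predefined PATH"; this value is an assumption. */
static char *const clean_env[] = { "PATH=/bin:/usr/bin:/sbin:/usr/sbin", NULL };

/* Constructed stand-in for an environment that arrived via telnetd:
 * it carries an ENV entry chosen by the remote user (harmless here). */
static char *const tainted_env[] = {
    "PATH=/bin:/usr/bin", "ENV=/constructed/startup-file", NULL
};

/* Fork and run `cmd` through /bin/sh with exactly the environment `envp`.
 * Returns the child's exit status (127 if exec fails), or -1 if fork or
 * waitpid fails or the child did not exit normally. */
static int run_sh(const char *cmd, char *const envp[])
{
    char *const argv[] = { "sh", "-c", (char *)cmd, NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/sh", argv, envp);   /* envp replaces the environment */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Behaviour of the fix as the post describes it: nothing is inherited,
 * the shell sees the predefined PATH and no other variable. */
static int run_script_clean(const char *cmd)
{
    return run_sh(cmd, clean_env);
}

int main(void)
{
    /* Probe exits 0 when the shell can see an ENV variable, 1 otherwise. */
    const char *probe = "test -n \"${ENV+set}\"";
    int leaked  = run_sh(probe, tainted_env);   /* pre-fix: ENV visible */
    int cleaned = run_script_clean(probe);      /* post-fix: ENV gone   */
    return (leaked == 0 && cleaned == 1) ? 0 : 1;
}
```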