[22168] in bugtraq

Re: ADV/EXP: netkit <=0.17 in.telnetd remote buffer overflow

daemon@ATHENA.MIT.EDU (Paul Szabo)
Thu Aug 9 18:58:11 2001

Date: Fri, 10 Aug 2001 07:37:42 +1000 (EST)
From: psz@maths.usyd.edu.au (Paul Szabo)
Message-Id: <200108092137.f79Lbgs175270@milan.maths.usyd.edu.au>
To: bugtraq@securityfocus.com, zen-parse@gmx.net

zen-parse@gmx.net wrote:

> If the user has local access to the system, it is possible to get the
> program to set arbitrary environment variables in the environment of
> /bin/login. e.g. LD_PRELOAD=/tmp/make-rootshell.so

To protect against this (and possible bad environment processing within
telnetd itself), create some otherwise unused group and make /bin/login
setgid to that:

# chown root._login_ /bin/login
# chmod 6711 /bin/login
# ls -l /bin/login
-rws--s--x   1 root     _login_    24752 Aug 25  2000 /bin/login

(Since telnetd runs as root, login has getuid==geteuid so the OS may follow
LD_PRELOAD and similar variables. Using this login has getgid!=getegid and
the OS should disallow such trickery.)

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia
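
Added example, not part of the original message: a simplified C model of the reasoning above, showing how exec() derives effective ids from the file's set-id bits and why the loader's real-versus-effective comparison only trips for a root caller once /bin/login is setgid to a different group. The gid 999 for _login_, the uid 1000 local user, and all function names are assumptions made for illustration.

```c
/* Simplified model: real kernels also weigh capabilities and LSM state
 * when deciding on secure execution; only the uid/gid test is modelled. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

struct creds { uid_t uid, euid; gid_t gid, egid; };

#define LOGIN_GID 999 /* constructed gid for the otherwise unused group */

/* Credentials a process holds after exec() of a file with this mode/owner. */
struct creds exec_creds(struct creds caller, mode_t mode, uid_t fuid, gid_t fgid)
{
    struct creds c = caller;           /* real ids are inherited unchanged */
    if (mode & S_ISUID) c.euid = fuid; /* setuid bit: euid = file owner */
    if (mode & S_ISGID) c.egid = fgid; /* setgid bit: egid = file group */
    return c;
}

/* The loader's test: any real/effective mismatch means LD_PRELOAD and
 * similar variables are not honoured. */
int secure_mode(struct creds c)
{
    return c.uid != c.euid || c.gid != c.egid;
}

/* Would a root-owned /bin/login with this mode and group ignore LD_PRELOAD? */
int login_is_protected(struct creds caller, mode_t mode, gid_t fgid)
{
    return secure_mode(exec_creds(caller, mode, 0, fgid));
}

int main(void)
{
    struct creds telnetd = {0, 0, 0, 0};          /* telnetd runs as root */
    struct creds user = {1000, 1000, 1000, 1000}; /* constructed local user */
    struct creds self = {getuid(), geteuid(), getgid(), getegid()};

    printf("telnetd -> 4711 root:root    protected=%d\n",
           login_is_protected(telnetd, 04711, 0));
    printf("telnetd -> 6711 root:_login_ protected=%d\n",
           login_is_protected(telnetd, 06711, LOGIN_GID));
    printf("user    -> 4711 root:root    protected=%d\n",
           login_is_protected(user, 04711, 0));
    printf("this process                 secure=%d\n", secure_mode(self));
    return 0;
}
```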
