[22180] in bugtraq


RE: ADV/EXP: netkit <=0.17 in.telnetd remote buffer overflow

daemon@ATHENA.MIT.EDU (Vidovic,Zvonimir,VEVEY,GL-IS/CIS)
Fri Aug 10 10:53:35 2001

Message-ID: <535B280C27E1D2119A79000024C8B4BA08784EBA@vevics14.nestec.ch>
From: "Vidovic,Zvonimir,VEVEY,GL-IS/CIS" <Zvonimir.Vidovic@nestle.com>
To: "'psz@maths.usyd.edu.au'" <psz@maths.usyd.edu.au>,
        bugtraq@securityfocus.com, zen-parse@gmx.net
Date: Fri, 10 Aug 2001 10:24:06 +0200
MIME-Version: 1.0
Content-Type: text/plain

Fortunately, the Debian guys did this by default in their excellent distro;
this prevents lots of exploitable machines from being readily accessible.
However, apt-get update and upgrade does fix the breach.

> -----Original Message-----
> From:	psz@maths.usyd.edu.au [SMTP:psz@maths.usyd.edu.au]
> Sent:	Thursday, 9. August 2001 23:38
> To:	bugtraq@securityfocus.com; zen-parse@gmx.net
> Subject:	Re:  ADV/EXP: netkit <=0.17 in.telnetd remote buffer overflow
> 
> zen-parse@gmx.net wrote:
> 
> > If the user has local access to the system, it is possible to get the
> > program to set arbitrary environment variables in the environment of
> > /bin/login. e.g. LD_PRELOAD=/tmp/make-rootshell.so
> 
> To protect against this (and possible bad environment processing within
> telnetd itself), create some otherwise unused group and make /bin/login
> setgid to that:
> 
> # chown root._login_ /bin/login
> # chmod 6711 /bin/login
> # ls -l /bin/login
> -rws--s--x   1 root     _login_    24752 Aug 25  2000 /bin/login
> 
> (Since telnetd runs as root, login has getuid==geteuid so the OS may follow
> LD_PRELOAD and similar variables. Using this login has getgid!=getegid and
> the OS should disallow such trickery.)
> 
> Paul Szabo - psz@maths.usyd.edu.au
> http://www.maths.usyd.edu.au:8000/u/psz/
> School of Mathematics and Statistics  University of Sydney   2006
> Australia
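
Added example (not part of the original messages, and not netkit or loader code): a C model of the getuid/geteuid and getgid/getegid comparison described in the quoted message, usable as an audit check on /bin/login. The caller is assumed to be a root telnetd with uid 0 and gid 0, and the function names are hypothetical; real loaders may consult further conditions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Real and effective ids of a process right after exec. */
struct ids { uid_t ruid, euid; gid_t rgid, egid; };

/* Model of exec: real ids come from the caller (assumed to have
 * real == effective), set-id bits replace the effective ids. */
static struct ids ids_after_exec(mode_t mode, uid_t owner, gid_t group,
                                 uid_t caller_uid, gid_t caller_gid)
{
    struct ids r = { caller_uid, caller_uid, caller_gid, caller_gid };
    if (mode & S_ISUID) r.euid = owner;  /* setuid: euid becomes file owner */
    if (mode & S_ISGID) r.egid = group;  /* setgid: egid becomes file group */
    return r;
}

/* The comparison from the message: any real/effective mismatch. */
static bool ids_differ(struct ids p)
{
    return p.ruid != p.euid || p.rgid != p.egid;
}

/* True if exec of this file by (caller_uid, caller_gid) yields a mismatch,
 * i.e. the case where the OS should ignore LD_PRELOAD-style variables. */
bool exec_shows_id_mismatch(mode_t mode, uid_t owner, gid_t group,
                            uid_t caller_uid, gid_t caller_gid)
{
    return ids_differ(ids_after_exec(mode, owner, group,
                                     caller_uid, caller_gid));
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/bin/login";
    struct stat st;
    if (stat(path, &st) != 0) { perror(path); return 2; }
    /* Assumption: the daemon that execs login runs with uid 0 and gid 0. */
    bool m = exec_shows_id_mismatch(st.st_mode, st.st_uid, st.st_gid, 0, 0);
    printf("%s mode %04o owner %u group %u: exec by uid 0/gid 0 has %s\n",
           path, (unsigned)(st.st_mode & 07777), (unsigned)st.st_uid,
           (unsigned)st.st_gid, m ? "an id mismatch" : "NO id mismatch");
    return m ? 0 : 1;
}
```

Setgid to a group the calling daemon already runs as gives no mismatch, which is why the message asks for an otherwise unused group.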
