[6089] in Kerberos
Re: Telnet vulnerability--shared library loading
daemon@ATHENA.MIT.EDU (Mark Hittinger)
Wed Nov 1 12:13:28 1995
To: kerberos@MIT.EDU
Date: 1 Nov 1995 10:50:44 -0500
From: bugs@ns1.win.net (Mark Hittinger)
hartmans@MIT.EDU (Sam Hartman) writes:
> Last Minute Update
> The rest of this memo assumes that CERT released an advisory
> Affected Telnetds
> All telnetds derived from the Telnet package distributed by
> David Borman allow the environment options to be passed.
> * NetBSD and FreeBSD are distributed with a vulnerable
> telnetd. (See below for patch info.)
Below is a patch for 2.1-ish FreeBSD. I believe the 2.2-current has the
fix and I'm hoping 2.1R will get the fix before it goes gold. Thanks to
torstenb@freebsd.org for passing the fix on to me ahead of time :-)
Another fix is to perhaps relink login as static. Perhaps all SUID images
should be linked static as a matter of policy.
*** sys_term.org Sun Sep 10 04:39:50 1995
--- sys_term.c Wed Nov 1 10:43:32 1995
***************
*** 1556,1559 ****
--- 1556,1561 ----
#endif
+ scrub_env();
+
/*
* -h : pass on name of host.
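Review bot: scrub_env() is called here at line 1558 but is only defined in the second hunk, after the NEWINIT #endif, and no prototype is visible, so the compiler falls back to an implicit int declaration at this call. Add a forward declaration ahead of the caller, for example `void scrub_env();`, and a one-line comment at the call site saying which variables are stripped and why, since the call otherwise sits unexplained between the #endif and the -h comment.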
***************
*** 1767,1770 ****
--- 1769,1798 ----
}
#endif /* NEWINIT */
+
+ /*
+ * scrub_env()
+ *
+ * Remove a few things from the environment that
+ * don't need to be there.
+ */
+ scrub_env()
+ {
+ register char **cpp, **cpp2;
+
+ for (cpp2 = cpp = environ; *cpp; cpp++) {
+ #ifdef __FreeBSD__
+ if (strncmp(*cpp, "LD_LIBRARY_PATH=", 16) &&
+ strncmp(*cpp, "LD_NOSTD_PATH=", 14) &&
+ strncmp(*cpp, "LD_PRELOAD=", 11) &&
+ #else
+ if (strncmp(*cpp, "LD_", 3) &&
+ strncmp(*cpp, "_RLD_", 5) &&
+ strncmp(*cpp, "LIBPATH=", 8) &&
+ #endif
+ strncmp(*cpp, "IFS=", 4))
+ *cpp2++ = *cpp;
+ }
+ *cpp2 = 0;
+ }
/*
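Review bot: in the __FreeBSD__ branch the filter matches only three exact names (`LD_LIBRARY_PATH=`, `LD_NOSTD_PATH=`, `LD_PRELOAD=`), while the #else branch drops everything beginning with `LD_`, so any other LD_-prefixed variable is kept on FreeBSD. Unless there is a reason to let those through, use the prefix test `strncmp(*cpp, "LD_", 3)` in both branches, or invert the logic and copy only a short list of variables known to be needed, which does not have to be revisited each time a new loader variable appears. Two smaller points: scrub_env() is defined with no return type and returns no value, so declare it `void` (and `static` if sys_term.c is its only caller), and the header comment "a few things ... that don't need to be there" should name the loader variables and IFS and state that they are removed because the client can set them.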
-----------
Regards,
Mark Hittinger
Internet Manager
WinNET Communications, Inc.
bugs@win.net