[6104] in Kerberos
Re: Telnet vulnerability--shared library loading
daemon@ATHENA.MIT.EDU (Mario Klebsch DG1AM)
Thu Nov 2 09:57:27 1995
To: kerberos@MIT.EDU
Date: 2 Nov 95 13:50:30 GMT
From: mkl@rob.cs.tu-bs.de (Mario Klebsch DG1AM)
Casper.Dik@Holland.Sun.COM (Casper H.S. Dik - Network Security Engineer) writes:
>Solaris 2.5 telnetd was fixed just in time for FCS.
>However, anyone running almost any alpha/beta version of Solaris 2.5
>is vulnerable to this problem.
>Solaris 2.4 and earlier Sun telnetds (including SunOS 4.x) did
>not pass environment variables other than $TERM.
>For Suns, the easiest way to check is this (using a modern telnet client):
>% telnet
>telnet> env define LD_PRELOAD /no-such-file
>telnet> env export LD_PRELOAD
>telnet> open host
LD_PRELOAD and login?
# ls -l `which login`
-r-sr-xr-x 1 root bin 27260 Jul 16 1994 /usr/bin/login
#
This has been a problem before. But I heard they remove the LD_* env
variables now when an suid root executable is started. Perhaps it
cannot determine that it is suid root when it is started as root. But
then, running telnetd as nobody would cure the problem, wouldn't it?
73, Mario
--
Mario Klebsch, DG1AM, M.Klebsch@tu-bs.de +49 531 / 391 - 7457
Institut fuer Robotik und Prozessinformatik der TU Braunschweig
Hamburger Strasse 267, 38114 Braunschweig, Germany
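The mitigation the thread circles around (older Sun telnetds passed nothing but TERM to login, and relying on the dynamic loader to drop LD_* for a process that is already root is what went wrong) amounts to an allowlist on the environment a remote client may export. The following C code is an added example, not code from this post, from Casper Dik's message, or from any telnetd; the allowlist contents and the function names are assumptions. It filters a client-supplied environment array down to allowlisted names before a server would exec login, dropping LD_PRELOAD and similar variables regardless of whether the loader would honour them.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Names a remote telnet client is permitted to export into the
 * environment of login(1). The list is an assumption for this example;
 * the thread only states that Solaris 2.4 and earlier passed TERM alone.
 * Anything not listed (LD_PRELOAD, LD_LIBRARY_PATH, ...) is dropped.
 */
static const char *const kAllowedNames[] = { "TERM", "DISPLAY", "LANG", NULL };

/* Return 1 if a "NAME=value" entry has an allowlisted NAME, else 0.
 * Entries without '=' or with an empty name are rejected as malformed. */
int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;
    size_t namelen = (size_t)(eq - entry);
    for (const char *const *p = kAllowedNames; *p != NULL; ++p) {
        if (strlen(*p) == namelen && memcmp(*p, entry, namelen) == 0)
            return 1;
    }
    return 0;
}

/*
 * Copy the allowlisted entries of the NULL-terminated array `in` into
 * `out` (capacity `cap`, including the terminating NULL). Returns the
 * number of entries kept, or -1 if `out` is too small.
 */
int filter_env(char *const in[], char *out[], size_t cap)
{
    size_t kept = 0;
    for (size_t i = 0; in[i] != NULL; ++i) {
        if (!env_entry_allowed(in[i]))
            continue;
        if (kept + 1 >= cap)          /* keep room for the NULL terminator */
            return -1;
        out[kept++] = in[i];
    }
    out[kept] = NULL;
    return (int)kept;
}

/* Run the filter over a constructed sample of what a client could send
 * with "env export", print the survivors, and return how many were kept. */
int demo_filter(void)
{
    char *client_env[] = {
        "TERM=vt100",
        "LD_PRELOAD=/no-such-file",     /* the probe from the thread */
        "LD_LIBRARY_PATH=/tmp",
        "=empty-name",                  /* malformed entry */
        "LANG=C",
        NULL
    };
    char *clean[8];
    int n = filter_env(client_env, clean, sizeof clean / sizeof clean[0]);
    printf("kept %d of 5 entries:\n", n);
    for (int i = 0; i < n; ++i)
        printf("  %s\n", clean[i]);
    /* A server would now execve("/usr/bin/login", argv, clean). */
    return n;
}

int main(void)
{
    return demo_filter() == 2 ? 0 : 1;
}
```

The allowlist, rather than a blocklist of LD_* names, is the point: a blocklist has to anticipate every loader and shell variable that matters, while an allowlist fails closed when a new one appears.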