[6208] in Kerberos
Re: Telnet vulnerability--shared library loading
daemon@ATHENA.MIT.EDU (Vadim Kolontsov)
Sat Nov 11 05:19:33 1995
To: kerberos@MIT.EDU
Date: 11 Nov 1995 11:31:22 GMT
From: vadim@mailserv.tversu.ac.ru (Vadim Kolontsov)
Mark Hittinger (bugs@news.win.net) wrote:
: hartmans@MIT.EDU (Sam Hartman) writes:
: > Last Minute Update
: > The rest of this memo assumes that CERT released an advisory
: > Affected Telnetds
: > All telnetds derived from the Telnet package distributed by
: > David Borman allow the environment options to be passed.
: > * NetBSD and FreeBSD are distributed with a vulnerable
: > telnetd. (See below for patch info.)
: Below is a patch for 2.1-ish FreeBSD. I believe the 2.2-current has the
: fix and I'm hoping 2.1R will get the fix before it goes gold. Thanks to
: torstenb@freebsd.org for passing the fix on to me ahead of time :-)
As far as I know, FreeBSD uses the path to shared libraries which is stored
in the /var/run/ld.so.hints file, instead of using environment variables like LD_*.
You can change ld.so.hints with ldconfig, but you need root privileges
to do it. If you define LD_*, the new path is only appended to the info in ld.so.hints,
but does not overwrite it.
Maybe I can play with IFS= or something else, but not with LD_* (_IMHO_).
Example:
---------------------------------------------------
telnet> environ define LD_LIBRARY_PATH /tmp
telnet> environ define LD_PRELOAD /tmp
telnet> environ define LD_NOSTD_PATH /tmp
telnet> environ export LD_LIBRARY_PATH
telnet> environ export LD_PRELOAD
telnet> environ export LD_NOSTD_PATH
telnet> o localhost
Trying 127.0.0.1...
Connected to localhost.tversu.ac.ru.
Escape character is '^]'.
FreeBSD (mailserv) (ttyp3)
login:
---------------------------------------------------
Am I wrong?
Best regards, Vadim.
P.S. We use FreeBSD 2.0.5 RELEASE.
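
An added example, not part of the original post and not taken from any telnetd source: one way a daemon that accepts client-supplied environment variables can drop the names discussed in this thread (LD_* and IFS) before it starts login. The names `scrub_env`, `env_is_denied` and the denylist contents are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Assumption: denylist built from the names mentioned in this thread
 * (LD_* and IFS); a real daemon may need more entries. */
static const char *const deny_prefix[] = { "LD_", NULL };  /* any LD_* name */
static const char *const deny_exact[]  = { "IFS", NULL };  /* whole name    */

/* Return 1 if a "NAME=value" entry must not reach the login process. */
static int env_is_denied(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t namelen = eq ? (size_t)(eq - entry) : strlen(entry);
    size_t i;
    for (i = 0; deny_prefix[i]; i++)
        if (strncmp(entry, deny_prefix[i], strlen(deny_prefix[i])) == 0)
            return 1;
    for (i = 0; deny_exact[i]; i++)
        if (strlen(deny_exact[i]) == namelen &&
            strncmp(entry, deny_exact[i], namelen) == 0)
            return 1;
    return 0;
}

/* Compact a NULL-terminated envp in place; return how many were dropped. */
int scrub_env(char **envp)
{
    char **src, **dst;
    int removed = 0;
    for (src = dst = envp; *src; src++) {
        if (env_is_denied(*src))
            removed++;
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample: what a client could send via "environ export". */
    char *env[] = { "TERM=vt100", "LD_LIBRARY_PATH=/tmp", "LD_PRELOAD=/tmp",
                    "IFS=/", "LD_NOSTD_PATH=/tmp", "IFSX=1", NULL };
    char **p;
    printf("removed %d\n", scrub_env(env));
    for (p = env; *p; p++)
        puts(*p);
    return 0;
}
```

The scrub has to run after all client-supplied variables have been collected and before login is executed, so that nothing exported later bypasses it.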