Re: ADV/EXP: netkit <=0.17 in.telnetd remote buffer overflow

From: Paul Szabo (pszat_private)
Date: Thu Aug 09 2001 - 14:37:42 PDT


    zen-parseat_private wrote:
    
    > If the user has local access to the system, it is possible to get the
    > program to set arbitrary environment variables in the environment of
    > /bin/login. e.g. LD_PRELOAD=/tmp/make-rootshell.so
    
    To protect against this (and possible bad environment processing within
    telnetd itself), create some otherwise unused group and make /bin/login
    setgid to that:
    
    # chown root._login_ /bin/login
    # chmod 6711 /bin/login
    # ls -l /bin/login
    -rws--s--x   1 root     _login_    24752 Aug 25  2000 /bin/login
    
    (Since telnetd runs as root, login has getuid==geteuid so the OS may follow
    LD_PRELOAD and similar variables. Using this, login has getgid!=getegid and
    the OS should disallow such trickery.)
    
    Paul Szabo - pszat_private  http://www.maths.usyd.edu.au:8000/u/psz/
    School of Mathematics and Statistics  University of Sydney   2006  Australia
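
The real-versus-effective id comparison described in the message above, as an added example that is not part of the original post: it predicts from a file's mode, owner and group whether a program exec'd by a root-run daemon ends up with differing real and effective ids. Assumptions: the caller has uid 0 and gid 0 as telnetd would, the filesystem is not mounted nosuid, the Linux rule that setgid only takes effect when group-execute is also set applies, and all function names are hypothetical.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Added example: a model of the id check only, not the dynamic loader's code. */
struct creds { uid_t ruid, euid; gid_t rgid, egid; };

/* Credentials after exec of a file with this mode/owner/group.
 * Assumption: not a nosuid mount. Linux honours setgid only when the
 * group-execute bit is set as well. */
static struct creds after_exec(struct creds c, mode_t mode, uid_t owner, gid_t group)
{
    if (mode & S_ISUID)
        c.euid = owner;
    if ((mode & S_ISGID) && (mode & S_IXGRP))
        c.egid = group;
    return c;
}

/* LD_PRELOAD and similar variables are distrusted when real != effective. */
static int ignores_preload(struct creds c)
{
    return c.ruid != c.euid || c.rgid != c.egid;
}

/* Caller has real == effective ids, as a daemon started by root does. */
static int login_is_protected(uid_t uid, gid_t gid, mode_t mode, uid_t owner, gid_t group)
{
    struct creds caller = { uid, uid, gid, gid };
    return ignores_preload(after_exec(caller, mode, owner, group));
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/bin/login";
    struct stat st;

    if (stat(path, &st) != 0) {
        perror(path);
        return 2;
    }
    /* Assumed caller: uid 0, gid 0 (telnetd running as root). */
    int ok = login_is_protected(0, 0, st.st_mode, st.st_uid, st.st_gid);
    printf("%s mode %04o owner %ld group %ld: %s\n", path,
           (unsigned)(st.st_mode & 07777), (long)st.st_uid, (long)st.st_gid,
           ok ? "real != effective ids when run by root"
              : "real == effective ids when run by root");
    return ok ? 0 : 1;
}
```

A setgid bit whose group is root's own gid changes nothing, which is why the group has to be one that is otherwise unused.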
    



    This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 15:51:43 PDT