Bugtraq mailing list archives

Re: Telnet attack on SGI


From: fc () all net (Dr. Frederick B. Cohen)
Date: Wed, 1 Nov 1995 16:34:18 -0500


There are two ways I know of to protect against this attack until SGI has a
patch ready.  One would be to write a wrapper that removes "dangerous"
environment variables.  Obviously, figuring out which ones are dangerous is
the trick!  Certainly anything that starts LD_ or _RLD should be removed.  But
there may always be others you don't know about.

The approach we have taken in our secure Web executable server (still
under test) is to only pass variables whose names start with 'W' and
remove any non-safe characters from variable assignments.  We then pass
the environment on to our executables.  This also eliminates other
sickness related to using the shell for (hah) secure applications (like
setting the IFS to K and sending rmK-rfK/ to a script interpreter).

The trick here is that variables we don't know about that don't start
with 'W' are not passed.  I would feel even better if it were something
like World-Wide-Web-Sick-Variable but efficiency is worth something.

--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
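
The allowlist filter described in the message above, sketched in C as an added example; it is not part of the original post and is not the author's server code. The function name `filter_env`, the set of characters treated as safe, and the sample environment are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Assumption: the post does not define "safe" characters; this set
 * (alphanumerics plus . _ - / : @ + ,) is illustrative only. */
static int is_safe_char(unsigned char c)
{
    return c != '\0' && (isalnum(c) || strchr("._-/:@+,", c) != NULL);
}

/* Keep only NAME=value entries whose NAME starts with `prefix`; anything
 * else (LD_*, _RLD*, IFS, names nobody thought of) is dropped by default.
 * Unsafe characters are stripped from kept entries. NULL on alloc failure. */
char **filter_env(char *const envp[], char prefix)
{
    size_t count = 0, kept = 0;
    while (envp[count] != NULL)
        count++;
    char **out = calloc(count + 1, sizeof *out);  /* zeroed: NULL-terminated */
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < count; i++) {
        const char *entry = envp[i], *eq = strchr(entry, '=');
        if (entry[0] != prefix || eq == NULL)
            continue;                             /* not on the allowlist */
        char *copy = malloc(strlen(entry) + 1), *w = copy;
        if (copy == NULL) {
            while (kept > 0)
                free(out[--kept]);
            free(out);
            return NULL;
        }
        for (const char *r = entry; *r != '\0'; r++)
            if (r == eq || is_safe_char((unsigned char)*r))
                *w++ = *r;                        /* keep '=' and safe chars */
        *w = '\0';
        out[kept++] = copy;
    }
    return out;
}
int main(void)
{
    /* Constructed sample environment, not taken from the post. */
    char *const sample[] = { "LD_LIBRARY_PATH=/tmp/lib", "IFS=K",
                             "WNAME=report;id|x", "PATH=/bin", NULL };
    char **clean = filter_env(sample, 'W');
    for (size_t i = 0; clean != NULL && clean[i] != NULL; i++)
        puts(clean[i]);
    return 0;
}
```

A wrapper would hand the returned array to `execve(2)` as the child's `envp`, and refuse to start the child if the function returns NULL.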


