Bugtraq mailing list archives

RE: ADV/EXP: netkit <=0.17 in.telnetd remote buffer overflow


From: "Vidovic,Zvonimir,VEVEY,GL-IS/CIS" <Zvonimir.Vidovic () nestle com>
Date: Fri, 10 Aug 2001 10:24:06 +0200

Fortunately, the Debian guys did this by default in their excellent distro;
this prevents lots of exploitable machines from being readily accessible.
However, apt-get update and upgrade does fix the breach.

-----Original Message-----
From: psz () maths usyd edu au [SMTP:psz () maths usyd edu au]
Sent: Thursday, 9. August 2001 23:38
To:   bugtraq () securityfocus com; zen-parse () gmx net
Subject:      Re:  ADV/EXP: netkit <=0.17 in.telnetd remote buffer overflow

zen-parse () gmx net wrote:

If the user has local access to the system, it is possible to get the
program to set arbitrary environment variables in the environment of
/bin/login. e.g. LD_PRELOAD=/tmp/make-rootshell.so

To protect against this (and possible bad environment processing within
telnetd itself), create some otherwise unused group and make /bin/login
setgid to that:

# chown root._login_ /bin/login
# chmod 6711 /bin/login
# ls -l /bin/login
-rws--s--x   1 root     _login_    24752 Aug 25  2000 /bin/login

(Since telnetd runs as root, login has getuid==geteuid so the OS may follow
LD_PRELOAD and similar variables. Using this login has getgid!=getegid and
the OS should disallow such trickery.)

Paul Szabo - psz () maths usyd edu au
http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006
Australia

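The hardening Paul Szabo describes above, written out as a script with a verification step. This is an added example, not code from either post: it assumes a Linux box with GNU coreutils (`stat -c`) and `groupadd`, and reuses the group name `_login_` from the post. The check encodes the reasoning in the post: the dynamic loader only ignores LD_PRELOAD and friends when the process is in secure-execution mode (glibc's AT_SECURE, set when euid!=uid or egid!=gid), so the file must be setgid to some group other than gid 0, because telnetd already runs as root:root and a setgid-root login would still have getgid()==getegid().

```shell
#!/bin/sh
# Added example (not from the Bugtraq posts): make /bin/login setuid root
# and setgid to an otherwise unused group, then verify the result.
# Assumptions: Linux, GNU coreutils stat, groupadd; group name "_login_".

# Pure check on the two numbers printed by `stat -c '%a %g' FILE`.
# Returns 0 only when the mode carries both the setuid and setgid bits
# and the group is not gid 0.  Any other combination leaves login with
# getuid()==geteuid() and getgid()==getegid() when spawned by a root
# telnetd, so the loader would still honour LD_PRELOAD.
mode_hardened() {
    mode=$1
    gid=$2
    case "$mode" in
        ????) special=${mode%???} ;;   # "6711": leading digit holds suid/sgid/sticky
        ???)  special=0 ;;             # "711": no special bits at all
        *)    return 2 ;;              # not something stat printed
    esac
    [ $(( special & 4 )) -ne 0 ] || return 1   # setuid bit missing
    [ $(( special & 2 )) -ne 0 ] || return 1   # setgid bit missing
    [ "$gid" -ne 0 ] || return 1               # setgid to root changes nothing
    return 0
}

# Run the check against a real file (default /bin/login).
check_login() {
    path=${1:-/bin/login}
    set -- $(stat -c '%a %g' "$path" 2>/dev/null)
    mode_hardened "${1:-}" "${2:-}"
}

# Apply the change from the post.  Must run as root.
harden_login() {
    grp=${1:-_login_}
    getent group "$grp" >/dev/null 2>&1 || groupadd -r "$grp"
    chown "root:$grp" /bin/login          # same as the post's chown root._login_
    chmod 6711 /bin/login                 # rwsr-s--x
    check_login /bin/login
}

# Report the current state without changing anything.
if check_login /bin/login; then
    echo "/bin/login: setuid root and setgid to a non-root group"
else
    echo "/bin/login: NOT hardened (run harden_login as root)"
fi
```

On Debian the mode would be reset by the next package upgrade unless it is recorded with `dpkg-statoverride --update --add root _login_ 6711 /bin/login`; that command is my addition, not something the thread mentions.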
