Bugtraq mailing list archives

Re: Telnet attack on SGI

From: hartmans () MIT EDU (Sam Hartman)
Date: Wed, 1 Nov 1995 19:03:08 -0500

"Douglas" == Douglas Siebert <dsiebert () icaen uiowa edu> writes:



    Douglas> I'm curious exactly to see exactly how the various
    Douglas> vendors that have this vulnerability choose to fix it in
    Douglas> the long term.  In the short term, patching telnetd seems
    Douglas> to be the solution.  But what if the dynamic linker gets
    Douglas> a new variable in the future, and the people responsible
    Douglas> for that don't let the people responsible for telnetd
    Douglas> know?  A better fix, IMHO, would be some sort of way to
    Douglas> compile some executables without support for altering
    Douglas> paths in this way.  HP by default does not allow you to
    Douglas> modify the searching rules used for finding shared
    Douglas> libraries.  But with a linker option, you can allow the
    Douglas> environment variable SHLIB_PATH to modify the searching
    Douglas> rules.  Its a bit less flexible than, say, Sun or SGI,
    Douglas> but there are no worries about this sort of attack ever
    Douglas> being possible unless HP compiled system binaries with
    Douglas> this option, which they would of course be crazy to do.

        David Borman said he was working on an environment
configuration file that would allow you to restrict some varibles,
encode others so that you could run a short program (or build it into
login) to decode them and add to the environment, and allow other
variables like TERM through un-modified.  I would probably apply such
a solution to the Kerberos 5 telnetd when it becomes available; it
sounds like a better approach than limiting user flexibility.

        Ideally, there should be a way to pass environment variables
into login in some sort of sane way outside the environment and have
login add them.  I believe many sysv logins will allow you to specify
environment variables on the command line.  This might be worth
experimenting with--perhaps we could convince the BSD folks to add
this if it had useful security benefits.
    Douglas> -- Doug Siebert dsiebert () icaen uiowa edu

Current thread:

Re: Does the shared lib bug work on any suid program ?, (continued)
- - Re: Does the shared lib bug work on any suid program ? John Capo (Nov 03)
  - Re: Does the shared lib bug work on any suid program ? Justin Mason (Nov 06)
- a point is being missed *Hobbit* (Nov 03)
  - Re: a point is being missed Scott Barman (Nov 03)
  - Re: a point is being missed John Stewart (Nov 03)
  - Re: a point is being missed Douglas Siebert (Nov 03)
    - Re: a point is being missed Richard Todd (Nov 04)
  - Re: a point is being missed Casper Dik (Nov 04)
- Re: Telnet attack on SGI Edwin Kremer (Nov 09)
  - Re: Telnet attack on SGI Edwin Kremer (Nov 10)
- Re: Telnet attack on SGI Sam Hartman (Nov 01)
  - Re: Telnet attack on SGI Casper Dik (Nov 06)
- Re: Telnet attack on SGI Adrian (Nov 03)
- Re: Telnet attack on SGI Sam Hartman (Nov 03)
- Re: Telnet attack on SGI Michael/Miguel Sanchez (Nov 09)
- Re: Telnet attack on SGI Michael/Miguel Sanchez (Nov 10)