Bugtraq mailing list archives
Re: Telnet attack on SGI
From: hartmans () MIT EDU (Sam Hartman)
Date: Wed, 1 Nov 1995 19:03:08 -0500
"Douglas" == Douglas Siebert <dsiebert () icaen uiowa edu> writes:
Douglas> I'm curious exactly to see exactly how the various
Douglas> vendors that have this vulnerability choose to fix it in
Douglas> the long term. In the short term, patching telnetd seems
Douglas> to be the solution. But what if the dynamic linker gets
Douglas> a new variable in the future, and the people responsible
Douglas> for that don't let the people responsible for telnetd
Douglas> know? A better fix, IMHO, would be some sort of way to
Douglas> compile some executables without support for altering
Douglas> paths in this way. HP by default does not allow you to
Douglas> modify the searching rules used for finding shared
Douglas> libraries. But with a linker option, you can allow the
Douglas> environment variable SHLIB_PATH to modify the searching
Douglas> rules. It's a bit less flexible than, say, Sun or SGI,
Douglas> but there are no worries about this sort of attack ever
Douglas> being possible unless HP compiled system binaries with
Douglas> this option, which they would of course be crazy to do.

David Borman said he was working on an environment configuration file that would allow you to restrict some variables, encode others so that you could run a short program (or build it into login) to decode them and add to the environment, and allow other variables like TERM through un-modified. I would probably apply such a solution to the Kerberos 5 telnetd when it becomes available; it sounds like a better approach than limiting user flexibility.

Ideally, there should be a way to pass environment variables into login in some sort of sane way outside the environment and have login add them. I believe many sysv logins will allow you to specify environment variables on the command line. This might be worth experimenting with--perhaps we could convince the BSD folks to add this if it had useful security benefits.

Douglas> -- Doug Siebert dsiebert () icaen uiowa edu
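
An allowlist form of the environment filtering discussed in this message, as an added example that is not from the post, from David Borman's work, or from any telnetd source. The policy table, function names and sample variables are assumptions; because only named variables pass, a dynamic-linker variable introduced later is dropped without telnetd having to learn its name.

```c
#include <stdio.h>
#include <string.h>

/* Assumed policy: the only names a client may pass through to login. */
static const char *const ALLOWED[] = { "TERM", "DISPLAY", NULL };

/* Accept only short, printable-ASCII values (no control characters). */
static int value_ok(const char *v)
{
    if (*v == '\0' || strlen(v) > 255)
        return 0;
    for (; *v; v++)
        if (*v < 0x20 || *v > 0x7e)
            return 0;
    return 1;
}

/* 1 if "NAME=value" names an allowlisted variable with an acceptable value. */
int env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;
    size_t len = (size_t)(eq - entry);
    for (size_t i = 0; ALLOWED[i] != NULL; i++)
        if (strlen(ALLOWED[i]) == len && strncmp(entry, ALLOWED[i], len) == 0)
            return value_ok(eq + 1);
    return 0;   /* unknown name: dropped, whatever it is */
}

/* Copy allowed entries of in[] into out[] (cap slots, NULL-terminated). */
size_t filter_env(const char *const in[], const char *out[], size_t cap)
{
    size_t kept = 0;
    for (size_t i = 0; in[i] != NULL && kept + 1 < cap; i++)
        if (env_allowed(in[i]))
            out[kept++] = in[i];
    out[kept] = NULL;
    return kept;
}

int main(void)
{
    /* Constructed client-supplied variables; FUTURE_LINKER_VAR is hypothetical. */
    const char *client[] = { "TERM=vt100", "LD_LIBRARY_PATH=/tmp", "SHLIB_PATH=/tmp",
                             "FUTURE_LINKER_VAR=/tmp", "DISPLAY=host:0", NULL };
    const char *clean[8];
    for (size_t i = 0, n = filter_env(client, clean, 8); i < n; i++)
        puts(clean[i]);
}
```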