Bugtraq mailing list archives

Re: Telnet attack on SGI


From: ckd () loiosh kei com (Christopher Davis)
Date: Fri, 3 Nov 1995 10:31:43 -0500



JM> == Justin Mason <jmason () iona ie>

 JM> The env vars that spring to mind as being useful across a network are:
 JM> TZ, DISPLAY and TERM.

I'd probably add TERMCAP, and of course USER which is part of the
autologin stuff.  (If you send USER across without also sending Kerberos
authentication or whatever, you get just a password prompt... kind of like
rlogin, but with all of the functionality of telnet.)

 JM> Of course, to allow future enhancements, this should be a
 JM> configurable option for the telnetd.

Most definitely.

Here's my patch to telnet-95.10.23 (probably applies to .NE too, though
the line numbers might change) that implements the "only what is
explicitly permitted" behavior.  It's not configurable though.

The "KRB" blocking change in the "all is permitted except what's blocked"
code is for people using CNS with the Borman telnetd instead of the CNS
telnetd.

As with any PGP-signed patch, you'll need to trim off the "- " from some
lines to make patch recognize it.

- --- sys_term.c~       Mon Oct 23 10:47:17 1995
+++ sys_term.c  Thu Nov  2 10:41:40 1995
@@ -1823,10 +1823,20 @@
        register char **cpp, **cpp2;

        for (cpp2 = cpp = environ; *cpp; cpp++) {
+#ifdef INSUFFICIENTLY_PARANOID
                if (strncmp(*cpp, "LD_", 3) &&
                    strncmp(*cpp, "_RLD_", 5) &&
                    strncmp(*cpp, "LIBPATH=", 8) &&
+                   /* ckd addition 951102 */
+                   strncmp(*cpp, "KRB", 3) &&
                    strncmp(*cpp, "IFS=", 4))
+#else
+               if (strncmp(*cpp, "TZ=", 3) == 0 ||
+                   strncmp(*cpp, "USER=", 5) == 0 ||
+                   strncmp(*cpp, "TERM=", 5) == 0 ||
+                   strncmp(*cpp, "DISPLAY=", 8) == 0 ||
+                   strncmp(*cpp, "TERMCAP=", 8) == 0)
+#endif /* INSUFFICIENTLY_PARANOID */
                        *cpp2++ = *cpp;
        }
        *cpp2 = 0;
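
Review bot: The allowlist arm (the `#else` branch) filters on variable names only; the values of TZ, USER, TERM, DISPLAY and TERMCAP are copied through with `*cpp2++ = *cpp;` unchanged, so the patch bounds which names reach login, not what they contain, and that should be stated in a comment next to the list so nobody later assumes the values were sanitized here. In the blocklist arm, the new `strncmp(*cpp, "KRB", 3)` has no trailing `=` while every neighbouring entry does, so it drops every variable whose name starts with KRB; the covering note says that is deliberate for CNS, but the in-code comment should say so rather than just the date. Mixing implicit non-zero tests (`strncmp(...) &&`) in one arm with explicit `== 0 ||` in the other invites misreading, and `!= 0` in the first arm would make the two consistent. Finally, defining INSUFFICIENTLY_PARANOID selects the weaker behaviour, which reads backwards from the usual feature-macro convention; naming the macro for what it enables, or better, moving the permitted names into a runtime table as suggested earlier in the thread, would also resolve the "not configurable" caveat.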

