Bugtraq mailing list archives
Re: Telnet attack on SGI
From: hartmans () MIT EDU (Sam Hartman)
Date: Sat, 4 Nov 1995 00:16:32 -0500
The following message is a courtesy copy of an article that has been posted as well.
"Adam" == Adam Shostack <adam () bwh harvard edu> writes:
In article <199511021900.OAA03205 () cushing bwh harvard edu> Adam Shostack <adam () bwh harvard edu> writes: Adam> Doug Siebert wrote: | There are two ways I know of to Adam> protect against this attack until SGI has a | patch ready. Adam> One would be to write a wrapper that removes "dangerous" | Adam> environment variables. Obviously, figuring out which ones Adam> are dangerous is | the trick! Certainly anything that Adam> starts LD_ or _RLD should be | removed. But | there may Adam> always be others you don't know about. You'd take your Adam> wrapper and Adam> A wrapper should only pass 'trusted' and needed Adam> environment variables. TZ, LANG, TERMCAP and the like. Its Adam> much easier to figure out what you need than what you Adam> shouldn't trust. I fundamentally disagree. This denys the user the ability to add useful funcationality by using environment variables in shell scripts, etc. Basically, login needs to have a well-defined, documented interface, including all deppendencies--even dependencies on dynamic loading and the libc. Programs that login trust need to coordinate with this interface and make sure they do not violate it. It might also be useful for a mechanism to be added so that telnetd can tell login about "untrusted" environment variables, which login adds to the environment *after* the setuid call. Then, all environment variables passed by options could be considered untrusted. However, in order to maintain flexibility on the part of the system administrator, environment variables like LD_LIBRARY_PATH inherited from telnetd by inetd should be passed to login unmodified. Adam> Logdaemon is supposedly not affected by this; I Adam> suspect that that's because it already empties its Adam> environment. Good defensive code that. But uneffective against this attack. A program doesn't get a chance to empty its environment before ld.so examines it and loads the defective library. Adam> Adam Adam> -- "It is seldom that liberty of any kind is lost all at Adam> once." -Hume
Current thread:
- Re: a point is being missed, (continued)
- Re: a point is being missed Scott Barman (Nov 03)
- Re: a point is being missed John Stewart (Nov 03)
- Re: a point is being missed Douglas Siebert (Nov 03)
- Re: a point is being missed Richard Todd (Nov 04)
- Re: a point is being missed Casper Dik (Nov 04)
- Re: Telnet attack on SGI Edwin Kremer (Nov 09)
- Re: Telnet attack on SGI Edwin Kremer (Nov 10)
- Re: Telnet attack on SGI Sam Hartman (Nov 01)
- Re: Telnet attack on SGI Casper Dik (Nov 06)
- Re: Telnet attack on SGI Adrian (Nov 03)
- Re: Telnet attack on SGI Sam Hartman (Nov 03)
- Re: Telnet attack on SGI Michael/Miguel Sanchez (Nov 09)
- Re: Telnet attack on SGI Michael/Miguel Sanchez (Nov 10)