Bugtraq mailing list archives
Re: ADV/EXP: netkit <=0.17 in.telnetd remote buffer overflow
From: psz () maths usyd edu au (Paul Szabo)
Date: Fri, 10 Aug 2001 07:37:42 +1000 (EST)
zen-parse () gmx net wrote:
> If the user has local access to the system, it is possible to get the program to set arbitrary environment variables in the environment of /bin/login. e.g. LD_PRELOAD=/tmp/make-rootshell.so
To protect against this (and possible bad environment processing within telnetd itself), create some otherwise unused group and make /bin/login setgid to that:

    # chown root._login_ /bin/login
    # chmod 6711 /bin/login
    # ls -l /bin/login
    -rws--s--x 1 root _login_ 24752 Aug 25 2000 /bin/login

(Since telnetd runs as root, login has getuid==geteuid so the OS may follow LD_PRELOAD and similar variables. Using this login has getgid!=getegid and the OS should disallow such trickery.)

Paul Szabo - psz () maths usyd edu au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
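Added example, not part of the original message or of netkit: a simplified C model of the ID comparison the mitigation above relies on, showing why a setuid-root login started by root keeps LD_PRELOAD while the setgid variant does not. The gid 990 for _login_ and all function names are assumptions; nosuid mounts, file capabilities and LSM policy are ignored.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Real and effective IDs of a process. */
struct creds { uid_t ruid, euid; gid_t rgid, egid; };

/* Simplified exec() model: setuid/setgid bits replace the effective IDs
 * with the file's owner/group; the real IDs are inherited unchanged. */
static struct creds creds_after_exec(struct creds c, mode_t mode,
                                     uid_t owner, gid_t group)
{
    if (mode & S_ISUID) c.euid = owner;
    if (mode & S_ISGID) c.egid = group;
    return c;
}

/* Secure-execution condition: the dynamic loader ignores or restricts
 * LD_PRELOAD and similar variables when real and effective IDs differ. */
static int secure_exec(struct creds c)
{
    return c.ruid != c.euid || c.rgid != c.egid;
}

/* Returns 1 if a login binary with this mode/owner/group would run in
 * secure-execution mode when started by `caller`, else 0. */
int login_ignores_preload(struct creds caller, mode_t mode,
                          uid_t owner, gid_t group)
{
    return secure_exec(creds_after_exec(caller, mode, owner, group));
}

int main(void)
{
    struct creds telnetd = {0, 0, 0, 0};  /* telnetd runs as root */
    gid_t login_gid = 990;                /* constructed gid for _login_ */

    printf("4711 root:root     -> %d\n",
           login_ignores_preload(telnetd, 04711, 0, 0));
    printf("6711 root:_login_  -> %d\n",
           login_ignores_preload(telnetd, 06711, 0, login_gid));
    printf("6711 root:root     -> %d\n",
           login_ignores_preload(telnetd, 06711, 0, 0));
    return 0;
}
```

The last case shows why the group has to be one root's process is not already running as: setgid to gid 0 leaves getgid==getegid for a root caller.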