Package: netstd
Version: 2.06-1

A bug currently making the rounds on the bugtraq mailing list:
The resolver library appears to allow the environment variable RESOLV_HOST_CONF to be used to specify a pathname for an alternate host.conf. It also has the unfortunate behavior of printing the text of any host.conf parse errors to standard output (bad karma for a system library, if you ask me). Since telnetd passes client-supplied environment variables through to the login, this allows outsiders to get the contents of any file over the network:

    $ telnet
    telnet> env define RESOLV_HOST_CONF /etc/passwd
    telnet> open localhost
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.

    Debian Linux 1.1
    Copyright (C) 1993-1996 Debian Association, Inc. and others

    resolv+: "root:M87U9DfM9eek:0:0:root:/root:/bin/bash" is an invalid keyword
    resolv+: "daemon:*:1:1:daemon:/usr/sbin:/bin/sh" is an invalid keyword
    resolv+: "bin:*:2:2:bin:/bin:/bin/sh" is an invalid keyword
    resolv+: "sys:*:3:3:sys:/dev:/bin/sh" is an invalid keyword
    [...]

A quick workaround is to change envvarok() in telnetd/state.c as appended. My guess is that only telnetd needs to be changed for now, as neither rlogin nor rsh (if I remember correctly) allow the client to pass in environment variables. All the programs should probably be checked, though.

    static int
    envvarok(varp, valp)
    	char *varp, *valp;
    {
    	if (strncmp(varp, "LD_", strlen("LD_")) &&
    	    strncmp(varp, "ELF_LD_", strlen("ELF_LD_")) &&
    	    strncmp(varp, "AOUT_LD_", strlen("AOUT_LD_")) &&
    	    strncmp(varp, "_RLD_", strlen("_RLD_")) &&
    	    !strchr(varp, '=') &&
    	    strcmp(varp, "LIBPATH") &&
    	    strcmp(varp, "ENV") &&
    	    strcmp(varp, "IFS")) {
    		return 1;
    	} else {
    		...

to:

    static int
    envvarok(varp, valp)
    	char *varp, *valp;
    {
    	if (strncmp(varp, "LD_", strlen("LD_")) &&
    	    strncmp(varp, "ELF_LD_", strlen("ELF_LD_")) &&
    	    strncmp(varp, "AOUT_LD_", strlen("AOUT_LD_")) &&
    	    strncmp(varp, "_RLD_", strlen("_RLD_")) &&
    	    !strchr(varp, '=') &&
    	    strcmp(varp, "LIBPATH") &&
    	    strcmp(varp, "ENV") &&
    	    strcmp(varp, "RESOLV_HOST_CONF") &&
    	    strcmp(varp, "HOSTALIASES") &&
    	    strcmp(varp, "LOCALDOMAIN") &&
    	    strcmp(varp, "RES_OPTIONS") &&
    	    strcmp(varp, "IFS")) {
    		return 1;
    	} else {
    		...
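Added example, not part of this report or of the netstd source: a table-driven C version of the patched envvarok() rule above, complete enough to compile and exercise, so the prefix and exact-name deny lists can be checked against client-supplied variable names. The value argument is ignored exactly as in the original; rejecting an empty name is an addition of this example.

```c
#include <stdio.h>
#include <string.h>

/* Variable-name prefixes a remote telnet client may never export
 * (dynamic-loader controls), taken from the telnetd check above. */
static const char *const denied_prefixes[] = {
    "LD_", "ELF_LD_", "AOUT_LD_", "_RLD_", NULL
};

/* Exact names that are denied: the original list plus the resolver
 * variables added by the proposed patch. */
static const char *const denied_names[] = {
    "LIBPATH", "ENV", "IFS",
    "RESOLV_HOST_CONF", "HOSTALIASES", "LOCALDOMAIN", "RES_OPTIONS",
    NULL
};

/* Return 1 if a client-supplied variable may reach the login environment,
 * 0 if it must be dropped. valp is unused, as in the original telnetd code. */
int envvarok(const char *varp, const char *valp)
{
    const char *const *p;

    (void)valp;

    /* Empty-name rejection is added here; '=' in a name is rejected as in
     * the original, since it would let a client smuggle a second variable. */
    if (varp == NULL || *varp == '\0' || strchr(varp, '=') != NULL)
        return 0;

    for (p = denied_prefixes; *p != NULL; p++)
        if (strncmp(varp, *p, strlen(*p)) == 0)
            return 0;

    for (p = denied_names; *p != NULL; p++)
        if (strcmp(varp, *p) == 0)
            return 0;

    return 1;
}

int main(void)
{
    /* Constructed sample names: two ordinary ones, two that must be dropped. */
    const char *samples[] = { "TERM", "HOME", "RESOLV_HOST_CONF", "LD_PRELOAD" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s %s\n", samples[i],
               envvarok(samples[i], "x") ? "allowed" : "rejected");
    return 0;
}
```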