Date:      Sun, 15 Oct 2000 16:56:12 -0700
From:      Kris Kennaway <kris@citusc.usc.edu>
To:        audit@freebsd.org
Subject:   telnetd patch
Message-ID:  <20001015165612.A17989@citusc17.usc.edu>

Please review..

I think I caught all of the environment variables which the telnet
binary listens to.. LOCALDOMAIN and RES_OPTIONS are potential problems,
but I don't really know what the impact of those are. LOCALDOMAIN
seems to allow you to override what the default domain the resolver
uses is, which may or may not be an issue for telnetd. Could someone
check?

Actually, I'm not sure if some of the locale variables should also be
filtered out too..

It makes me uncomfortable only filtering out some environment
variables and not filtering them all out and explicitly allowing some
back in, but that would probably break too many things. Hopefully we
don't screw ourselves later when another privileged environment
variable is added to libc.

Also fixed a couple of obvious buffer problems, don't think these are
remotely exploitable. There are lots of other ones which need to be
audited, but they don't seem to be playing with user input so they're
probably okay (assuming there's a limit to the number of telnet options
you can have turned on)

Kris

Index: sys_term.c
===================================================================
RCS file: /usr/home/ncvs/src/libexec/telnetd/sys_term.c,v
retrieving revision 1.24
diff -u -r1.24 sys_term.c
--- sys_term.c	1999/08/28 00:10:24	1.24
+++ sys_term.c	2000/10/15 23:43:55
@@ -1799,6 +1799,13 @@
 		    strncmp(*cpp, "_RLD_", 5) &&
 		    strncmp(*cpp, "LIBPATH=", 8) &&
 #endif
+		    strncmp(*cpp, "LOCALDOMAIN=", 12) &&
+		    strncmp(*cpp, "RES_OPTIONS=", 12) &&
+		    strncmp(*cpp, "TERMINFO=", 9) &&
+		    strncmp(*cpp, "TERMINFO_DIRS=", 14) &&
+		    strncmp(*cpp, "TERMPATH=", 9) &&
+		    strncmp(*cpp, "TERMCAP=/", 9) &&
+		    strncmp(*cpp, "ENV=", 4) &&
 		    strncmp(*cpp, "IFS=", 4))
 			*cpp2++ = *cpp;
 	}
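Review bot: The "TERMCAP=/" test is the only added entry that matches on part of the value, so a TERMCAP carrying an inline entry is kept while one naming a path is dropped; that distinction needs a comment next to the line, otherwise a later reader is likely to "correct" it to "TERMCAP=". The hand-counted lengths (12, 12, 9, 14, 9, 9, 4) all match their strings as written, but every new entry is another chance for a miscount, so consider a table of prefixes compared with strlen(prefix) or sizeof(prefix) - 1 instead of literal numbers.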
Index: telnetd.c
===================================================================
RCS file: /usr/home/ncvs/src/libexec/telnetd/telnetd.c,v
retrieving revision 1.22
diff -u -r1.22 telnetd.c
--- telnetd.c	2000/01/25 14:52:00	1.22
+++ telnetd.c	2000/10/15 23:23:29
@@ -811,7 +811,7 @@
 			fatal(net, "Out of ptys");
 
 		if ((pty = open(lp, 2)) >= 0) {
-			strcpy(line,lp);
+			strlcpy(line,lp,sizeof(line));
 			line[5] = 't';
 			break;
 		}
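Review bot: sizeof(line) in the new strlcpy() call is the buffer size only if line is declared as an array visible in this file; the declaration is not in the hunk, and if line is a pointer the copy is capped at the size of a pointer. Please confirm the declaration. The return value is also ignored, so a truncated lp carries straight on to line[5] = 't'; treating strlcpy(line, lp, sizeof(line)) >= sizeof(line) as a failure would be safer than continuing with a shortened name.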
@@ -1115,7 +1115,7 @@
 		IM = Getstr("im", &cp);
 		IF = Getstr("if", &cp);
 		if (HN && *HN)
-			(void) strcpy(host_name, HN);
+			(void) strlcpy(host_name, HN, sizeof(host_name));
 		if (IF && (if_fd = open(IF, O_RDONLY, 000)) != -1)
 			IM = 0;
 		if (IM == 0)
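Review bot: The (void) cast on strlcpy(host_name, HN, sizeof(host_name)) discards the only signal that HN did not fit, so an over-long value ends up in host_name silently shortened. Decide whether a truncated host name is acceptable here or whether the assignment should be skipped when the return value is >= sizeof(host_name). As with the previous hunk, sizeof(host_name) is right only if host_name is an array in scope, which the hunk does not show.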
Index: utility.c
===================================================================
RCS file: /usr/home/ncvs/src/libexec/telnetd/utility.c,v
retrieving revision 1.13
diff -u -r1.13 utility.c
--- utility.c	1999/08/28 00:10:25	1.13
+++ utility.c	2000/10/15 23:36:35
@@ -330,7 +330,7 @@
 {
 	char buf[BUFSIZ];
 
-	(void) sprintf(buf, "telnetd: %s.\r\n", msg);
+	(void) snprintf(buf, sizeof(buf), "telnetd: %s.\r\n", msg);
 	(void) write(f, buf, (int)strlen(buf));
 	sleep(1);	/*XXX*/
 	exit(1);
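Review bot: When msg is long enough to reach the sizeof(buf) limit, snprintf() cuts off the trailing ".\r\n", so the client receives an unterminated line. A precision on the %s that leaves room for the "telnetd: " prefix and the ".\r\n" suffix would keep the line ending intact. The write() that follows is fine with strlen(buf) because snprintf() always NUL-terminates.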
@@ -343,7 +343,7 @@
 {
 	char buf[BUFSIZ], *strerror();
 
-	(void) sprintf(buf, "%s: %s", msg, strerror(errno));
+	(void) snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno));
 	fatal(f, buf);
 }
 
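Review bot: The context line char buf[BUFSIZ], *strerror(); still carries an old-style local declaration of strerror(); since this function is being touched anyway, drop it and rely on <string.h>. Note also that buf here is BUFSIZ bytes, the same size as the buffer in fatal(), which then adds its own "telnetd: " prefix and ".\r\n" suffix, so a message that fills this buffer is truncated a second time there. That is harmless now that both calls are bounded, but a smaller bound here would keep the tail of the strerror() text.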



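The concern in the message about filtering only some variables rather than allowing a known set back in, shown as an added example that is not part of the original post or of the FreeBSD source. The deny prefixes are the ones visible in the sys_term.c hunk; the allowlist contents, the variable NEW_LIBC_KNOB and the function names survives, scrub_env and demo are hypothetical and chosen only for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Prefixes copied from the filter in the patch above (denylist). */
static const char *const deny[] = { "LOCALDOMAIN=", "RES_OPTIONS=",
    "TERMINFO=", "TERMINFO_DIRS=", "TERMPATH=", "TERMCAP=/", "ENV=",
    "IFS=", NULL };
/* Hypothetical allowlist, chosen only for this illustration. */
static const char *const allow[] = { "TERM", "DISPLAY", "USER", NULL };

/* Return 1 if the "NAME=value" entry passes the chosen policy. */
int survives(const char *e, int use_allowlist) {
    const char *eq = strchr(e, '=');
    size_t i, n;
    if (!use_allowlist) {
        for (i = 0; deny[i] != NULL; i++)
            if (strncmp(e, deny[i], strlen(deny[i])) == 0)
                return 0;
        return 1;               /* anything not listed gets through */
    }
    if (eq == NULL || eq == e)
        return 0;               /* malformed entry: drop it */
    n = (size_t)(eq - e);
    for (i = 0; allow[i] != NULL; i++)
        if (strlen(allow[i]) == n && strncmp(e, allow[i], n) == 0)
            return 1;
    return 0;                   /* unknown name: drop it */
}

/* Compact envp in place, like the cpp/cpp2 loop; returns entries kept. */
size_t scrub_env(char **envp, int use_allowlist) {
    char **in, **out = envp;
    for (in = envp; *in != NULL; in++)
        if (survives(*in, use_allowlist))
            *out++ = *in;
    *out = NULL;
    return (size_t)(out - envp);
}

/* Constructed sample; NEW_LIBC_KNOB stands in for a future libc variable. */
size_t demo(int use_allowlist) {
    char *env[] = { "TERM=vt100", "RES_OPTIONS=ndots:0", "TERMCAP=/tmp/x",
        "NEW_LIBC_KNOB=1", "USER=demo", NULL };
    return scrub_env(env, use_allowlist);
}

int main(void) {
    printf("denylist keeps %zu, allowlist keeps %zu\n", demo(0), demo(1));
    return 0;
}
```

With the constructed sample, the denylist lets NEW_LIBC_KNOB through because nobody listed it, while the allowlist drops it by default.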