Date: Sun, 15 Oct 2000 16:56:12 -0700
From: Kris Kennaway <kris@citusc.usc.edu>
To: audit@freebsd.org
Subject: telnetd patch
Message-ID: <20001015165612.A17989@citusc17.usc.edu>

Please review.. I think I caught all of the environment variables which the telnet binary listens to.. LOCALDOMAIN and RES_OPTIONS are potential problems, but I don't really know what the impact of those is. LOCALDOMAIN seems to allow you to override what the default domain the resolver uses is, which may or may not be an issue for telnetd. Could someone check?

Actually, I'm not sure if some of the locale variables should also be filtered out too.. It makes me uncomfortable only filtering out some environment variables and not filtering them all out and explicitly allowing some back in, but that would probably break too many things. Hopefully we don't screw ourselves later when another privileged environment variable is added to libc.

Also fixed a couple of obvious buffer problems, don't think these are remotely exploitable. There are lots of other ones which need to be audited, but they don't seem to be playing with user input so they're probably okay (assuming there's a limit to the number of telnet options you can have turned on).

Kris

Index: sys_term.c =================================================================== RCS file: /usr/home/ncvs/src/libexec/telnetd/sys_term.c,v retrieving revision 1.24 diff -u -r1.24 sys_term.c --- sys_term.c 1999/08/28 00:10:24 1.24 +++ sys_term.c 2000/10/15 23:43:55 @@ -1799,6 +1799,13 @@ strncmp(*cpp, "_RLD_", 5) && strncmp(*cpp, "LIBPATH=", 8) && #endif + strncmp(*cpp, "LOCALDOMAIN=", 12) && + strncmp(*cpp, "RES_OPTIONS=", 12) && + strncmp(*cpp, "TERMINFO=", 9) && + strncmp(*cpp, "TERMINFO_DIRS=", 14) && + strncmp(*cpp, "TERMPATH=", 9) && + strncmp(*cpp, "TERMCAP=/", 9) && + strncmp(*cpp, "ENV=", 4) && strncmp(*cpp, "IFS=", 4)) *cpp2++ = *cpp; } Index: telnetd.c =================================================================== RCS file: /usr/home/ncvs/src/libexec/telnetd/telnetd.c,v retrieving revision 1.22 diff -u -r1.22 telnetd.c --- telnetd.c 2000/01/25 14:52:00 1.22 +++ telnetd.c 2000/10/15 23:23:29 
@@ -811,7 +811,7 @@ fatal(net, "Out of ptys"); if ((pty = open(lp, 2)) >= 0) { - strcpy(line,lp); + strlcpy(line,lp,sizeof(line)); line[5] = 't'; break; } @@ -1115,7 +1115,7 @@ IM = Getstr("im", &cp); IF = Getstr("if", &cp); if (HN && *HN) - (void) strcpy(host_name, HN); + (void) strlcpy(host_name, HN, sizeof(host_name)); if (IF && (if_fd = open(IF, O_RDONLY, 000)) != -1) IM = 0; if (IM == 0) Index: utility.c =================================================================== RCS file: /usr/home/ncvs/src/libexec/telnetd/utility.c,v retrieving revision 1.13 diff -u -r1.13 utility.c --- utility.c 1999/08/28 00:10:25 1.13 +++ utility.c 2000/10/15 23:36:35 @@ -330,7 +330,7 @@ { char buf[BUFSIZ]; - (void) sprintf(buf, "telnetd: %s.\r\n", msg); + (void) snprintf(buf, sizeof(buf), "telnetd: %s.\r\n", msg); (void) write(f, buf, (int)strlen(buf)); sleep(1); /*XXX*/ exit(1); @@ -343,7 +343,7 @@ { char buf[BUFSIZ], *strerror(); - (void) sprintf(buf, "%s: %s", msg, strerror(errno)); + (void) snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno)); fatal(f, buf); } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
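
Review bot: in the sys_term.c hunk at @@ -1799, the new "TERMCAP=/" test matches on the start of the value rather than on the variable name like the other six additions, and nothing in the hunk says why. A short comment above that line, stating that only path-valued TERMCAP settings are dropped and other values pass through, would keep a later editor from changing it to "TERMCAP=" by mistake. The hand-counted lengths (12, 12, 9, 14, 9, 9, 4) all match their literals; deriving them with sizeof("...") - 1 would keep them from drifting when the list grows again.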
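
Review bot: in the telnetd.c hunk at @@ -811, strlcpy(line,lp,sizeof(line)) bounds the copy correctly only if line is declared as a char array; its declaration is not in the hunk, and if it is a char * then sizeof(line) is the size of a pointer and the copy is cut to a few bytes. Please confirm the declaration or pass the buffer's real size explicitly. The next line, line[5] = 't', also assumes the copied name is at least six characters long, which a truncating copy does not guarantee.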
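
Review bot: in the telnetd.c hunk at @@ -1115, the return value of strlcpy(host_name, HN, sizeof(host_name)) is cast to void, so an over-long HN value is silently truncated and the shortened name is used as if it were the configured one. Comparing the return value against sizeof(host_name), and logging or skipping the override when it is greater than or equal to that size, would make the truncation visible. As with the @@ -811 hunk, this relies on host_name being an array, which the hunk does not show.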
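
Review bot: in the utility.c hunk at @@ -330 (fatal), snprintf into buf[BUFSIZ] now truncates a long msg, and the first thing lost is the trailing ".\r\n", so the peer can receive an unterminated line right before exit(1). If that matters, bound the %s with a precision that leaves room for the "telnetd: " prefix and the suffix so the terminator always fits.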
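
Review bot: in the utility.c hunk at @@ -343 (fatalperror), the context line still carries the old-style local declaration *strerror() next to buf; including <string.h> and dropping that declaration gives the compiler the real prototype. Note also that this BUFSIZ buffer is passed on to fatal(), which adds its own prefix and suffix into a second BUFSIZ buffer, so a message near the limit is truncated again there; a comment saying the double truncation is intended would help the next auditor.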
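
The alternative the message raises (filter everything out and explicitly allow some variables back in), set beside the deny-prefix style of the sys_term.c hunk, as an added example that is not part of the original message or the FreeBSD source. The allowed names, the sample environment and the variable FUTURE_LIBC_KNOB are assumptions made up for illustration.

```c
#include <stdio.h>
#include <string.h>

static const char *const allowed[] = { "TERM", "DISPLAY", "USER", NULL }; /* assumed allowlist */
static const char *const denied[] = { "_RLD_", "LIBPATH=", "ENV=", "IFS=", NULL }; /* subset of the patch's prefixes */

/* Keep only "NAME=value" entries whose NAME exactly equals an allowed name. */
static int env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t n = eq ? (size_t)(eq - entry) : 0;
    int i;
    if (n == 0)
        return 0;   /* no '=' or empty name */
    for (i = 0; allowed[i] != NULL; i++)
        if (strlen(allowed[i]) == n && strncmp(entry, allowed[i], n) == 0)
            return 1;
    return 0;
}

/* Keep everything that does not start with a denied prefix. */
static int env_not_denied(const char *entry)
{
    int i;
    for (i = 0; denied[i] != NULL; i++)
        if (strncmp(entry, denied[i], strlen(denied[i])) == 0)
            return 0;
    return 1;
}

/* Compact a NULL-terminated envp in place; returns the number of entries kept. */
static int scrub_env(char **envp, int (*keep)(const char *))
{
    char **src, **dst;
    for (src = dst = envp; *src != NULL; src++)
        if (keep(*src))
            *dst++ = *src;
    *dst = NULL;
    return (int)(dst - envp);
}

int main(void)
{
    /* Constructed sample environment; FUTURE_LIBC_KNOB stands for a variable added to libc later. */
    char *a[] = { "TERM=vt100", "ENV=/x", "FUTURE_LIBC_KNOB=1", "TERMINAL=y", NULL };
    char *b[] = { "TERM=vt100", "ENV=/x", "FUTURE_LIBC_KNOB=1", "TERMINAL=y", NULL };
    printf("denylist keeps %d, allowlist keeps %d\n", scrub_env(a, env_not_denied), scrub_env(b, env_allowed));
    return 0;
}
```

The deny-prefix filter passes the unknown variable through, while the allowlist drops it along with TERMINAL, which only shares a prefix with an allowed name.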