Date: Sun, 15 Oct 2000 21:11:34 -0500 From: Will Andrews <will@physics.purdue.edu> To: Kris Kennaway <kris@citusc.usc.edu> Cc: audit@FreeBSD.ORG Subject: Re: telnetd patch Message-ID: <20001015211134.Y95891@puck.firepipe.net> In-Reply-To: <20001015165612.A17989@citusc17.usc.edu>; from kris@citusc.usc.edu on Sun, Oct 15, 2000 at 04:56:12PM -0700 References: <20001015165612.A17989@citusc17.usc.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Oct 15, 2000 at 04:56:12PM -0700, Kris Kennaway wrote: > Please review.. Looks good to me. > I think I caught all of the environment variables which the telnet > binary listens to..LOCALDOMAIN and RES_OPTIONS are potential problems, > but I don't really know what the impact of those are. LOCALDOMAIN > seems to allow you to override what the default domain the resolver > uses is, which may or may not be an issue for telnetd. Could someone > check? Since telnet doesn't care about the name of the remote host (unlike ssh, where this could be exploited to allow "spoofed" hosts to use root via ssh key with a particular configuration), it probably doesn't matter. > It makes me uncomfortable only filtering out some environment > variables and not filtering them all out and explicitly allowing some > back in, but that would probably break too many things. Hopefully we > don't screw ourselves later when another privileged environment > variable is added to libc. Well, I'm not sure what you mean by "privileged environment variables". But there could be a standard "allowed environment variables" in libc that could be used to determine which privileged ones can be used by an app like telnet, and then allowing others it should use. > Also fixed a couple of obvious buffer problems, dont think these are > remotely exploitable. There are lots of other ones which need to be > audited, but they dont seem to be playing with user input so they're > probably okay (assuming theres a limit to the number of telnet options > you can have turned on) I hope getopt() DTRT, since that's where it gets options from. -- Will Andrews <will@physics.purdue.edu> - Physics Computer Network wench The Universal Answer to All Problems - "It has something to do with physics." -- Comic on door of Room 240, Physics Building, Purdue University http://puck.firepipe.net/will/rm240.jpg To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001015211134.Y95891>