From owner-freebsd-audit Sun Oct 15 19:10:32 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from puck.firepipe.net (mcut-b-167.resnet.purdue.edu [128.211.209.167]) by hub.freebsd.org (Postfix) with ESMTP id B623A37B502 for ; Sun, 15 Oct 2000 19:10:30 -0700 (PDT)
Received: by puck.firepipe.net (Postfix, from userid 1000) id CD9DD1957; Sun, 15 Oct 2000 21:11:34 -0500 (EST)
Date: Sun, 15 Oct 2000 21:11:34 -0500
From: Will Andrews
To: Kris Kennaway
Cc: audit@FreeBSD.ORG
Subject: Re: telnetd patch
Message-ID: <20001015211134.Y95891@puck.firepipe.net>
Reply-To: Will Andrews
Mail-Followup-To: Will Andrews , Kris Kennaway , audit@FreeBSD.ORG
References: <20001015165612.A17989@citusc17.usc.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001015165612.A17989@citusc17.usc.edu>; from kris@citusc.usc.edu on Sun, Oct 15, 2000 at 04:56:12PM -0700
X-Operating-System: FreeBSD 4.1-STABLE i386
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Oct 15, 2000 at 04:56:12PM -0700, Kris Kennaway wrote:
> Please review..

Looks good to me.

> I think I caught all of the environment variables which the telnet
> binary listens to. LOCALDOMAIN and RES_OPTIONS are potential problems,
> but I don't really know what the impact of those is. LOCALDOMAIN
> seems to allow you to override what the default domain the resolver
> uses is, which may or may not be an issue for telnetd. Could someone
> check?

Since telnet doesn't care about the name of the remote host (unlike ssh,
where this could be exploited to allow "spoofed" hosts to use root via
ssh key with a particular configuration), it probably doesn't matter.

> It makes me uncomfortable only filtering out some environment
> variables and not filtering them all out and explicitly allowing some
> back in, but that would probably break too many things. Hopefully we
> don't screw ourselves later when another privileged environment
> variable is added to libc.

Well, I'm not sure what you mean by "privileged environment variables".
But there could be a standard "allowed environment variables" in libc
that could be used to determine which privileged ones can be used by an
app like telnet, and then allowing others it should use.

> Also fixed a couple of obvious buffer problems, don't think these are
> remotely exploitable. There are lots of other ones which need to be
> audited, but they don't seem to be playing with user input so they're
> probably okay (assuming there's a limit to the number of telnet options
> you can have turned on)

I hope getopt() DTRT, since that's where it gets options from.

-- 
Will Andrews - Physics Computer Network wench
The Universal Answer to All Problems - "It has something to do with physics."
 -- Comic on door of Room 240, Physics Building, Purdue University
http://puck.firepipe.net/will/rm240.jpg
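The allow-list approach Kris describes (drop every environment variable, then explicitly let a few back in) is sketched below as an added example; this is not FreeBSD's telnetd code or any part of the patch under review, and the `allowed_names` list, the sample environment and the function names are constructed for the illustration.

```c
/* Added example, not FreeBSD's telnetd code: an allow-list environment
 * filter. Everything is dropped unless its NAME is explicitly listed, so
 * a privileged variable that libc starts honouring later is filtered by
 * default instead of slipping past a deny list that does not know it. */
#include <stddef.h>
#include <string.h>

/* Hypothetical allow list for a login daemon; chosen for the example. */
static const char *const allowed_names[] = { "TERM", "USER", "HOME", "PATH", NULL };

/* Return nonzero if "entry" (NAME=value) has a NAME on the allow list.
 * The whole name is compared, so "TERMCAP" is not let through just
 * because "TERM" is allowed. */
int env_allowed(const char *entry, const char *const *allow)
{
    const char *eq = strchr(entry, '=');
    size_t namelen = eq ? (size_t)(eq - entry) : strlen(entry);

    for (; *allow != NULL; allow++) {
        if (strlen(*allow) == namelen && strncmp(entry, *allow, namelen) == 0)
            return 1;
    }
    return 0;
}

/* Copy the allowed entries of the NULL-terminated "in" into "out", which
 * has room for outcap pointers including the terminating NULL. Returns
 * the number of entries kept, or -1 if "out" is too small. */
int filter_environ(char *const *in, const char *const *allow, char **out, size_t outcap)
{
    size_t n = 0;

    for (; *in != NULL; in++) {
        if (!env_allowed(*in, allow))
            continue;               /* LOCALDOMAIN, RES_OPTIONS, LD_* ... all end here */
        if (n + 1 >= outcap)
            return -1;              /* leave room for the NULL terminator */
        out[n++] = *in;
    }
    out[n] = NULL;
    return (int)n;
}

/* Constructed sample environment for a stand-alone run; only TERM and
 * PATH survive the filter. */
int demo(void)
{
    char *sample[] = { "TERM=xterm", "LOCALDOMAIN=example.test", "RES_OPTIONS=ndots:1",
                       "TERMCAP=x", "LD_PRELOAD=x", "PATH=/bin:/usr/bin", NULL };
    char *kept[8];

    return filter_environ(sample, allowed_names, kept, 8);   /* returns 2 */
}
```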