Date:      Wed, 13 Mar 1996 03:22:02 -0800 (PST)
From:      Nathan Lawson <nlawson@kdat.csc.calpoly.edu>
To:        coredump@nervosa.com (invalid opcode)
Cc:        security@freebsd.org
Subject:   Re: CA-95:14
Message-ID:  <199603131122.DAA10184@kdat.calpoly.edu>
In-Reply-To: <Pine.BSF.3.91.960313004341.25236A-100000@nervosa.com> from "invalid opcode" at Mar 13, 96 00:44:16 am

> On Tue, 12 Mar 1996, Tom Samplonius wrote:
> 
> >   Read more carefully.  The specified problem is in telnetd, not telnet.  
> >   I can't speak for 2.1R, but the problem is not in -stable or -current.
> > Tom
> 
> Sorry, my mistake. It appears that it is still present in -release, but 
> I've tried to exploit it here and no luck.
> 

It's easy to exploit.  Create your own shared library (man ld if you don't 
know how).  Pass in an LD_LIBRARY_PATH variable via the telnet environ command.
Login will use your library instead of the /usr/lib ones.

As for doing a strings on telnet and grepping for LD, that is an utter 
misunderstanding of the problem.  The problem isn't in telnet, strings wouldn't
show it, and it has nothing to do with LD variables specifically.  You can 
pass ANY environmental variable to login, which is the real problem.

-- 
Nate Lawson  \Yeah, I was dreaming through the 'howzlife', yawning, car black, 
CS-EE double  \when she told me 'mad and meaningless as ever...' and a song 
major,          \came on the radio like a cemetery rhyme for a million crying 
unaccredited     \corpses in their tragedy of respectable existence.  - BR
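The real problem named above is that the server forwards whatever environment the remote client sends into the login process. The fix on the server side is to build login's environment from an allow-list rather than trying to enumerate dangerous names. The C below is an added example illustrating that defence; it is not FreeBSD's telnetd code or anything from this thread. The allow-list contents, the function names and the sample client-supplied environment are assumptions constructed for the example.

```c
/* Added example (not from the original mail or from FreeBSD's telnetd):
 * build the environment handed to login from an allow-list, so a remote
 * client can only set the variables the server chooses to accept.
 * The allow-list, names and sample input below are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Variables a telnet client may legitimately set (assumed list). */
static const char *const allowed_env[] = { "TERM", "DISPLAY", "LANG", NULL };

/* Return 1 if the NAME=VALUE entry is well-formed and NAME is on the
 * allow-list; anything else (including LD_* loader variables) returns 0. */
int env_entry_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;                       /* no '=' or empty name */
    size_t namelen = (size_t)(eq - entry);
    for (const char *const *p = allowed_env; *p != NULL; p++) {
        if (strlen(*p) == namelen && strncmp(*p, entry, namelen) == 0)
            return 1;                   /* exact name match, not a prefix */
    }
    return 0;
}

/* Copy allowed entries from src (NULL-terminated) into dst, which has room
 * for cap pointers including the terminating NULL.  Returns entries kept. */
size_t filter_environment(const char *const *src, const char **dst, size_t cap) {
    size_t n = 0;
    for (; *src != NULL && n + 1 < cap; src++) {
        if (env_entry_allowed(*src))
            dst[n++] = *src;
    }
    dst[n] = NULL;
    return n;
}

/* Constructed sample of what a client might send via the environ option. */
static const char *const sample_client_env[] = {
    "TERM=vt100",
    "LD_LIBRARY_PATH=/tmp/untrusted",   /* constructed value, must be dropped */
    "TERMX=1",                          /* prefix of an allowed name, dropped */
    "=novalue",                         /* malformed, dropped */
    "LANG=C",
    NULL
};

/* Run the filter over the constructed sample; returns how many survive. */
size_t sample_kept_count(void) {
    const char *kept[16];
    return filter_environment(sample_client_env, kept, 16);
}

int main(void) {
    const char *kept[16];
    size_t n = filter_environment(sample_client_env, kept, 16);
    printf("kept %zu of 5 client-supplied entries:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", kept[i]);
    return 0;
}
```

The check compares the full variable name, not a prefix, so a client cannot smuggle `TERMX` through a rule meant for `TERM`; and because it is an allow-list, names nobody thought to block (which is the point made in the mail) are rejected by default.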