
Bug#4190: moderate security hole in telnetd



Package: netstd
Version: 2.06-1

A bug currently making the rounds on the bugtraq mailing list:

The resolver library appears to allow the environment variable
RESOLV_HOST_CONF to be used to specify a pathname for an alternate
host.conf.  It also has the unfortunate behavior of printing the text
of any parse errors in the host.conf library to standard output (bad
karma for a system library, if you ask me).  This allows outsiders to
get the contents of any file over the network:

$ telnet 
telnet> env define RESOLV_HOST_CONF /etc/passwd
telnet> open localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Debian Linux 1.1
Copyright (C) 1993-1996 Debian Association, Inc. and others
resolv+: "root:M87U9DfM9eek:0:0:root:/root:/bin/bash" is an invalid keyword
resolv+: "daemon:*:1:1:daemon:/usr/sbin:/bin/sh" is an invalid keyword
resolv+: "bin:*:2:2:bin:/bin:/bin/sh" is an invalid keyword
resolv+: "sys:*:3:3:sys:/dev:/bin/sh" is an invalid keyword
[...]

A quick workaround is to change envvarok() in telnetd/state.c as
appended.  My guess is that only telnetd needs to be changed for now,
as neither rlogin nor rsh (if I remember correctly) allow the client
to pass in environment variables.  All the programs should probably be
checked, though.

static int
envvarok(varp,valp)
	char *varp, *valp;
{
	if (strncmp(varp, "LD_", strlen("LD_")) &&
		strncmp(varp, "ELF_LD_", strlen("ELF_LD_")) &&
		strncmp(varp, "AOUT_LD_", strlen("AOUT_LD_")) &&
		strncmp(varp, "_RLD_", strlen("_RLD_")) &&
		!strchr(varp, '=') &&
		strcmp(varp, "LIBPATH") &&
		strcmp(varp, "ENV") &&
		strcmp(varp, "IFS")) {
		return 1;
	} else {
...

to:

static int
envvarok(varp,valp)
	char *varp, *valp;
{
	if (strncmp(varp, "LD_", strlen("LD_")) &&
		strncmp(varp, "ELF_LD_", strlen("ELF_LD_")) &&
		strncmp(varp, "AOUT_LD_", strlen("AOUT_LD_")) &&
		strncmp(varp, "_RLD_", strlen("_RLD_")) &&
		!strchr(varp, '=') &&
		strcmp(varp, "LIBPATH") &&
		strcmp(varp, "ENV") &&
		strcmp(varp, "RESOLV_HOST_CONF") &&
		strcmp(varp, "HOSTALIASES") &&
		strcmp(varp, "LOCALDOMAIN") &&
		strcmp(varp, "RES_OPTIONS") &&
		strcmp(varp, "IFS")) {
		return 1;
	} else {
...
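
The following is an added example, not part of the original message and not the netstd source: a self-contained, table-driven form of the patched name check, run over a constructed list of variable names. The names envvar_name_ok, count_refused and sample_names are hypothetical, and refusing NULL or empty names is an assumption added here.

```c
#include <stdio.h>
#include <string.h>

/* Prefixes and exact names refused by the patched check in the message. */
static const char *const denied_prefixes[] = { "LD_", "ELF_LD_", "AOUT_LD_", "_RLD_", NULL };
static const char *const denied_names[] = {
    "LIBPATH", "ENV", "IFS",
    "RESOLV_HOST_CONF", "HOSTALIASES", "LOCALDOMAIN", "RES_OPTIONS", NULL
};

/* Return 1 if a client-supplied variable name may be exported, else 0.
 * Refusing NULL and empty names is an added guard, not in the original. */
int envvar_name_ok(const char *name)
{
    size_t i;
    if (name == NULL || *name == '\0' || strchr(name, '=') != NULL)
        return 0;
    for (i = 0; denied_prefixes[i] != NULL; i++)
        if (strncmp(name, denied_prefixes[i], strlen(denied_prefixes[i])) == 0)
            return 0;
    for (i = 0; denied_names[i] != NULL; i++)
        if (strcmp(name, denied_names[i]) == 0)
            return 0;
    return 1;
}

/* Count the names in a NULL-terminated list that the filter refuses. */
size_t count_refused(const char *const *names)
{
    size_t refused = 0;
    for (; *names != NULL; names++)
        if (!envvar_name_ok(*names))
            refused++;
    return refused;
}

/* Constructed sample of names a client might send; not from the message. */
static const char *const sample_names[] = {
    "TERM", "DISPLAY", "USER", "RESOLV_HOST_CONF", "HOSTALIASES",
    "LOCALDOMAIN", "RES_OPTIONS", "LD_PRELOAD", "_RLD_LIST", "FOO=BAR", NULL
};

int main(void)
{
    const char *const *p;
    for (p = sample_names; *p != NULL; p++)
        printf("%-18s %s\n", *p, envvar_name_ok(*p) ? "accept" : "refuse");
    printf("refused: %lu\n", (unsigned long)count_refused(sample_names));
    return 0;
}
```

Keeping the refused names in tables means a newly reported resolver variable is a one-line addition, and the sample list doubles as a regression check.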


