Bug#4190: moderate security hole in telnetd
You (Bernd Eckenfels) wrote:
> > A quick workaround is to change envarok() in telnetd/state.c as
> > appended. My guess is that only telnetd needs to be changed for now,
> > as neither rlogin nor rsh (if I remember correctly) allow the client
> > to pass in environment variables.
>
> Is this environment variable sourced for SUID/SGID programs, too? If yes,
Yep. If you have shadow, try this:
RESOLV_HOST_CONF=/etc/shadow ping localhost
> there can be situations where people can fake address/name mappings which would
> be otherwise trusted (because they are in /etc/hosts). Removing that feature
> sounds like the best solution....
That would be HOST_ALIASES, and that's on just about every BSD derived
system on the planet. (You can have fun with it though). That doesn't
look dangerous, btw; you can't change the reverse mappings.
This should be fixed in the library, I think. I see no real reason
for justifying these environment variables; nobody seemed to know they
were there in the first place (still, I think the telnet trick _was_
kind of neat).
Mike.
--
Miquel van | Cistron Internet Services -- Alphen aan den Rijn.
Smoorenburg, | mailto:info@cistron.nl http://www.cistron.nl/
miquels@het.net | Tel: +31-172-419445 (Voice) 430979 (Fax) 442580 (Data)
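The two fixes argued about in the message above, shown side by side as an added example (editor's illustration written for this page, not code from telnetd, libc, or the patch referred to in the bug report): a telnetd-side filter on client-supplied environment variables, and the library-side rule that a setuid/setgid program must not let the environment choose which file the resolver reads. The function names (envar_ok, resolv_host_conf_path, process_is_secure), the blocked-variable list and the default path /etc/host.conf are this example's own assumptions, not the real telnetd or libc entry points.

```c
/* Editor's illustrative example for Bug#4190; not the telnetd, libc or
 * Debian patch code discussed in the report.  All names and the list of
 * blocked variables below are assumptions made for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE), glibc >= 2.16 */
#endif

#define DEFAULT_HOST_CONF "/etc/host.conf"

/* Variables a remote telnet client must never be allowed to inject into the
 * login environment, because they change which files privileged programs
 * read or load.  Illustrative list (assumption), not any shipped telnetd's. */
static const char *const blocked_envars[] = {
    "RESOLV_HOST_CONF", "HOST_ALIASES", "HOSTALIASES", "RES_OPTIONS",
    "LOCALDOMAIN", "IFS", NULL
};

/* Return 1 if a client-supplied variable NAME may be passed on, 0 if not.
 * Anything starting with LD_ is refused too: the dynamic loader honours
 * more variables than anyone remembers. */
int envar_ok(const char *name)
{
    size_t i;
    if (name == NULL || *name == '\0')
        return 0;
    if (strncmp(name, "LD_", 3) == 0)
        return 0;
    for (i = 0; blocked_envars[i] != NULL; i++)
        if (strcmp(name, blocked_envars[i]) == 0)
            return 0;
    return 1;
}

/* True when the process gained privilege from a setuid/setgid image, i.e.
 * its environment was written by a less privileged user.  On Linux the
 * kernel records this in AT_SECURE; elsewhere compare real and effective ids. */
int process_is_secure(void)
{
#ifdef __linux__
    return getauxval(AT_SECURE) != 0;
#else
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* The weak behaviour the report exploits: whatever the environment says
 * wins, even inside a setuid-root ping. */
const char *resolv_host_conf_path_weak(const char *env_value)
{
    return (env_value != NULL && *env_value != '\0') ? env_value
                                                     : DEFAULT_HOST_CONF;
}

/* The hardened rule: honour the override only when the process holds no
 * privilege beyond that of the user who set the environment. */
const char *resolv_host_conf_path(const char *env_value, int secure)
{
    if (secure || env_value == NULL || *env_value == '\0')
        return DEFAULT_HOST_CONF;
    return env_value;
}

int main(void)
{
    /* Try: RESOLV_HOST_CONF=/etc/shadow ./a.out */
    const char *env = getenv("RESOLV_HOST_CONF");
    printf("weak:     %s\n", resolv_host_conf_path_weak(env));
    printf("hardened: %s\n", resolv_host_conf_path(env, process_is_secure()));
    printf("envar_ok(TERM)=%d envar_ok(RESOLV_HOST_CONF)=%d envar_ok(LD_PRELOAD)=%d\n",
           envar_ok("TERM"), envar_ok("RESOLV_HOST_CONF"), envar_ok("LD_PRELOAD"));
    return 0;
}
```

The telnetd filter is the quick workaround the thread describes (a deny-list can only block the variables you already know about), while the check in resolv_host_conf_path is the library-side fix Mike argues for: a privileged process ignores the override regardless of which program or daemon handed it the environment.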