Bug#4190: moderate security hole in telnetd

[Miquel van Smoorenburg <miquels@cistron.nl>]

You (Bernd Eckenfels) wrote:
> > A quick workaround is to change envarok() in telnetd/state.c as
> > appended.  My guess is that only telnetd needs to be changed for now,
> > as neither rlogin nor rsh (if I remember correctly) allow the client
> > to pass in environment variables.
> 
> Is this environment variable sourced for SUID/SGID programs, too? If yes,

Yep. If you have shadow, try this:

RESOLV_HOST_CONF=/etc/shadow ping localhost

> there can be situations where ppl can fake address/name mappings which would
> be otherwise trusted (cause they ae in /etc/hosts). Removing that feature
> sounds like the best solution....

That would be HOST_ALIASES, and that's on just about every BSD derived
system on the planet. (You can have fun with it though). That doesn't
look dangerous, btw; you can't change the reverse mappings.

This should be fixed in the library, I think. I see no real reason
for justifying these environment variables; nobody seemed to know they
were there in the first place (still, I think the telnet trick _was_
kind of neat).

Mike.
-- 
  Miquel van    | Cistron Internet Services   --    Alphen aan den Rijn.
  Smoorenburg,  | mailto:info@cistron.nl          http://www.cistron.nl/
miquels@het.net | Tel: +31-172-419445 (Voice) 430979 (Fax) 442580 (Data)