COMMAND

    /etc/slip.login

SYSTEMS AFFECTED

    Linux

PROBLEM

    We all know that you can pass most environment variables to a
    login shell when started through telnetd. Assuming you have the
    password for a sliplogin account on a Linux box, you can pass the
    ENV variable in this fashion.

    The attack goes something like this:

        ENV='`/evil/command`' telnet
        telnet> environ export ENV
        telnet> open targethost

    You then log into your regular slip account, which executes
    sliplogin as your login shell. Sliplogin, in turn, runs the
    /etc/slip.login shell script using bash. At startup, bash
    evaluates *and expands* ENV to obtain the name of a startup file
    to use instead of .bashrc, and faithfully executes /evil/command.
    This is particularly nasty since sliplogin runs the login/logout
    scripts under the real and effective uid of root in order to be
    able to manipulate network interfaces and routing tables. This bug
    has been reported by Olaf Kirch.

SOLUTION

    The fix in the new version of sliplogin is to clean out the entire
    environment, and pass only a predefined PATH variable when running
    slip.login or slip.logout.
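
    The environment scrub described above, as an added example (not
    sliplogin's own source). run_hook, child_sees_env, the SAFE_PATH
    value and the ENV marker string are assumptions made for the demo.

```c
/* Added example, not sliplogin source. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Assumed value: the advisory says only "a predefined PATH". */
#define SAFE_PATH "PATH=/bin:/usr/bin:/sbin:/usr/sbin"

/* Hypothetical helper. Runs argv[0] in a child process.
 * scrub != 0: the child gets SAFE_PATH and nothing else (the fix).
 * scrub == 0: the child inherits the caller's environment (the flaw).
 * Returns the child's exit status, 127 if exec failed, -1 on other errors. */
int run_hook(char *const argv[], int scrub)
{
    /* Allow-list, not deny-list: ENV and every other client-supplied
     * variable are dropped without having to be named. */
    char *const clean_envp[] = { SAFE_PATH, NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, scrub ? clean_envp : environ);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Sets a constructed, harmless ENV value in this process, then asks a
 * child shell whether ENV is set. Returns 1 if the child saw it, 0 if not. */
int child_sees_env(int scrub)
{
    char *const argv[] = { "/bin/sh", "-c", "[ -n \"${ENV+set}\" ]", NULL };
    setenv("ENV", "/nonexistent/constructed-marker", 1);
    return run_hook(argv, scrub) == 0;
}

int main(void)
{
    printf("inherited env: child sees ENV = %d\n", child_sees_env(0));
    printf("scrubbed env:  child sees ENV = %d\n", child_sees_env(1));
    return 0;
}
```

    Building the child's environment from an allow-list also covers
    variables nobody thought to blacklist, which is why the fix passes
    a fixed PATH instead of merely unsetting ENV.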