COMMAND
telnetd
SYSTEMS AFFECTED
CYGNUS
Digital Equipment
FreeBSD
Linux
MIT-distributed for Athena
NEC
NetBSD
Open Software Foundation
OpenVision
SGI
PROBLEM
Some telnet daemons support RFC 1408 or RFC 1572, both titled
"Telnet Environment Option." This extension to telnet provides
the ability to transfer environment variables from one system to
another. If the remote or targeted system, the one to which the
telnet is connecting, is running an RFC 1408/RFC 1572-compliant
telnet daemon *and* the targeted system also supports shared
object libraries, then it may be possible to transfer environment
variables that influence the login program called by the telnet
daemon. By influencing that targeted system, a user may be able
to bypass the normal login and authentication scheme and may
become root on that system.
Users with accounts on the targeted system can exploit this
vulnerability. Users without accounts on that system can also
exploit this vulnerability if they are first able to deposit an
altered shared object library onto the targeted system.
Therefore, a system may be vulnerable to users with and without
local accounts.
Not all systems that run an RFC 1408/RFC 1572-compliant telnet
daemon and support shared object libraries are vulnerable. Some
vendors have changed the trust model such that environment
variables provided by the telnet daemon are not trusted and
therefore are not used by the login program. Section III contains
a summary of information vendors have reported as of the date of
this advisory.
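To make the "not trusted" model concrete, here is an added example (not code from the advisory or from any vendor's telnetd) that decodes an RFC 1572 NEW-ENVIRON IS subnegotiation the way a telnet daemon receives it and then scrubs it before anything is handed to login, so names such as LD_PRELOAD or _RLD_ROOT never reach the run-time linker. The allow-list ALLOWED, the function names and the sample payload are assumptions constructed for the example.

```python
# NEW-ENVIRON command and type codes (RFC 1572; RFC 1408 uses the same values)
IS, SEND, INFO = 0, 1, 2
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3

# Assumed allow-list: the only names a hardened telnetd passes on to login.
# LD_* and _RLD_* never get through, whether tagged VAR or USERVAR by the client.
ALLOWED = frozenset({"USER", "TERM", "DISPLAY", "PRINTER"})

def decode_environ_is(payload):
    """Parse the bytes between the option code and IAC SE of an IS/INFO
    subnegotiation (IAC IAC doubling already undone). Returns (type, name, value)."""
    if not payload or payload[0] not in (IS, INFO):
        raise ValueError("not an IS/INFO subnegotiation")
    entries, i = [], 1
    while i < len(payload):
        kind = payload[i]
        if kind not in (VAR, USERVAR):
            raise ValueError(f"unexpected type code {kind} at offset {i}")
        i += 1
        fields, cur = [bytearray(), bytearray()], 0        # name, then value
        while i < len(payload) and payload[i] not in (VAR, USERVAR):
            b = payload[i]
            if b == ESC:                                   # next byte is literal
                i += 1
                if i >= len(payload):
                    raise ValueError("ESC at end of subnegotiation")
                fields[cur].append(payload[i])
            elif b == VALUE and cur == 0:                  # switch from name to value
                cur = 1
            else:
                fields[cur].append(b)
            i += 1
        entries.append((kind, fields[0].decode("latin-1"), fields[1].decode("latin-1")))
    return entries

def scrub_environ(entries, allowed=ALLOWED):
    """Keep only allow-listed names: the environment login is allowed to see."""
    return {name: value for _kind, name, value in entries if name in allowed}

def sample_is_payload():
    """Constructed IS reply: USER (well-known, VAR) plus three USERVARs, two of
    them the linker variables used in the advisory's checks."""
    def entry(kind, name, value):
        return bytes([kind]) + name.encode() + bytes([VALUE]) + value.encode()
    return (bytes([IS]) + entry(VAR, "USER", "guest") + entry(USERVAR, "TERM", "vt100")
            + entry(USERVAR, "LD_PRELOAD", "/no-such-file")
            + entry(USERVAR, "_RLD_ROOT", "/tmp"))
```

Running scrub_environ(decode_environ_is(sample_is_payload())) yields only USER and TERM; the linker variables are dropped before login runs.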
For Suns, the easiest way to check is this (using a modern
telnet client):
% telnet
telnet> env define LD_PRELOAD /no-such-file
telnet> env export LD_PRELOAD
telnet> open host
Trying A.B.C.D...
Connected to host.
Escape character is '^]'.
UNIX(r) System V Release 4.0 (host)
ld.so.1: login: fatal: /no-such-file: can't open file: errno=2
Connection closed by foreign host.
For IRIX:
# telnet
telnet> environ define _RLD_ROOT /tmp
telnet> environ export _RLD_ROOT
telnet> o localhost
Trying 127.0.0.1...
Connected to localhost.xxx.xxx.xxx
Escape character is '^]'.
IRIX System V.4 (xxx)
7480:login: rld: Fatal Error: cannot map soname 'libgen.so'
using any of the filenames
/tmp/usr/lib/libgen.so:/tmp/lib/libgen.so:
/tmp/lib/cmplrs/cc/libgen.so:/tmp/usr/lib/cmplrs/cc/libgen.so:
/tmp/usr/lib/libgen.so.1:/tmp/lib/libgen.so.1:
/tmp/lib/cmplrs/cc/libgen.so.1:/tmp/usr/lib/cmplrs/cc/libgen.so.1:
either the file does not exist or the file is not mappable (with
reason indicated in previous msg)
Connection closed by foreign host.
#
_RLD_ROOT isn't the only variable that the runtime linker will
understand; I just picked this one as a good example. If you do
a 'tog opt' in telnet before you open the connection to localhost,
you can watch the option negotiation and see the _RLD_ROOT
variable being passed.
Paolo Rocchi posted the following. The telnetd daemon installed under
DEC OSF/1 (V2.0 through V3.2c) is vulnerable to a local root
compromise and, if the user is "able to deposit an altered shared
object library onto the targeted system", to a remote root
compromise. Example code has been made publicly available for
various operating systems. Starting from those sources it is
possible to obtain super-user privileges by exploiting a particular
environment variable. Details follow:
file.c -> shared object source code (based upon existing examples)
To build the library under DEC OSF/1 V3.2:
cc -c file.c
ld -shared -no_archive -o file.so -set_version osf.1 file.o -lc
telnet> env def _RLD_LIST /tmp/file.so:DEFAULT
telnet> env exp _RLD_LIST
telnet> o localhost
SOLUTION
If you have installed a previous version of Mr. Borman's telnet
package, note that he has fixed this problem in the version
available at the following location:
ftp://ftp.cray.com/src/telnet/telnet.95.10.23.NE.tar.Z
CYGNUS Network Security V4 Free Network Release
===============================================
cns-95q1 is vulnerable. cns-95q4 is not vulnerable.
Customers can use the following URL to obtain the patch:
http://www.cygnus.com/data/cns/telnetdpatch.html
Digital Equipment Corporation
=============================
Digital's OSF/1 is vulnerable, while ULTRIX is not. Digital has
corrected this potential vulnerability. Patches containing new
images for Digital's OSF/1 platforms are being provided through
your normal Digital Support channels. The kits may be
identified as ECO SSRT0367 (telnetd) for DEC OSF/1 V2.0 through
V3.2c.
FreeBSD
=======
Patched in newer release.
Linux
=====
Newer versions corrected it. All Debian installations that
use a netstd package version prior to 1.21-1 are vulnerable;
netstd 1.21-1 and above are fine. There are also fixes for RedHat
2.0 and Slackware.
MIT-distributed Athena telnet/telnet95
======================================
Patches available in:
ftp://aeneas.mit.edu/pub/kerberos/telnet-patch/
beta4-3.patch is the patch versus the Beta 4 patch level 3
distribution of Kerberos v5. beta5.patch is the patch versus
the Beta 5 distribution of Kerberos V5.
NEC Corporation
===============
Some NEC systems are vulnerable:
OS                   Version       Patch
==================   ===========   ==============
EWS-UX/V(Rel4.2MP)   R10.x         NECmas001
UP-UX/V(Rel4.2MP)    R5.x - R7.x   NECu5s001
                                   NECu6s001
                                   NECu7s001
UX/4800              R11.x         NECmbs002
NetBSD
======
NetBSD 1.0 is vulnerable; NetBSD 1.1 is not. Patch exists.
Open Software Foundation
========================
OSF/1 version 1.3 is not vulnerable.
OpenVision
==========
OpenVision has a patch for the telnetd in OpenV*Secure 1.2 and
will contact its customers directly.
Silicon Graphics
================
For IRIX versions 5.0.x and 5.1.x, an upgrade to 5.2 or later is
required first. When the upgrade is completed, the patches for
IRIX 5.2, 5.3, 6.0, and 6.0.1 can be applied. That patch is
number 1020 and will install on IRIX 5.2, 5.3, 6.0 and 6.0.1.
For IRIX 6.1, an inst-able patch has been generated and made
available; it is patch number 1010 and will install on IRIX 6.1.