Credit:
The information has been provided by Tom Yu.
The original article can be found at: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt
Vulnerable Systems:
* telnetd in all releases of MIT krb5, up to and including krb5-1.6
Immune Systems:
* telnetd in MIT krb5 release krb5-1.6.1
Impact:
A user can gain unauthorized access to any account (including root) on a host running telnetd. Whether the attacker needs to authenticate depends on the configuration of telnetd on that host.
Fixes:
* The upcoming krb5-1.6.1 release will contain a fix for this vulnerability.
Prior to that release you may:
* disable telnetd
or
* apply the patch
This patch is also available at http://web.mit.edu/kerberos/advisories/2007-001-patch.txt
A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2007-001-patch.txt.asc
*** src/appl/telnet/telnetd/state.c (revision 19480)
--- src/appl/telnet/telnetd/state.c (local)
***************
*** 1665,1671 ****
strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
strcmp(varp, "NLSPATH") && /* locale stuff */
strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
! strcmp(varp, "IFS")) {
return 1;
} else {
syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
--- 1665,1672 ----
strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
strcmp(varp, "NLSPATH") && /* locale stuff */
strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
! strcmp(varp, "IFS") &&
! !strchr(varp, '-')) {
return 1;
} else {
syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
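Review bot: The new `!strchr(varp, '-')` clause is the only term in this condition without the trailing comment its siblings carry (`/* linux */`, `/* locale stuff */`), so the reason for rejecting a dash is not recorded where the check lives; the rationale is only visible in the sys_term.c hunks of the same change. Suggest `!strchr(varp, '-')) { /* login would parse it as an option */`. Note the check rejects a name containing '-' anywhere, not just a leading one, which appears to be a deliberate broader rule since such names are not valid shell variable names anyway — worth a word in that comment. The enclosing function starts and ends outside the hunk.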
*** src/appl/telnet/telnetd/sys_term.c (revision 19480)
--- src/appl/telnet/telnetd/sys_term.c (local)
***************
*** 1287,1292 ****
--- 1287,1302 ----
#endif
#if defined (AUTHENTICATION)
if (auth_level >= 0 && autologin == AUTH_VALID) {
+ if (name[0] == '-') {
+ /* Authenticated and authorized to log in to an
+ account starting with '-'? Even if that
+ unlikely case comes to pass, the current login
+ program will not parse the resulting command
+ line properly. */
+ syslog(LOG_ERR, "user name cannot start with '-'");
+ fatal(net, "user name cannot start with '-'");
+ exit(1);
+ }
# if !defined(NO_LOGIN_F)
#if defined(LOGIN_CAP_F)
argv = addarg(argv, "-F");
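Review bot: The three-line rejection sequence added here (syslog, `fatal(net, ...)`, `exit(1)`) is repeated verbatim in the `getenv("USER")` hunk below, with the same message string duplicated twice per site; a small `static` helper would keep the two paths from drifting and make the rejection a single auditable point. If `fatal()` does not return, the trailing `exit(1)` is defensive only and the helper is a natural place for a `/* NOTREACHED */`-style remark. The helper assumes `net` is the file-scope descriptor both call sites already pass unconditionally. The enclosing function starts and ends outside the hunk.
```c
/* Refuse a user name that login would otherwise parse as an option. */
static void
reject_dash_user(void)
{
	syslog(LOG_ERR, "user name cannot start with '-'");
	fatal(net, "user name cannot start with '-'");
	exit(1);	/* in case fatal() returns */
}

/* … unchanged: enclosing function up to the AUTHENTICATION block … */
	if (auth_level >= 0 && autologin == AUTH_VALID) {
		if (name[0] == '-') {
			/* … unchanged: comment explaining the rejection … */
			reject_dash_user();
		}
```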
***************
*** 1377,1387 ****
} else
#endif
if (getenv("USER")) {
! argv = addarg(argv, getenv("USER"));
#if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
{
register char **cpp;
for (cpp = environ; *cpp; cpp++)
argv = addarg(argv, *cpp);
}
#endif
--- 1387,1405 ----
} else
#endif
if (getenv("USER")) {
! char *user = getenv("USER");
! if (user[0] == '-') {
! /* "telnet -l-x ..." */
! syslog(LOG_ERR, "user name cannot start with '-'");
! fatal(net, "user name cannot start with '-'");
! exit(1);
! }
! argv = addarg(argv, user);
#if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
{
register char **cpp;
for (cpp = environ; *cpp; cpp++)
+ if ((*cpp)[0] != '-')
argv = addarg(argv, *cpp);
}
#endif
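Review bot: Environment entries beginning with '-' are dropped silently by the new `if ((*cpp)[0] != '-')` in the `environ` loop, whereas the two other rejections in this change write a syslog record; a dropped entry is exactly the event an operator would want to see. Suggest bracing the loop body and adding `else syslog(LOG_INFO, "Dropped environment entry \"%s\"", *cpp);` so the filter is logged in the same style as the state.c rejection message. Also, `getenv("USER")` is now evaluated twice (in the condition and again for `user`); hoisting the single call above the `if` would avoid the repeat. The enclosing function starts and ends outside the hunk.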
CVE Information:
CVE-2007-0956