Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1995_4

Bugtraq archives for 4th quarter (Oct-Dec) 1995: Re: Telnet attack on SGI

Re: Telnet attack on SGI

Christopher Davis (ckdloiosh.kei.com)
Fri, 3 Nov 1995 10:31:43 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Paul Leyland: "Linux and DEC patches available for CA-95:14 Telnetd Vulnerability"
Previous message: *Hobbit*: "a point is being missed"
In reply to: Justin Mason: "Re: Telnet attack on SGI"
Next in thread: Edwin Kremer: "Re: Telnet attack on SGI"

-----BEGIN PGP SIGNED MESSAGE-----

JM> == Justin Mason <jmasoniona.ie>

 JM> The env vars that spring to mind as being useful accross a network are:
 JM> TZ, DISPLAY and TERM.

I'd probably add TERMCAP, and of course USER which is part of the
autologin stuff.  (If you send USER across without also sending Kerberos
authentication or whatever, you get just a password prompt... kind of like
rlogin, but with all of the functionality of telnet.)

 JM> Of course, to allow future enhancements, this should be a
 JM> configurable option for the telnetd.

Most definitely.

Here's my patch to telnet-95.10.23 (probably applies to .NE too, though
the line numbers might change) that implements the "only what is
explicitly permitted" behavior.  It's not configurable though.

The "KRB" blocking change in the "all is permitted except what's blocked"
code is for people using CNS with the Borman telnetd instead of the CNS
telnetd.

As with any PGP-signed patch, you'll need to trim off the "- " from some
lines to make patch recognize it.

- --- sys_term.c~       Mon Oct 23 10:47:17 1995
+++ sys_term.c  Thu Nov  2 10:41:40 1995
 -1823,10 +1823,20 
        register char **cpp, **cpp2;

        for (cpp2 = cpp = environ; *cpp; cpp++) {
+#ifdef INSUFFICIENTLY_PARANOID
                if (strncmp(*cpp, "LD_", 3) &&
                    strncmp(*cpp, "_RLD_", 5) &&
                    strncmp(*cpp, "LIBPATH=", 8) &&
+                   /* ckd addition 951102 */
+                   strncmp(*cpp, "KRB", 3) &&
                    strncmp(*cpp, "IFS=", 4))
+#else
+               if (strncmp(*cpp, "TZ=", 3) == 0 ||
+                   strncmp(*cpp, "USER=", 5) == 0 ||
+                   strncmp(*cpp, "TERM=", 5) == 0 ||
+                   strncmp(*cpp, "DISPLAY=", 8) == 0 ||
+                   strncmp(*cpp, "TERMCAP=", 8) == 0)
+#endif /* INSUFFICIENTLY_PARANOID */
                        *cpp2++ = *cpp;
        }
        *cpp2 = 0;

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface

iQBVAwUBMJo11Xc8OGsDgp+JAQF3RwH+MN9JxA2sgDavemluAhPtyOHY3gyIx8EL
ni9dNFHIrs5O5mVUcRdAwtNiCN2c3DMS/eIo+UWGQtYmCJ7xuesnVw==
=H3P9
-----END PGP SIGNATURE-----

Next message: Paul Leyland: "Linux and DEC patches available for CA-95:14 Telnetd Vulnerability"
Previous message: *Hobbit*: "a point is being missed"
In reply to: Justin Mason: "Re: Telnet attack on SGI"
Next in thread: Edwin Kremer: "Re: Telnet attack on SGI"