From owner-freebsd-audit Sun Oct 15 16:54:23 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id D1EAA37B66C for ; Sun, 15 Oct 2000 16:54:20 -0700 (PDT)
Received: (from kris@localhost) by citusc17.usc.edu (8.9.3/8.9.3) id QAA18002 for audit@freebsd.org; Sun, 15 Oct 2000 16:56:12 -0700 (PDT)
Date: Sun, 15 Oct 2000 16:56:12 -0700
From: Kris Kennaway
To: audit@freebsd.org
Subject: telnetd patch
Message-ID: <20001015165612.A17989@citusc17.usc.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Please review. I think I caught all of the environment variables which the telnet binary listens to. LOCALDOMAIN and RES_OPTIONS are potential problems, but I don't really know what the impact of those are. LOCALDOMAIN seems to allow you to override what the default domain the resolver uses is, which may or may not be an issue for telnetd. Could someone check?

Actually, I'm not sure if some of the locale variables should also be filtered out too. It makes me uncomfortable only filtering out some environment variables and not filtering them all out and explicitly allowing some back in, but that would probably break too many things. Hopefully we don't screw ourselves later when another privileged environment variable is added to libc.

Also fixed a couple of obvious buffer problems, don't think these are remotely exploitable. There are lots of other ones which need to be audited, but they don't seem to be playing with user input so they're probably okay (assuming there's a limit to the number of telnet options you can have turned on).

Kris

Index: sys_term.c
===================================================================
RCS file: /usr/home/ncvs/src/libexec/telnetd/sys_term.c,v
retrieving revision 1.24
diff -u -r1.24 sys_term.c
--- sys_term.c 1999/08/28 00:10:24 1.24
+++ sys_term.c 2000/10/15 23:43:55
@@ -1799,6 +1799,13 @@ strncmp(*cpp, "_RLD_", 5) && strncmp(*cpp, "LIBPATH=", 8) && #endif + strncmp(*cpp, "LOCALDOMAIN=", 12) && + strncmp(*cpp, "RES_OPTIONS=", 12) && + strncmp(*cpp, "TERMINFO=", 9) && + strncmp(*cpp, "TERMINFO_DIRS=", 14) && + strncmp(*cpp, "TERMPATH=", 9) && + strncmp(*cpp, "TERMCAP=/", 9) && + strncmp(*cpp, "ENV=", 4) && strncmp(*cpp, "IFS=", 4)) *cpp2++ = *cpp; } Index: telnetd.c =================================================================== RCS file: /usr/home/ncvs/src/libexec/telnetd/telnetd.c,v retrieving revision 1.22 diff -u -r1.22 telnetd.c --- telnetd.c 2000/01/25 14:52:00 1.22 +++ telnetd.c 2000/10/15 23:23:29 @@ -811,7 +811,7 @@ fatal(net, "Out of ptys"); if ((pty = open(lp, 2)) >= 0) { - strcpy(line,lp); + strlcpy(line,lp,sizeof(line)); line[5] = 't'; break; } @@ -1115,7 +1115,7 @@ IM = Getstr("im", &cp); IF = Getstr("if", &cp); if (HN && *HN) - (void) strcpy(host_name, HN); + (void) strlcpy(host_name, HN, sizeof(host_name)); if (IF && (if_fd = open(IF, O_RDONLY, 000)) != -1) IM = 0; if (IM == 0) Index: utility.c =================================================================== RCS file: /usr/home/ncvs/src/libexec/telnetd/utility.c,v retrieving revision 1.13 diff -u -r1.13 utility.c --- utility.c 1999/08/28 00:10:25 1.13 +++ utility.c 2000/10/15 23:36:35 @@ -330,7 +330,7 @@ { char buf[BUFSIZ]; - (void) sprintf(buf, "telnetd: %s.\r\n", msg); + (void) snprintf(buf, sizeof(buf), "telnetd: %s.\r\n", msg); (void) write(f, buf, (int)strlen(buf)); sleep(1); /*XXX*/ exit(1); 
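Review bot: the new strncmp() lengths in the sys_term.c hunk (12, 12, 9, 14, 9, 9, 4) are hand-counted and must stay in step with the string literals; they are all correct here, but a later edit that changes a literal without its length would silently widen or narrow the match. A `sizeof("LOCALDOMAIN=") - 1` form, or a small prefix table looped over, removes that hazard. Note also that "TERMCAP=/" is compared over 9 characters, so only a TERMCAP whose value names a file is dropped and an inline termcap entry still passes; if that is the intent, a one-line comment would spare the next reader from reading it as a typo.

Review bot: in the telnetd.c @@ -811 hunk the strlcpy() return value is discarded, so a pty name longer than `line` is truncated silently and the following `line[5] = 't';` then derives a tty name from a truncated string, whereas the strcpy() it replaces would at least have failed loudly. Checking `strlcpy(line, lp, sizeof(line)) >= sizeof(line)` and calling fatal(net, ...) (already used a few lines above for "Out of ptys") keeps the fix from turning an overflow into a wrong-device open.

Review bot: in the telnetd.c @@ -1115 hunk `sizeof(host_name)` is the buffer size only if host_name is visible in this file as a sized array; with an unsized extern declaration it will not compile, and with a pointer it quietly becomes the pointer size. The hunk does not show the declaration, so worth confirming. The `(void)` cast also drops the only signal that a gettytab "hn" value was truncated.

Review bot: in both utility.c hunks (@@ -330 and @@ -343) the move to snprintf() is safe as written because the following write() uses strlen(buf) rather than a fixed count, so a long msg is simply cut at BUFSIZ - 1 (losing the trailing ".\r\n" in the first case). While the line is being touched, the `(int)strlen(buf)` cast in the context narrows a size_t for no reason and could be dropped.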
@@ -343,7 +343,7 @@ { char buf[BUFSIZ], *strerror(); - (void) sprintf(buf, "%s: %s", msg, strerror(errno)); + (void) snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno)); fatal(f, buf); }

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message

From owner-freebsd-audit Sun Oct 15 19:10:32 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from puck.firepipe.net (mcut-b-167.resnet.purdue.edu [128.211.209.167]) by hub.freebsd.org (Postfix) with ESMTP id B623A37B502 for ; Sun, 15 Oct 2000 19:10:30 -0700 (PDT)
Received: by puck.firepipe.net (Postfix, from userid 1000) id CD9DD1957; Sun, 15 Oct 2000 21:11:34 -0500 (EST)
Date: Sun, 15 Oct 2000 21:11:34 -0500
From: Will Andrews
To: Kris Kennaway
Cc: audit@FreeBSD.ORG
Subject: Re: telnetd patch
Message-ID: <20001015211134.Y95891@puck.firepipe.net>
Reply-To: Will Andrews
Mail-Followup-To: Will Andrews , Kris Kennaway , audit@FreeBSD.ORG
References: <20001015165612.A17989@citusc17.usc.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001015165612.A17989@citusc17.usc.edu>; from kris@citusc.usc.edu on Sun, Oct 15, 2000 at 04:56:12PM -0700
X-Operating-System: FreeBSD 4.1-STABLE i386
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Oct 15, 2000 at 04:56:12PM -0700, Kris Kennaway wrote:
> Please review.

Looks good to me.

> I think I caught all of the environment variables which the telnet
> binary listens to. LOCALDOMAIN and RES_OPTIONS are potential problems,
> but I don't really know what the impact of those are. LOCALDOMAIN
> seems to allow you to override what the default domain the resolver
> uses is, which may or may not be an issue for telnetd. Could someone
> check?

Since telnet doesn't care about the name of the remote host (unlike ssh, where this could be exploited to allow "spoofed" hosts to use root via ssh key with a particular configuration), it probably doesn't matter.

> It makes me uncomfortable only filtering out some environment
> variables and not filtering them all out and explicitly allowing some
> back in, but that would probably break too many things. Hopefully we
> don't screw ourselves later when another privileged environment
> variable is added to libc.

Well, I'm not sure what you mean by "privileged environment variables". But there could be a standard "allowed environment variables" in libc that could be used to determine which privileged ones can be used by an app like telnet, and then allowing others it should use.

> Also fixed a couple of obvious buffer problems, don't think these are
> remotely exploitable.
> There are lots of other ones which need to be
> audited, but they don't seem to be playing with user input so they're
> probably okay (assuming there's a limit to the number of telnet options
> you can have turned on)

I hope getopt() DTRT, since that's where it gets options from.

--
Will Andrews - Physics Computer Network wench
The Universal Answer to All Problems - "It has something to do with physics."
-- Comic on door of Room 240, Physics Building, Purdue University
http://puck.firepipe.net/will/rm240.jpg

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message

From owner-freebsd-audit Sun Oct 15 21:06:57 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 2C43137B66C for ; Sun, 15 Oct 2000 21:06:56 -0700 (PDT)
Received: (from kris@localhost) by citusc17.usc.edu (8.9.3/8.9.3) id VAA26401; Sun, 15 Oct 2000 21:08:46 -0700 (PDT)
Date: Sun, 15 Oct 2000 21:08:45 -0700
From: Kris Kennaway
To: Will Andrews
Cc: audit@FreeBSD.ORG
Subject: Re: telnetd patch
Message-ID: <20001015210845.A26381@citusc17.usc.edu>
References: <20001015165612.A17989@citusc17.usc.edu> <20001015211134.Y95891@puck.firepipe.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001015211134.Y95891@puck.firepipe.net>; from will@physics.purdue.edu on Sun, Oct 15, 2000 at 09:11:34PM -0500
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Oct 15, 2000 at 09:11:34PM -0500, Will Andrews wrote:
> Since telnet doesn't care about the name of the remote host (unlike
> ssh, where this could be exploited to allow "spoofed" hosts to use root
> via ssh key with a particular configuration), it probably doesn't matter.

The kind of thing I'm worried about is bypassing host-based access checks and logging incorrect host data, since you can make telnetd think the local machine lives in a domain of your choosing, and it will query your DNS server to resolve any address information.

> > It makes me uncomfortable only filtering out some environment
> > variables and not filtering them all out and explicitly allowing some
> > back in, but that would probably break too many things. Hopefully we
> > don't screw ourselves later when another privileged environment
> > variable is added to libc.
>
> Well, I'm not sure what you mean by "privileged environment variables".
> But there could be a standard "allowed environment variables" in libc
> that could be used to determine which privileged ones can be used by an
> app like telnet, and then allowing others it should use.

Things which are normally denied behind issetugid() because they shouldn't be allowed when running with privileges, but which don't get caught in programs like telnetd because it's run as root directly, not run setuid to root (and therefore it's not issetugid()).
> I hope getopt() DTRT, since that's where it gets options from.

Telnet protocol options, not command-line options.

Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message

From owner-freebsd-audit Fri Oct 20 8:28:45 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from mailout06.sul.t-online.com (mailout06.sul.t-online.com [194.25.134.19]) by hub.freebsd.org (Postfix) with ESMTP id 9EF1B37B4E5 for ; Fri, 20 Oct 2000 08:28:41 -0700 (PDT)
Received: from fmrl02.sul.t-online.de by mailout06.sul.t-online.com with smtp id 13me4r-0005ln-00; Fri, 20 Oct 2000 17:27:25 +0200
Received: from neutron.cichlids.com (520050424122-0001@[62.156.17.79]) by fmrl02.sul.t-online.com with esmtp id 13me4l-1sVVkOC; Fri, 20 Oct 2000 17:27:19 +0200
Received: from cichlids.cichlids.com (cichlids.cichlids.com [192.168.0.10]) by neutron.cichlids.com (Postfix) with ESMTP id 3EED1AB91; Fri, 20 Oct 2000 17:29:34 +0200 (CEST)
Received: by cichlids.cichlids.com (Postfix, from userid 1001) id 2A8D614B32; Fri, 20 Oct 2000 17:27:22 +0200 (CEST)
Date: Fri, 20 Oct 2000 17:27:21 +0200
To: Kris Kennaway
Cc: audit@FreeBSD.ORG
Subject: Re: telnetd patch
Message-ID: <20001020172721.A43072@cichlids.cichlids.com>
References: <20001015165612.A17989@citusc17.usc.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001015165612.A17989@citusc17.usc.edu>; from kris@citusc.usc.edu on Sun, Oct 15, 2000 at 04:56:12PM -0700
X-PGP-Fingerprint: 44 28 CA 4C 46 5B D3 A8 A8 E3 BA F3 4E 60 7D 7F
X-PGP-at: finger alex@big.endian.de
X-Verwirrung: Dieser Header dient der allgemeinen Verwirrung.
From: alex@big.endian.de (Alexander Langer)
X-Sender: 520050424122-0001@t-dialin.net
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Thus spake Kris Kennaway (kris@citusc.usc.edu):
> I think I caught all of the environment variables which the telnet
> binary listens to. LOCALDOMAIN and RES_OPTIONS are potential problems,
> but I don't really know what the impact of those are. LOCALDOMAIN
> seems to allow you to override what the default domain the resolver
> uses is, which may or may not be an issue for telnetd. Could someone
> check?

If there is a way to exploit the ENV of the superuser, then it is, since LOCALDOMAIN affects such things as you mentioned in the answer to Will's mail. However, I'm not sure if setting these to "" is the correct way, since it just breaks the behaviour. Users expect the DNS library to pay attention to LOCALDOMAIN and RES_OPTIONS.

Alex

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
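An added example, not code from the thread or from the FreeBSD telnetd sources, showing the two approaches the thread weighs: the prefix deny-list from Kris's sys_term.c hunk as a stand-alone in-place filter over an envp-style array, beside the allow-list variant Kris describes as the stricter option that "would probably break too many things". The allow-list contents are a constructed sample set, not anything the thread or libc defines.

```c
#include <string.h>

/* Prefixes rejected by the sys_term.c hunk, plus the pre-existing
 * "_RLD_", "LIBPATH=" and "IFS=" entries visible in its context. The slash
 * in "TERMCAP=/" means only a TERMCAP naming a file is dropped; an inline
 * termcap entry passes. */
static const char *const denied[] = {
    "_RLD_", "LIBPATH=", "LOCALDOMAIN=", "RES_OPTIONS=", "TERMINFO=",
    "TERMINFO_DIRS=", "TERMPATH=", "TERMCAP=/", "ENV=", "IFS=", NULL
};

/* Allow-list alternative from the thread: the only names kept (constructed
 * sample set; a real service would choose this list per application). */
static const char *const allowed[] = { "TERM", "USER", "LANG", NULL };

/* Compact env in place, dropping entries that start with a denied prefix
 * (the same "*cpp2++ = *cpp" pattern as the patch). Returns entries kept. */
size_t scrub_env_denylist(char **env)
{
    char **out = env;
    for (char **in = env; *in != NULL; in++) {
        const char *const *d;
        for (d = denied; *d != NULL; d++)
            if (strncmp(*in, *d, strlen(*d)) == 0)
                break;
        if (*d == NULL)
            *out++ = *in;
    }
    *out = NULL;
    return (size_t)(out - env);
}

/* Keep only NAME=value entries whose NAME is on the allow-list; entries
 * without '=' are dropped as malformed. Returns entries kept. */
size_t scrub_env_allowlist(char **env)
{
    char **out = env;
    for (char **in = env; *in != NULL; in++) {
        const char *eq = strchr(*in, '=');
        const char *const *a = allowed;
        if (eq != NULL) {
            size_t n = (size_t)(eq - *in);
            while (*a != NULL && (strlen(*a) != n || strncmp(*in, *a, n) != 0))
                a++;
        }
        if (eq != NULL && *a != NULL)
            *out++ = *in;
    }
    *out = NULL;
    return (size_t)(out - env);
}
```

Both functions rewrite the array they are given, as the telnetd loop does, so call them before the environment is handed to the login process.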