From owner-freebsd-security Wed Mar 13 03:22:25 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id DAA23408
          for security-outgoing; Wed, 13 Mar 1996 03:22:25 -0800 (PST)
Received: from kdat.calpoly.edu (kdat.csc.calpoly.edu [129.65.54.101])
          by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id DAA23399
          for ; Wed, 13 Mar 1996 03:22:23 -0800 (PST)
Received: (from nlawson@localhost)
          by kdat.calpoly.edu (8.6.12/N8) id DAA10184; Wed, 13 Mar 1996 03:22:02 -0800
From: Nathan Lawson
Message-Id: <199603131122.DAA10184@kdat.calpoly.edu>
Subject: Re: CA-95:14
To: coredump@nervosa.com (invalid opcode)
Date: Wed, 13 Mar 1996 03:22:02 -0800 (PST)
Cc: security@freebsd.org
In-Reply-To: from "invalid opcode" at Mar 13, 96 00:44:16 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> On Tue, 12 Mar 1996, Tom Samplonius wrote:
>
> > Read more carefully. The specified problem is in telnetd, not telnet.
> > I can't speak for 2.1R, but the problem is not in -stable or -current.
> > Tom
>
> Sorry, my mistake. It appears that it is still present in -release, but
> I've tried to exploit it here and no luck.
>

It's easy to exploit. Create your own shared library (man ld if you don't
know how). Pass in an LD_LIBRARY_PATH variable via the telnet environ
command. Login will use your library instead of the /usr/lib ones.

As for doing a strings on telnet and grepping for LD, that is an utter
misunderstanding of the problem. The problem isn't in telnet, strings
wouldn't show it, and it has nothing to do with LD variables specifically.
You can pass ANY environmental variable to login, which is the real problem.

--
Nate Lawson   \Yeah, I was dreaming through the 'howzlife', yawning, car black,
CS-EE double  \when she told me 'mad and meaningless as ever...' and a song
major,        \came on the radio like a cemetery rhyme for a million crying
unaccredited  \corpses in their tragedy of respectable existence. - BR
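
An added example, not part of the original message and not taken from any telnetd source: since the message's point is that any client-supplied variable reaches login, this sketch filters the environment by allowlist before login would be executed, instead of blocking LD_ names one at a time. The allowlist contents, the value length limit, the function names and the sample input are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allowlist for this example: names a remote client may set. */
static const char *const allowed_names[] = { "TERM", "DISPLAY", "LANG", NULL };
#define MAX_VALUE_LEN 256   /* assumed upper bound on a value's length */

/* Constructed sample of variables received from a telnet client. */
static const char *const sample_env[] = {
    "TERM=vt100", "LD_LIBRARY_PATH=/tmp/x", "IFS=/", "DISPLAY=host:0",
    "PATH=/tmp", NULL };

/* Return 1 only for "NAME=value" where NAME is allowlisted (exact match)
 * and value is bounded, printable ASCII; everything else is dropped. */
static int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t name_len, vlen, i;

    if (eq == NULL || eq == entry)
        return 0;                        /* no '=' or empty name */
    name_len = (size_t)(eq - entry);
    for (i = 0; allowed_names[i] != NULL; i++)
        if (strlen(allowed_names[i]) == name_len &&
            memcmp(entry, allowed_names[i], name_len) == 0)
            break;
    if (allowed_names[i] == NULL)
        return 0;                        /* name not on the allowlist */
    vlen = strlen(eq + 1);
    if (vlen > MAX_VALUE_LEN)
        return 0;
    for (i = 0; i < vlen; i++)
        if (eq[1 + i] < 0x20 || eq[1 + i] > 0x7e)
            return 0;                    /* control or non-ASCII byte */
    return 1;
}

/* Copy accepted entries of NULL-terminated in[] to out[] (outcap slots,
 * including the terminating NULL); returns the number kept. */
static size_t filter_client_env(const char *const in[], const char *out[],
                                size_t outcap)
{
    size_t n = 0;
    if (outcap == 0)
        return 0;
    for (size_t i = 0; in[i] != NULL && n + 1 < outcap; i++)
        if (env_entry_allowed(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return n;
}

int main(void)
{
    const char *out[8];
    size_t n = filter_client_env(sample_env, out, 8);
    for (size_t i = 0; i < n; i++)
        printf("kept: %s\n", out[i]);
    return 0;
}
```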