From: biff (大可), Board: Security 

Subject: telnet hole 

Posted from: 武漢白云黃鶴站 (Sun Jun 13 14:56:27 1999), local post 

  

  

INTRODUCTION: 

Gday. This tar file contains a number of files that will allow you 

to get root access to between 40% to 70% of all Unix machines. 

  

  

  

telnetd_exploit.tar.gz 

  

  

  

  

It does this by exploiting a hole/feature in telnetd where environment 

variables are passed from the calling telnet client, to the receiving telnet 

daemon. These are normal env variables, such as TERM and TZ. However, there 

are a few which affect the runtime linker/loader (ld.so). These variables 

affect how ld.so finds and uses shared libraries. 

  

EXPLANATION: 

Most programs are written and compiled and only contain code the author has 

written. Standard functions such as printf and strncpy are stored in runtime 

libraries. When the program is initiated, a runtime linker adds in these 

little bits of code. The main benefit is that lots of work is saved. An 

author doesn't need to re-write printf every program he writes. These 

libraries of pre-written functions are called shared object libraries. When 

a program is written to use these, that program is called a dynamically 

linked program. That is, it will dynamically load functions as and when it 

needs them. 

  

We can exploit this hole in ld.so by specifying our own library functions. 

In fact, this code replaces two standard C library functions, openlog and 

getpass. 

  

getpass is used when a program wants a password to be entered, without 

echoing to the display. openlog was added because some systems have a 

different way of initiating logins. 

  

The main crux is that both of these functions are executed when login (which 

is called when telnetd finds an incoming connection) is running as root. Any 

code which is executed then will be executed as root. My two trojan 

functions simply execute /bin/sh as uid 0. 

  

getpass is used in a normal /bin/login and is called after you enter your 

login name. Some systems that use shadow passwording will find (if you 

examine the source) that getpass isn't used. To circumvent this, we add 

openlog which, if a site is shadowed, is probably going to be compiled in. 

This is the default with the shadow setups I've seen. 

  

METHOD: 

  

Method One (If you have an account on the machine you want root on. Try this 

            first.) 

  

(1) gunzip and untar the source into a directory, eg /home/squidge/lib_hack 

(2) compile the programs by typing make all 

(3) wait 

(4) you will have a file /tmp/.libroot.so 

(5) type telnet 

(6) at the telnet> prompt, type env def LD_PRELOAD /tmp/.libroot.so 

    This tells telnet to pass the environment variable LD_PRELOAD to the 

    target machine. LD_PRELOAD points to our trojan library. 

(7) type open localhost 

(8) If you don't get a prompt bash#, but get login: type something like test 

    You should now be greeted with bash#. Type id and see you are root. 

    Note that telnetd will time you out, so make some attempt at a backdoor. 

  

Method Two (If you have no account on the target machine) 

  

(1) as above 

(2) as above, if you are running the same hardware as the target. If you are 

    on different processors, try compiling on a different machine. If you 

    know what you are doing, try changing the target architecture used by 

    gcc and ld. It is the -m flag with ld. 

(3) assuming you have the correct binary, open an ftp connection to the 

    target 

(4) using bin mode, upload your trojan library to the target's incoming 

    directory. 

(5) switch back to your machine, start telnet and specify the path of the 

    target's ftp directory as your LD_PRELOAD. On linux this is normally 

    /home/ftp/incoming. On others generally /var/ftp/incoming or 

    /etc/ftp/incoming. 

(6) as number 8 above. 

  

If you opt for method 2, you will need a pretty good idea of what is going 



on. It is not for the fainthearted. If demand is high, I may release a new 

set of .o files for different architectures. There should be no need. I can 

compile for Sun(SPARC), M68 and x86 on my linux box. So can you. 

  

HOW TO PROTECT: 

There are a few ways. If you have a statically linked login, then you are 

safe. setuid programs ignore LD_PRELOAD so once you have logged in, you 

cannot subvert the system. 

  

You can patch telnetd to wipe all but a few env variables. There are many 

widely available pieces of code to demonstrate this. 
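
One way to implement the environment wipe described above, as an added example (not code from the original post or from any telnetd source). The allowlist contents and the names scrub_env and env_allowed are assumptions, and the sample variables are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allowlist: the only names a remote client may set. */
static const char *const allowed[] = { "TERM", "TZ", "DISPLAY", NULL };

/* 1 if the "NAME=value" entry has an exact allowlisted NAME, else 0. */
static int env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t i, len;

    if (eq == NULL || eq == entry)
        return 0;                       /* malformed entry: drop it */
    len = (size_t)(eq - entry);
    for (i = 0; allowed[i] != NULL; i++)
        if (strlen(allowed[i]) == len && memcmp(entry, allowed[i], len) == 0)
            return 1;                   /* exact name match, not a prefix */
    return 0;
}

/* Compact envp in place so only allowlisted entries remain; returns count.
 * Meant to run on the client-supplied variables before login is exec'd. */
size_t scrub_env(char **envp)
{
    size_t in, out = 0;

    for (in = 0; envp[in] != NULL; in++)
        if (env_allowed(envp[in]))
            envp[out++] = envp[in];
    envp[out] = NULL;
    return out;
}

/* Constructed sample of client-supplied variables (not from the page). */
static char v0[] = "TERM=vt100", v1[] = "LD_PRELOAD=/tmp/x.so",
            v2[] = "TZ=UTC", v3[] = "LD_LIBRARY_PATH=/tmp",
            v4[] = "TERMINFO=/tmp";
static char *sample_env[] = { v0, v1, v2, v3, v4, NULL };

int main(void)
{
    char **e;

    scrub_env(sample_env);
    for (e = sample_env; *e != NULL; e++)
        puts(*e);                       /* only allowlisted entries remain */
    return 0;
}
```

An allowlist is used rather than a blocklist of LD_* names because ld.so honours several variables and the set differs between systems; anything not explicitly permitted is dropped.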

  

FINALLY: 

  

That's all I can think of. If you have any questions, email 

                         squidge@onyx.infonexus.com 

                            (The Guild homesite) 

  

  

-- 
