inetutils/telnet

CERT* Advisory CA-95.14

Original issue date: November 1, 1995
Last revised: October 30, 1997 - Updated vendor information for Sun. 

Description

Some telnet daemons support RFC 1408 or RFC 1572, both titled "Telnet 
Environment Option." This extension to telnet provides the ability to 
transfer environment variables from one system to another. If the remote 
or targeted system, the one to which the telnet is connecting, is 
running an RFC 1408/RFC 1572-compliant telnet daemon *and* the targeted 
system also supports shared object libraries, then it may be possible to 
transfer environment variables that influence the login program called 
by the telnet daemon. By influencing that targeted system, a user may be 
able to bypass the normal login and authentication scheme and may become 
root on that system. 

Users with accounts on the targeted system can exploit this 
vulnerability. Users without accounts on that system can also exploit 
this vulnerability if they are first able to deposit an altered shared 
object library onto the targeted system. Therefore, a system may be 
vulnerable to users with and without local accounts. 

Not all systems that run an RFC 1408/RFC 1572-compliant telnet daemon 
and support shared object libraries are vulnerable. Some vendors have 
changed the trust model such that environment variables provided by the 
telnet daemon are not trusted and therefore are not used by the login 
program. Section III contains a summary of information vendors have 
reported as of the date of this advisory. 
--------------------------------------