Remote authentication bypass in telnetd

by
corbet
from LWN.net on (#72ZHS)
One would assume that most LWN readers stopped running network-accessibletelnet services some number of decades ago. For the rest of you, this security advisory fromSimon Josefsson is worthy of note:

The telnetd server invokes /usr/bin/login (normally running asroot) passing the value of the USER environment variable receivedfrom the client as the last parameter.

If the client supplies a carefully crafted USER environment valuebeing the string "-f root", and passes the telnet(1) -a or --loginparameter to send this USER environment to the server, the clientwill be automatically logged in as root bypassing normalauthentication processes.

External Content
Source RSS or Atom Feed
Feed Location http://lwn.net/headlines/rss
Feed Title LWN.net
Feed Link https://lwn.net/
Reply 0 comments