Exploit world!

Solaris Section

Compiled by Fyodor fyodor@insecure.org
on Thu Jan 13 21:41:31 UTC 2000


Xaw and Xterm vulnerabilities
Description: There are a number of vulnerabilities in the X11R6 xterm(1) program and the Xaw(3c) library. They are mostly all overflows.
Author: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>; the exploit was written by alcuin
Compromise: root (local)
Vulnerable Systems: Those running xterm or X apps linked to a vulnerable Xaw. Virtually all versions of X are vulnerable to the *Keymap hole and the others are mostly X11R6 specific (which virtually everyone uses anyway). Thus it is likely that many Solaris, Linux, HP/UX, and perhaps IRIX and AIX boxes are vulnerable.
Date: 4 May 1998
Notes: I have also included an exploit sent to me by "M.C.Mar" <emsi@it.com.pl>. This exploit works against Xaw and neXtaw even WITH Solar Designer's non-executable stack patch applied. Check it out!
Exploit & full info: Available here

ID games backdoor in Quake
Description: ID Software blatantly put a backdoor in Quake 1/2 and QuakeWorld, including both the Linux and Solaris Quake 2. RCON commands sent from the subnet and containing the password "tms" are automatically executed on the server without being logged.
Author: Mark Zielinski <markz@repsec.com>
Compromise: root (remote)
Vulnerable Systems: Those running Quake 1, QuakeWorld, Quake 2, Quake 2 Linux and Quake 2 Solaris, all versions. Thus many Windows and UNIX boxes are affected.
Date: 1 May 1998
Notes: Quake was always a horrible security hole, but I never thought Id would stoop to introducing an intentional backdoor to allow them access to systems running Quake. I am surprised this didn't get more publicity.
Exploit & full info: Available here

Overflow in kppp -c option
Description: Standard overflow
Author: "|[TDP]|" <tdp@psynet.net>
Compromise: root (local)
Vulnerable Systems: Those running kppp version < 1.1.3 suid root. This comes with the KDE system (which is pretty neat -- www.kde.org) and runs on Solaris, Linux, IRIX, and HP/UX
Date: 29 April 1998
Notes: The hole was fixed a while prior to this posting so the (then) current version was not vulnerable.
Exploit & full info: Available here

Overflows in Solaris ufsdump and ufsrestore binaries
Description: Standard buffer overflow (in the device name passed as an argument)
Author: Seth McGann <smm@WPI.EDU>
Compromise: Get UID of tty (local)
Vulnerable Systems: Solaris 2.6/SPARC; opinions differed on whether 2.6/x86 is vulnerable.
Date: 23 April 1998
Exploit & full info: Available here

lprm Linux/BSD/Solaris Overflow
Description: The lprm program on some machines has a standard overflow in the name you feed it to remove a job from a remote printer
Author: Chris Evans <chris@FERRET.LMH.OX.AC.UK> posted this problem to BugTraq; it turns out that the OpenBSD folks (probably Theo De Raadt) fixed the problem in 1996.
Compromise: root (local)
Vulnerable Systems: RedHat Linux 4.2 and 5.0, Solaris 2.6. Some *BSD variants were vulnerable, but most fixed it 6 months to two years prior to this notice.
Date: 18 April 1998
Exploit & full info: Available here

MGE UPS serious security holes
Description: Standard security holes are plentiful in the MGE UPS software
Author: Ryan Murray <rmurray@PC-42839.BC.ROGERS.WAVE.CA>
Compromise: root (local)
Vulnerable Systems: Those running vulnerable versions of MGE UPS software. It apparently runs on Solaris, AIX, SCO, etc.
Date: 12 April 1998
Exploit & full info: Available here

Majordomo tmpfile bug
Description: Standard tmpfile problem
Author: Karl G - NOC Admin <ovrneith@tqgnet.com>
Compromise: Any user on a system running majordomo can append arbitrary data to any file owned by the majordomo account.
Vulnerable Systems: Those running majordomo. This runs on a ton of systems (Solaris, Linux, IRIX, etc.).
Date: 26 March 1998
Exploit & full info: Available here

Another MSIE 4.0 overflow
Description: Standard overflow; this one can almost certainly be exploited by a malicious page to run arbitrary code on a user's system.
Author: Georgi Guninski <guninski@hotmail.com>
Compromise: Run arbitrary code on the machines of Windows users connecting to your web page.
Vulnerable Systems: Windows 95/NT running MSIE 4.0. Perhaps even the Solaris version is vulnerable, though I've never seen anyone run it.
Date: 20 March 1998
Exploit & full info: Available here

Solaris 2.6 printd tmpfile problem
Description: Standard insecure tmpfile hole
Author: Silicosis <sili@l0pht.com>
Compromise: Unprivileged users can overwrite and create system files and print files they shouldn't be able to read.
Vulnerable Systems: Solaris 2.6
Date: 11 March 1998
Exploit & full info: Available here

updatedb on RedHat
Description: RedHat Linux updatedb/sort insecure tmpfiles
Author: viinikala <kala@DRAGON.CZ>
Compromise: Become user 'nobody' via updatedb (or root on a really old distro of RedHat) (local)
Vulnerable Systems: RedHat Linux (presumably 5.0) is very vulnerable due to updatedb calling sort regularly; many other systems (such as Solaris) have an insecure sort. Also FreeBSD 2.2.2 is apparently vulnerable to the same updatedb problem.
Date: 28 February 1998
Notes: Dave Goldsmith may have found this first, although I cannot currently access his website for more info.
Exploit & full info: Available here

Solaris /usr/dt/bin/dtappgather symlink problem
Description: Standard symlink problem allows arbitrary files to be chowned to the attacker's UID.
Author: Mastoras <mastoras@PAPARI.HACK.GR>
Compromise: root (local)
Vulnerable Systems: Solaris 2.5, 2.5.1 running CDE version 1.0.2 with suid /usr/dt/bin/dtappgather
Date: 23 February 1998
Exploit & full info: Available here

Exploit for the gcc tempfile issue
Description: gcc 2.7.2.x (and earlier as far as I know) creates temporary files in /tmp which will follow symlinks, allowing you to clobber the files of the person running gcc
Author: "Michał Zalewski" <lcamtuf@boss.staszic.waw.pl>
Compromise: Overwrite files owned by the user running gcc (possibly root)
Vulnerable Systems: Those running gcc 2.7.2.x; this includes most Linux and *BSD boxes. Many admins of Solaris boxes have also added gcc. This problem is finally fixed in gcc 2.8.0.
Date: 16 January 1998
Notes: This has been mentioned before on Bugtraq but this is the first actual exploit I've seen.
Exploit & full info: Available here

Sun ^D DOS attack
Description: By connecting to the telnet port of a Solaris 2.5.1 box, sending some bogus telnet negotiation option and then flooding the channel with ^D, you can (temporarily) slow the machine to a near halt.
Author: Jason Zapman II <zapman@CC.GATECH.EDU>
Compromise: Remote DOS attack
Vulnerable Systems: Solaris 2.5.1, 2.6
Date: 13 December 1997
Notes: I appended a better version after the first (the second forks extra processes to increase the flood). I also appended an NT port.
Exploit & full info: Available here

Solaris 2.5.1 automound hole
Description: Standard popen() hole
Compromise: root (local)
Vulnerable Systems: Solaris 2.5.1 without patch 10465[45] applied
Date: 26 November 1997
Exploit & full info: Available here

Solaris statd exploit
Description: Solaris 2.5.1 x86 remote overflow for statd. There is apparently an earlier patch which doesn't fix the problem.
Compromise: root (remote)
Vulnerable Systems: Solaris 2.5.1 x86 is what this exploit is written for. According to a later CERT advisory, vulnerable systems include Digital UNIX (4.0 through 4.0c), AIX 3.2 and 4.1, Solaris 2.5, 2.5.1 and SunOS 4.1.* for both x86 and SPARC
Date: 24 November 1997
Exploit & full info: Available here

Terminal hijacking via pppd
Description: pppd offers read/write access to any tty. This allows a man-in-the-middle attack for trojan terminals as well as other mischief. It also allows users to freely dial out with the modem (often not a good idea).
Author: David Neil <theoe@EUROPA.COM>
Compromise: Hijack terminals, dial arbitrary numbers with the modem, other mischief.
Vulnerable Systems: Those running pppd. Many Linux boxes, perhaps some BSD, Solaris.
Date: 15 November 1997
Exploit & full info: Available here

Overflow in suidperl 5.003
Description: Overflow (via sprintf()) in the mess() function in suidperl
Author: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Compromise: root (local)
Vulnerable Systems: Those running suid-perl 5.003; this includes many Linux, *BSD, Solaris and UNIX boxes in general.
Date: 13 November 1997
Exploit & full info: Available here

Security Dynamics FTP server core problem
Description: It is possible to cause this server to dump core while ftping in. The core file will clobber files and also contains crypt(3)ed passwords.
Author: sp00n <sp00n@COUPLER.300BAUD.COM>
Compromise: root (local)
Vulnerable Systems: Solaris 2.5 running Security Dynamics' FTP server (Version 2.2), perhaps other versions.
Date: 12 November 1997
Exploit & full info: Available here

Core bug in the Security Dynamics ftp server
Description: Typical core file bug
Author: sp00n <sp00n@COUPLER.300BAUD.COM>
Compromise: root (local)
Vulnerable Systems: Those running the Security Dynamics FTP server (Version 2.2). This is available at least for Solaris boxes.
Date: 12 November 1997
Exploit & full info: Available here

BRU (Backup and Recovery Utility) poor permissions
Description: This commercial UNIX backup program creates the /usr/local/lib/bru directory mode 777. This directory apparently contains sources. Enough said.
Author: Kyle Amon <amonk@GNUTEC.COM>
Compromise: root (local)
Vulnerable Systems: Any running a vulnerable version of BRU (there is a Linux version, probably also Solaris and other *NIX).
Date: 8 November 1997
Exploit & full info: Available here

Intel "f00f" Pentium bug
Description: A bug in the Intel Pentium (and Pentium + MMX) chips allows usermode processes to crash the system by executing the invalid instruction 0xf00fc7c8
Author: Sent through an anonymous remailer
Compromise: Users who can run code on the system can totally freeze the system
Vulnerable Systems: Those running on a Pentium, including versions of Linux, DOS, WinNT, Win95, Solaris x86, etc.
Date: 8 November 1997
Exploit & full info: Available here

ftp mget vulnerability
Description: If the nlist caused by an mget returns a file like /etc/passwd, most ftp clients seem to (try to) overwrite/create it without signaling anything wrong. You can also use files with names like "|sh" to execute arbitrary commands.
Author: I don't recall who found it first; in the appended post af@c4c.com gives an example of the bug using Linux Slackware
Compromise: ftp servers can compromise clients who use mget to d/l files
Vulnerable Systems: ftp clients on Linux, AIX, HP/UX, Solaris 2.6, and probably many other systems
Date: 3 November 1997 was when this example was posted (the bug was found a while back)
Exploit & full info: Available here

Kill syslogd remotely on Solaris boxes
Description: There is a problem where syslogd will crash if it can't do a DNS lookup on the source IP it gets the message from.
Compromise: Kill syslogd (I'm sure hackers would love to do that before launching a real attack)
Vulnerable Systems: Solaris 2.5, 2.5.1, both SPARC and x86
Date: 21 October 1997
Exploit & full info: Available here

SunOS rlogin overflow
Description: Apparently an overflow in parsing argv
Author: I have no clue; _PHANTOM_ <phantom@lhab-gw.soroscj.ro> sent it to me
Compromise: root (apparently) (local)
Vulnerable Systems: SunOS
Date: 8 September 1997
Notes: Someone confirmed to me that this works with Solaris 2.5.1 but not 2.6. Anyone care to try SunOS 4.x?
Exploit & full info: Available here

Check for existence of files on systems running mountd
Description: Some mountd implementations apparently give different error messages depending on whether the requested mountpoint exists or not.
Author: Peter <deviant@UNIXNET.ORG>
Compromise: Query for the existence of arbitrary files (by name). This could help determine security flaws present on a remote system.
Vulnerable Systems: Those running a vulnerable mountd. This includes at least some versions of AIX, Linux, *BSD, SunOS, Solaris, etc.
Date: 24 August 1997
Exploit & full info: Available here

Solaris dtlogin core vulnerability
Description: Dtlogin apparently explicitly sets its umask to 027, and when it dumps core it can leave both encrypted and UNENCRYPTED passwords of remote users available via 'strings'.
Author: Arve Kjoelen <akjoele@SIUE.EDU>
Compromise: Narf passwords from dtlogin /core
Vulnerable Systems: Solaris 2.5.1 CDE with vulnerable dtlogin.
Date: 24 July 1997
Exploit & full info: Available here

ld-linux.so.1.9.2 overflow
Description: Error handling code in ld.so has a buffer overflow problem. This exploit uses LD_PRELOAD to get by various problems with other methods.
Author: Was originally a KSR[T] Advisory (#2); exploit written by Dan McGuirk <mcguirk@INDIRECT.COM>
Compromise: root (local)
Vulnerable Systems: Linux boxes running ld-linux.so.1.9.2. Various people have suggested that the Solaris /usr/lib/libdl.so may have a similar vulnerability. If anyone has any info on this, please mail me.
Date: 19 July 1997
Notes: I've put another exploit in the addendum
Exploit & full info: Available here

Overflow in Solaris passwd (and yppasswd and nispasswd)
Description: Standard overflows
Author: Cristian SCHIPOR (skipo@SUNDY.CS.PUB.RO)
Compromise: root (local)
Vulnerable Systems: Solaris 2.X, including 2.4 and 2.5
Date: 12 July 1997
Notes: I somehow missed this in my collection; thanks to the fellow (who wishes to be anonymous) who reminded me of this beauty!
Exploit & full info: Available here

SunOS 4.x overflows! This example is for xterm
Description: Willy has created SunOS 4.x buffer overflow code, and gives the appended example, which overflows the X libraries.
Author: Willy TARREAU <tarreau@AEMIAIF.LIP6.FR>
Compromise: root (local)
Vulnerable Systems: SunOS 4.x for this particular exploit. Many other systems are vulnerable (see my other pages on the topic).
Date: 8 July 1997
Notes: This is in uuencoded form. Be sure to copy & paste, don't save as a file because it has html codez in it.
Exploit & full info: Available here

Solaris local ping DOS attack
Description: You can reboot Solaris boxes with ping -sv -i
Author: Adam Caldwell <adam@ATL.ENI.NET>
Compromise: Stupid DOS attack, plus you need to be a local user.
Vulnerable Systems: Apparently all versions of Solaris up to (but not including) 2.6
Date: 26 June 1997
Exploit & full info: Available here

Solaris root socket descriptor bug
Description: You can swipe control of a root-owned socket descriptor from user-owned inetd processes like rshd.
Author: Alan Cox (alan@LXORGUK.UKUU.ORG.UK)
Compromise: Control of a root-owned socket
Vulnerable Systems: Solaris 2.5.1, probably earlier versions. I hear that 2.6 is fixed. Sun doesn't seem interested in fixing this, for some reason.
Date: 19 June 1997 was the date of this post, although Alan has been complaining about the bug for ages.
Notes: You may have to change your interface to le0, hme0, or whatever to make it work.
Exploit & full info: Available here

Solaris rpcbind listens on undocumented high UDP port
Description: rpcbind for Solaris, which belongs on UDP port 111, is also found on a UDP port above 32770. Thus many packet filters aren't effective.
Author: Oliver Friedrichs <oliver@silence.secnet.com> (Secure Networks Inc.)
Compromise: Access rpcbind, even from sites that filter it at their firewall or packet filter.
Vulnerable Systems: Unpatched Solaris 2.X up to 2.5.1
Date: 4 June 1997
Notes: Apparently rpcbind also listens on high Solaris *TCP* ports sometimes. I've included a hacked rpcinfo client below the secnet advisory.
Exploit & full info: Available here

SunOS 4.1.4 crashes when (l)users read /dev/tcx0
Description: SPARCstations running 4.1.4 (probably other versions too) crash when users read /dev/tcx0 with something like 'cat'. Note that this is a VERY general problem. There are a lot of devices on many systems that will crash if you do weird things to them, especially cat'ing binary files to them. I am not going to write up a page on each.
Author: Dixon Ly <dly@BAYNETWORKS.COM> mentioned this particular problem.
Compromise: DOS attack, obviously annoy people. You could also do more devious things, taking down the machine so you can IP spoof "from" it without it sending those damn RSTs!
Vulnerable Systems: SPARC 5, 10, 20, etc. running SunOS 4.1.4, probably other versions.
Date: 19 May 1997
Exploit & full info: Available here

Data buffer overrun in Solaris 2.5.1, 2.5.0 in ps and chkey
Description: The Solaris ps (both /usr/bin and /usr/ucb) and chkey programs are insecure, and it is possible to exploit them via a rather complicated data buffer overrun. This overrun is probably present in many other programs.
Author: Joe Zbiciak <jzbiciak@DALDD.SC.TI.COM> wrote the ps exploit. Adam Morrison <adam@MATH.TAU.AC.IL> provided a lot of information and mentioned that chkey was also vulnerable. Adam also posted a cool stdio overflow program which will get its own entry.
Compromise: root (local)
Vulnerable Systems: Solaris 2.5.1, 2.5.0, possibly earlier versions.
Date: 19 May 1997
Notes: There were a bunch of interesting postings on this topic which help to exploit the vulnerability. I've included the best ones below.
Exploit & full info: Available here

Program for exploiting data overrun conditions
Description: This isn't an exploit per se (although, as mentioned in another entry, it works for chkey and ps). Now you can exploit these overruns when you find them yourself!
Author: adam@math.tau.ac.il (Adam Morrison); Joe Zbiciak <jzbiciak@DALDD.SC.TI.COM> also contributed a useful script for finding the proc_link value for an overflow.
Compromise: root (local)
Vulnerable Systems: This program works for Solaris on SPARC. Other OSes are vulnerable to similar overflows, although this program obviously won't work on them.
Date: 19 May 1997
Notes: I've included Adam Morrison's original post as well as Joe Zbiciak's supplementary script below.
Exploit & full info: Available here

Failure of Solaris and old BSD versions to honor the filesystem permissions of unix domain sockets
Description: Solaris (including SunOS) and old (4.3 and earlier) versions of BSD don't honor permissions on the filesystem representations of unix domain sockets. A lot of programmers might not realize that anyone can send data to their programs by writing to the "file".
Author: Thamer Al-Herbish <shadows@whitefang.com> posted this to bugtraq, but it was somewhat well known.
Compromise: Write malicious data to unsuspecting applications
Vulnerable Systems: Solaris 2.5 and earlier (not sure about 2.5.1). Version 2.6 will supposedly not be vulnerable.
Date: 17 May 1997
Exploit & full info: Available here

Solaris lp and lpsched symlink vulnerabilities
Description: A typical symlink-to-.rhosts exploit
Author: Chris Sheldon (csh@viewgraphics.com)
Compromise: root (local)
Vulnerable Systems: Solaris 2.5.1, possibly others
Date: 3 May 1997
Exploit & full info: Available here

Solaris /bin/fdformat overflow sploit
Description: Buffer overflow in find_media() in /bin/fdformat
Author: Cristian Schipor (skipo@Math.PUB.Ro)
Compromise: root (local)
Vulnerable Systems: Solaris 2.4, 2.5
Date: 23 March 1997
Exploit & full info: Available here

Solaris chkperm vulnerability
Description: Solaris 2.4's /usr/vmsys/bin/chkperm creates $VMSYS/.facerc in a laughably insecure fashion.
Author: Duncan Simpson <dps@IO.STARGATE.CO.UK>
Compromise: bin, which trivially leads to root (local)
Vulnerable Systems: Solaris 2.4, NOT 2.5 or 2.5.1; the author is apparently wrong about this.
Date: 5 December 1996
Exploit & full info: Available here

Solaris gethostbyname() exploit
Description: gcc 2.7.2.x (and earlier as far as I know) creates temporary files in /tmp which will follow symlinks and allows you to clobber the files of the person running gcc
Author: Jeremy Elson (jelson@helix.nih.gov)
Compromise: Overwrite files owned by the user running gcc (possibly root)
Vulnerable Systems: Solaris 2.5 and 2.5.1
Date: 18 November 1996
Notes: See addendum
Exploit & full info: Available here

Ping of Death
Description: Gazillions of machines can be crashed by sending IP packets that exceed the maximum legal length (65535 octets)
Author: The page included was created by Malachi Kenney. The programs have attribution.
Compromise: Stupid DOS
Vulnerable Systems: I have heard that NT and 95 can actually lock up hard from the programs below. Also, early 2.0.x Linux, Solaris x86, and Macintosh systems are often vulnerable.
Date: 21 October 1996 was when this page came up.
Notes: The Ping O' Death page is included first, then comes BSD source code, then comes a version of the above which is modified to compile on Linux 2.X. I also appended jolt.c, which IP spoofs too. Woop!
Exploit & full info: Available here

Solaris /usr/bin/solstice bug
Description: /usr/bin/solstice is setgid bin and gives this privilege away freely.
Author: Unknown (it was known before the attached post)
Compromise: group bin, which leads quickly to root (local)
Vulnerable Systems: Systems with vulnerable /usr/bin/solstice (Solaris 2.5, 2.5.1)
Date: 18 October 1996 (known prior to this)
Notes: See addendum.
Exploit & full info: Available here

Solaris (and others) ftpd core dump bug
Description: Solaris ftpd (as well as others) can be made to core dump and divulge shadowed passwords
Compromise: Can obtain the crypt()ed root password
Vulnerable Systems: Solaris (at least 2.5) and others including wu.ftpd. If the enclosed doesn't work, try killing the process yourself.
Date: 15 October 1996
Notes: See addendum
Exploit & full info: Available here

setgid core dumping vulnerability in Solaris 2.4
Description: Solaris 2.4 prior to kernel jumbo patch 35 in many circumstances allows setgid programs to dump core, which is especially bad since Solaris has WAY too many group-writable files.
Author: Jungseok Roh <beren@cosmos.kaist.ac.kr>
Compromise: It is easy to overwrite files writeable by group bin, which leads quickly to root access (local)
Vulnerable Systems: Solaris 2.4 prior to kernel jumbo patch -35
Date: 3 August 1996
Exploit & full info: Available here

Solaris admintool and /usr/openwin/bin/kcms_* tmpfile vulnerabilities
Description: Standard insecure tempfile creation, symlink to /.rhosts exploit
Author: Jungseok Roh (beren@cosmos.kaist.ac.kr) posted the kcms_* stuff; Leif Hedstrom (leif@netscape.com) posted that admintool had the same problem.
Compromise: root (local)
Vulnerable Systems: Solaris 2.5.[01]
Date: 26 July 1996
Exploit & full info: Available here

Rdist buffer overrun (BSD code)
Description: Another vulnerability in rdist, standard buffer overflow
Author: Found in [8lgm]-Advisory-26.UNIX.rdist.20-3-1996; *BSD exploit written by Brian Mitchell (brian@saturn.net)
Compromise: root (local)
Vulnerable Systems: Solaris 2.x, SunOS 4.*, some *BSD systems. The included exploit is only for *BSD.
Date: 10 July 1996
Exploit & full info: Available here

Solaris /bin/eject buffer overflow
Description: Solaris /bin/eject takes a device name (floppy, etc.) for argv[2] which can be overflowed via standard techniques.
Author: Cristian SCHIPOR (skipo@SUNDY.CS.PUB.RO)
Compromise: root (local)
Vulnerable Systems: Unpatched Solaris 2.4, 2.5
Date: 13 March 1996
Exploit & full info: Available here

Solaris 2.5.1 sdtcm_convert hole
Description: sdtcm_convert is kind enough to watch the permissions of your calendar file and if you change them it will change them back ... even following symlinks ;)
Author: Cristian SCHIPOR (skipo@SUNDY.CS.PUB.RO)
Compromise: root (local)
Vulnerable Systems: Solaris at least 2.5.1
Date: 22 February 1996
Exploit & full info: Available here

Insecure Solaris default nissetup password table permissions!
Description: The nissetup.sh program for setting up NIS+ databases leaves insecure permissions on the password table. This allows you to, for example, use nistbladm to change your UID!
Author: Well known
Compromise: root (local)
Vulnerable Systems: Unpatched Solaris 2.5.1 systems (possibly earlier versions of Solaris).
Date: 10 February 1996
Notes: Here is an anonymous posting reminding us of the problem. Also, Casper Dik (casper@HOLLAND.SUN.COM) mentioned that just installing the Solaris patch doesn't fix the problem. You need to manually reset the bad permissions. How many people do you think forgot to do that?
Exploit & full info: Available here

Telnetd environment variable passing problem
Description: A "feature" of most telnetd programs is that they will pass environment variables (like TERM, DISPLAY, etc.) for you. Unfortunately this can be a problem if someone passes LD_PRELOAD and causes /bin/login to load trojan libraries!
Author: Well known; squidge (squidge@onyx.infonexus.com) wrote this, but I doubt you can reach him. Isn't he in jail now?
Compromise: root REMOTELY!
Vulnerable Systems: Older Linux boxes, I think SunOS systems, probably others.
Date: January 1996 maybe? Quite old but lives forever like phf.
Notes: Appended is a uuencoded version of squidge's telnetd_ex.tar.gz
Exploit & full info: Available here

This page Copyright © Fyodor 1996, 1997, 1998