Telnetd Vulnerability

INTRODUCTION: Gday. This tar file contains a number of files that will allow you to get root access to between 40% to 70% of all Unix machines.
telnetd_exploit.tar.gz



It does this by exploiting a hole/feature in telnetd where environment

variables are passed from the calling telnet client, to the recieving telnet

daemon. These are normal env variables, such as TERM and TZ. However, there

are a few which affect the runtime linker/loader (ld.so). These variables

affect how ld.so finds and uses shared libraries.



EXPLANATION:

Most programs are written and compiled and only contain code the author has

written. Standard functions such as printf and strncpy are stored in runtime

libraries. When the program is initiated, a runtime linker adds in these

little bits of code. The main benefit is that lots of work is saved. An

author doesn't need to re-write printf every program he writes. These

libraries of pre-written functions are called shared object libraries. When

a program is written to use these, that program is called a dynamically

linked program. That is it will dynamically load functions as and when it

need them.



We can exploit this hole in ld.so by specifying our own library functions.

In fact, this code replaces two standard C library functions, openlog and

getpass.



getpass is used when a program wants a password to be entered, without

echoing to the display. openlog was added because some systems have a

different way of initiating logins.



The main crux is that both of these functions are executed when login (which

is called when telnetd finds an incoming connection) is running as root. Any

code which is executed then will be executed as root. My two trojan

functions simply execute /bin/sh as uid 0.



getpass is used in a normal /bin/login and is called after you enter your

login name. Some systems that use shadow passwording will find (if you

examine the source) that getpass isn't used. To circumvent this, we add

openlog which, if a site is shadowed is probably going to be compiled in.

This is the default with the shadow setups I've seen.



METHOD:



Method One (If you have an account on the machine you want root on. Try this

	    first.)



(1) gunzip and untar the source into a directory, eg /home/squidge/lib_hack

(2) compile the programs by typing make all

(3) wait

(4) you will have a file /tmp/.libroot.so

(5) type telnet

(6) at the telnet> prompt, type env def LD_PRELOAD /tmp/.libroot.so

    This tells telnet to pass the environment variable LD_PRELOAD to the

    target machine. LD_PRELOAD points to our trojan library.

(7) type open localhost

(8) If you don't get a prompt bash#, but get login: type something like test

    You should now be greeted with bash#. Type id and see you are root.

    Note that telnetd will time you out, so make some attempt at a backdoor.



Method Two (If you have no account on the target machine)



(1) as above

(2) as above, if you are running the same hardware as the target. If you are

    on different processors, try compiling on a different machine. If you

    know what you are doing, try changing the target architecture used by 

    gcc and ld. it is the -m flag with ld.

(3) assuming you have the correct binary, open an ftp connection to the

    target

(4) using bin mode, upload your trojan library to the targets incoming

    directory.

(5) switch back to your machine, start telnet and specify the path of the

    targets ftp directory as your LD_PRELOAD. On linux this is normally

    /home/ftp/incoming. On others generally /var/ftp/incoming or

    /etc/ftp/incoming.

(6) as number 8 above.



If you opt for method 2, you will need a pretty good idea of what is going

on. It is not for the fainthearted. If demand is high, I may release a new

set of .o files for different architectures. There should be no need. I can

compile for Sun(SPARC), M68 and x86 on my linux box. So can you.



HOW TO PROTECT:

There are a few ways. If you have a statically linked login, then you are

safe. setuid programs ignore LD_PRELOAD so one you have logged in, you

cannot subvert the system.



You can patch telnetd to wipe all but a few env variables. There are many

widely pieces of available code to demonstrate this.



FINALLY:



Thats all I can think of. If you have any questions, email

                         [email protected]

                            (The Guild homesite)