authorTom Yu <tlyu@mit.edu>2007-04-03 21:27:25 +0000
committerTom Yu <tlyu@mit.edu>2007-04-03 21:27:25 +0000
commitcd1c8b8a1a9bfd77eae9fbf29bd3273695019125 (patch)
treec2f7273017dc9d9405e5920dda61615913d2f3c9 /src/appl
parentf7f39b9dda8998390da542fb9bbc2be563c8a557 (diff)
MITKRB5-SA-2007-001: telnetd allows login as arbitrary user
Fix MITKRB5-SA-2007-001: * src/appl/telnet/telnetd/sys_term.c (start_login): Add "--" argument preceding username, in addition to the original patch. Explicitly check for leading hyphen in username. * src/appl/telnet/telnetd/state.c (envvarok): Check for leading hyphen in environment variables. On advice from Shawn Emery, not using strchr() as in the original patch. ticket: new tags: pullup target_version: 1.6.1 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19396 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/appl')
-rw-r--r--src/appl/telnet/telnetd/state.c3
-rw-r--r--src/appl/telnet/telnetd/sys_term.c25
2 files changed, 26 insertions, 2 deletions
diff --git a/src/appl/telnet/telnetd/state.c b/src/appl/telnet/telnetd/state.c
index e08c5bb..4693fc9 100644
--- a/src/appl/telnet/telnetd/state.c
+++ b/src/appl/telnet/telnetd/state.c
@@ -1665,7 +1665,8 @@ static int envvarok(varp)
strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
strcmp(varp, "NLSPATH") && /* locale stuff */
strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
- strcmp(varp, "IFS")) {
+ strcmp(varp, "IFS") &&
+ (varp[0] != '-')) {
return 1;
} else {
syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
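Review bot: The new `(varp[0] != '-')` clause carries no comment, and unlike the neighbouring terms it is not tied to a named variable, so the reason for it is not obvious from envvarok alone. A comment on that line such as `/* name would look like an option if passed as a login argument */` would record it; the sys_term.c part of this commit shows environ entries being appended to login's argv under `LOGIN_ARGS && NO_LOGIN_P`. The start of envvarok and of this condition lies outside the hunk.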
diff --git a/src/appl/telnet/telnetd/sys_term.c b/src/appl/telnet/telnetd/sys_term.c
index bfd1f81..d78c2e8 100644
--- a/src/appl/telnet/telnetd/sys_term.c
+++ b/src/appl/telnet/telnetd/sys_term.c
@@ -1287,12 +1287,25 @@ start_login(host, autologin, name)
#endif
#if defined (AUTHENTICATION)
if (auth_level >= 0 && autologin == AUTH_VALID) {
+ if (name[0] == '-') {
+ /*
+ * Authenticated and authorized to log in to an
+ * account starting with '-'? Even if that
+ * unlikely case comes to pass, the current login
+ * program will not parse the resulting command
+ * line properly.
+ */
+ syslog(LOG_ERR, "user name cannot start with '-'");
+ fatal(net, "user name cannot start with '-'");
+ exit(1);
+ }
# if !defined(NO_LOGIN_F)
#if defined(LOGIN_CAP_F)
argv = addarg(argv, "-F");
#else
argv = addarg(argv, "-f");
#endif
+ argv = addarg(argv, "--");
argv = addarg(argv, name);
# else
# if defined(LOGIN_R)
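Review bot: The `syslog(LOG_ERR, "user name cannot start with '-'")` call in the new rejection branch records neither the peer nor any other context, so a log entry for the condition this advisory is about cannot be tied to a source; the USER branch in the next hunk has the same line. If `host` (the first parameter of start_login, whose declaration is outside the hunk) is the peer name string, something like `syslog(LOG_ERR, "user name cannot start with '-' (from %s)", host);` would make the event usable for detection and triage. The check itself sits ahead of the `NO_LOGIN_F` / `LOGIN_R` conditionals, so it appears to cover every sub-branch that later appends `name`. start_login begins and ends outside this hunk.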
@@ -1371,17 +1384,27 @@ start_login(host, autologin, name)
pty = xpty;
}
# else
+ argv = addarg(argv, "--");
argv = addarg(argv, name);
# endif
# endif
} else
#endif
if (getenv("USER")) {
- argv = addarg(argv, getenv("USER"));
+ char *user = getenv("USER");
+ if (user[0] == '-') {
+ /* "telnet -l-x ..." */
+ syslog(LOG_ERR, "user name cannot start with '-'");
+ fatal(net, "user name cannot start with '-'");
+ exit(1);
+ }
+ argv = addarg(argv, "--");
+ argv = addarg(argv, user);
#if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
{
register char **cpp;
for (cpp = environ; *cpp; cpp++)
+ if ((*cpp)[0] != '-')
argv = addarg(argv, *cpp);
}
#endif
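Review bot: The added `if ((*cpp)[0] != '-')` inside the `for` over `environ` skips matching entries without any log line, while envvarok in state.c and the user-name rejections in this file all call syslog, so a dropped entry is invisible to whoever reads the logs. The loop is also left as an unbraced `for` / `if` / statement nest; bracing it, e.g. `for (cpp = environ; *cpp; cpp++) { if ((*cpp)[0] == '-') continue; argv = addarg(argv, *cpp); }`, makes the scope of the filter explicit. A short comment saying that these entries become login arguments, which is why a leading '-' matters here, would help as well. The enclosing function continues outside the hunk.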