Short Name |
TELNET:EXPLOIT:SGI-RLD |
---|---|
Severity |
Critical |
Recommended |
No |
Recommended Action |
Drop |
Category |
TELNET |
Keywords |
Exploit SGI _RLD |
Release Date |
2003/04/22 |
Update Number |
1213 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |
This signature detects attempts to exploit known runtime linker vulnerability in TELNET on systems running Silicon Graphics IRIX. Attackers can place a shared object library containing executable code on the system, set this library as a _RLD environment variable, and open a TELNET connection with the target host. When TELNET executes the /bin/login during user authentication, the dynamic linker loads the library listed in the _RLD, thus bypassing normal system libraries and allowing the attacker to execute code as root.
A vulnerability existed in a number of in.telnetd's, that when coupled with dynamic linking introduced a very serious vulnerability. Telnet supports the passing of environment variables from a remote host. On vulnerable systems, an attacker would place a shared object containing code they are sure will be run, for instance, the crypt() function on the system. This could be via ftp, nfs, or any other method for getting a file on the system. They would then set this library to be part of their LD_PRELOAD enviroment variable. Upon telneting into the machine, when telnet exec'd /bin/login to authenticate the user, the system dynamic linker would load the library listed in the preload, which would override the normal library call. This in turn could allow a user to execute code as root.