A series of new problems in telnetd allows root privileges to be obtained on the system.

Following the discovery at the end of January of a vulnerability that allowed root connections without password verification, several more privilege escalation methods have been found in the telnetd server from the GNU InetUtils suite. They stem from an incomplete fix for a vulnerability from 1999 (CVE-1999-0073).

The vulnerability is caused by telnetd's ability to pass environment variables to the server through the ENVIRON option. These environment variables are set and processed within the context of the telnetd process and are passed on to the child processes it starts, including the /bin/login process, which is started with root privileges. Vulnerability CVE-1999-0073 allowed a telnet client to pass the LD_LIBRARY_PATH environment variable, which, when set, causes a user-specified shared library to be loaded when the login process starts. Given the ability to upload files to a system that supports telnet connections, an attacker could upload a specially crafted library and cause it to be loaded with root privileges.

In telnetd from the GNU InetUtils suite, the vulnerability was fixed by disabling dangerous environment variables through filtering with the masks "LD_", "LIBPATH", "ENV", "IFS", and "_RLD_". However, the "CREDENTIALS_DIRECTORY" environment variable, which is processed when /usr/bin/login starts, was not blocked. Using this environment variable, a user can change the directory that contains credentials and place a login.noauth file with the value "yes" in the new directory, which allows login without a password (similar to passing the "-f" flag to the login process). This setting applies to all users, including root.

The attack involves an unprivileged user creating a subdirectory in their home directory, uploading a login.noauth file to it, and then attempting to log in while setting the environment variable "CREDENTIALS_DIRECTORY=created directory" and passing the environment variable "USER=root" (Telnet has an automatic connection mode in which the username is not taken from the command line but is instead passed through the "USER" environment variable).

Another way to gain root access through telnetd has also been found. It involves manipulating the OUTPUT_CHARSET and LANGUAGE environment variables, which are processed by the GNU gettext library, together with the GCONV_PATH environment variable used in glibc. By setting the OUTPUT_CHARSET and LANGUAGE environment variables, an attacker can trigger the character-encoding conversion function in gettext, which calls the iconv_open() function. When iconv_open() loads the gconv-modules configuration file, the path is computed using the GCONV_PATH environment variable. By substituting their own gconv-modules file, it is possible to load a custom shared library while the login process outputs a localized string.

CVE identifiers have not yet been assigned to the identified problems. The proposed mitigation is to use a whitelist of accepted values ("TERM", "DISPLAY", "USER", "LOGNAME", and "POSIXLY_CORRECT") while blocking all other environment variables, in the same way that OpenSSH handles environment variables. The problems have been confirmed in the GNU InetUtils package, whose telnetd server is the one shipped by Debian, Ubuntu, and their derivatives. A fix for GNU InetUtils is not yet available. Rocky Linux 9 ships a modified telnetd that is not vulnerable and uses a whitelist check instead of filtering dangerous environment variables. Whitelist filtering is also used in telnetd on FreeBSD. Telnetd was removed from OpenBSD in 2005.
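The difference between the mask-based filter and the proposed whitelist can be seen by running both over the same set of client-supplied variables. The following is an added example, not code from GNU InetUtils or from the article; it assumes the masks are matched as name prefixes, and the sample entries and their values are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>

/* Deny masks named in the article; prefix matching is an assumption. */
static const char *const deny_masks[] = { "LD_", "LIBPATH", "ENV", "IFS", "_RLD_" };
/* Whitelist proposed in the article; names must match exactly. */
static const char *const allow_names[] = { "TERM", "DISPLAY", "USER", "LOGNAME", "POSIXLY_CORRECT" };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Denylist: pass every "NAME=VALUE" entry that does not start with a known-bad mask. */
int denylist_allows(const char *entry) {
    for (size_t i = 0; i < COUNT(deny_masks); i++)
        if (strncmp(entry, deny_masks[i], strlen(deny_masks[i])) == 0)
            return 0;
    return 1;
}

/* Whitelist: pass only entries whose NAME part is explicitly listed. */
int allowlist_allows(const char *entry) {
    size_t n = strcspn(entry, "=");   /* length of NAME; whole string if no '=' */
    for (size_t i = 0; i < COUNT(allow_names); i++)
        if (strlen(allow_names[i]) == n && strncmp(entry, allow_names[i], n) == 0)
            return 1;
    return 0;
}

/* Count entries the denylist lets through but the whitelist drops. */
int count_denylist_gaps(const char *const *env, size_t n) {
    int gaps = 0;
    for (size_t i = 0; i < n; i++)
        if (denylist_allows(env[i]) && !allowlist_allows(env[i]))
            gaps++;
    return gaps;
}

/* Constructed sample of client-supplied variables (values are placeholders). */
static const char *const sample_env[] = {
    "TERM=xterm", "USER=alice", "LD_LIBRARY_PATH=/placeholder",
    "CREDENTIALS_DIRECTORY=/placeholder", "GCONV_PATH=/placeholder",
    "OUTPUT_CHARSET=placeholder", "LANGUAGE=placeholder", "TERMCAP=placeholder",
};

int main(void) {
    for (size_t i = 0; i < COUNT(sample_env); i++)
        printf("%-36s denylist=%-4s whitelist=%s\n", sample_env[i],
               denylist_allows(sample_env[i]) ? "pass" : "drop",
               allowlist_allows(sample_env[i]) ? "pass" : "drop");
    printf("denylist gaps: %d\n", count_denylist_gaps(sample_env, COUNT(sample_env)));
    return 0;
}
```

The TERMCAP entry is included to show why the whitelist compares whole names: a prefix comparison against "TERM" would let it through.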

Source: opennet.ru
