What do you call a 14+ year old vulnerability? Sloppy, ridiculous? Not sure....
FreeBSD was just hit by essentially the same bug that was present in a large number of Unix variants back in 1995.
The original vulnerability is here:
CERT® Advisory CA-1995-14 Telnetd Environment Vulnerability
The vulnerability allows a remote user to specify Unix environment variables to the the target system. If they override an environment variable such as LD_LIBRARY_PATH or LD_PRELOAD then they can override the behavior of programs that telnetd calls, such as /bin/login.
Looks like the FreeBSD guys just had a recurrence of almost exactly the same vuln.... Interesting to say the least.
FreeBSD-SA-09:05.telnetd
No comments:
Post a Comment