Thursday, February 19, 2009

What's Old is New Again

What do you call a 14+ year old vulnerability? Sloppy, ridiculous? Not sure....

FreeBSD was just hit by essentially the same bug that was present in a large number of Unix variants back in 1995.

The original vulnerability is here:

CERT® Advisory CA-1995-14 Telnetd Environment Vulnerability

The vulnerability allows a remote user to specify Unix environment variables to the the target system. If they override an environment variable such as LD_LIBRARY_PATH or LD_PRELOAD then they can override the behavior of programs that telnetd calls, such as /bin/login.

Looks like the FreeBSD guys just had a recurrence of almost exactly the same vuln.... Interesting to say the least.


No comments: