From 4a0834a5a227860ff18a2509db1d06099022bcd7 Mon Sep 17 00:00:00 2001 From: Paul Traina Date: Thu, 20 Jul 1995 12:35:01 +0000 Subject: [PATCH] When hostname len > 8, name replaced with dot notation when -u flag not specified (default case). Use _PATH_* for utmp/wtmp. Support for >32 PTYs. >Submitted by: Heikki Suonsivu Plug already known security hole. (Brought over from 1.1.5): Fixed security problem with telnetd, which allowed telnet -l -hcert.org localhost to change the user's host in utmp. Thanks to Matthew Green for showing me this one. >Reviewed by: karl, guido >Submitted by: mrgreen@mame.mu.oz.au Obtained from: FreeBSD insecure telnetd --- eBones/libexec/telnetd/sys_term.c | 26 +++++++++++++++++++------- secure/libexec/telnetd/sys_term.c | 26 +++++++++++++++++++------- 2 files changed, 38 insertions(+), 14 deletions(-) diff --git a/eBones/libexec/telnetd/sys_term.c b/eBones/libexec/telnetd/sys_term.c index b699a64f0399..de577eda083b 100644 --- a/eBones/libexec/telnetd/sys_term.c +++ b/eBones/libexec/telnetd/sys_term.c @@ -46,9 +46,9 @@ static char sccsid[] = "@(#)sys_term.c 8.4 (Berkeley) 5/30/95"; # define PARENT_DOES_UTMP #endif +int utmp_len = MAXHOSTNAMELEN; #ifdef NEWINIT #include -int utmp_len = MAXHOSTNAMELEN; /* sizeof(init_request.host) */ #else /* NEWINIT*/ # ifdef UTMPX # include @@ -58,10 +58,17 @@ struct utmpx wtmp; struct utmp wtmp; # endif /* UTMPX */ -int utmp_len = sizeof(wtmp.ut_host); # ifndef PARENT_DOES_UTMP +#ifdef _PATH_WTMP +char wtmpf[] = _PATH_WTMP; +#else char wtmpf[] = "/usr/adm/wtmp"; +#endif +#ifdef _PATH_UTMP +char utmpf[] = _PATH_UTMP; +#else char utmpf[] = "/etc/utmp"; +#endif # else /* PARENT_DOES_UTMP */ char wtmpf[] = "/etc/wtmp"; # endif /* PARENT_DOES_UTMP */ @@ -504,7 +511,7 @@ int *ptynum; p2 = &line[14]; #endif - for (cp = "pqrstuvwxyzPQRST"; *cp; cp++) { + for (cp = "pqrsPQRS"; *cp; cp++) { struct stat stb; *p1 = *cp; @@ -516,8 +523,8 @@ int *ptynum; */ if (stat(line, &stb) < 0) break; - for (i = 0; i < 16; i++) { - *p2 = "0123456789abcdef"[i]; + for (i = 0; i < 32; i++) { + *p2 = "0123456789abcdefghijklmnopqrstuv"[i]; p = open(line, 2); if (p > 0) { #ifndef __hpux @@ -1544,7 +1551,7 @@ start_login(host, autologin, name) { register char *cp; register char **argv; - char **addarg(); + char **addarg(), *user; extern char *getenv(); #ifdef UTMPX register int pid = getpid(); @@ -1727,7 +1734,12 @@ start_login(host, autologin, name) # endif } else #endif - if (getenv("USER")) { + if (user = getenv("USER")) { + if (strchr(user, '-')) { + syslog(LOG_ERR, "tried to pass user \"%s\" to login", + user); + fatal(net, "invalid user"); + } argv = addarg(argv, getenv("USER")); #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P) { diff --git a/secure/libexec/telnetd/sys_term.c b/secure/libexec/telnetd/sys_term.c index b699a64f0399..de577eda083b 100644 --- a/secure/libexec/telnetd/sys_term.c +++ b/secure/libexec/telnetd/sys_term.c @@ -46,9 +46,9 @@ static char sccsid[] = "@(#)sys_term.c 8.4 (Berkeley) 5/30/95"; # define PARENT_DOES_UTMP #endif +int utmp_len = MAXHOSTNAMELEN; #ifdef NEWINIT #include -int utmp_len = MAXHOSTNAMELEN; /* sizeof(init_request.host) */ #else /* NEWINIT*/ # ifdef UTMPX # include @@ -58,10 +58,17 @@ struct utmpx wtmp; struct utmp wtmp; # endif /* UTMPX */ -int utmp_len = sizeof(wtmp.ut_host); # ifndef PARENT_DOES_UTMP +#ifdef _PATH_WTMP +char wtmpf[] = _PATH_WTMP; +#else char wtmpf[] = "/usr/adm/wtmp"; +#endif +#ifdef _PATH_UTMP +char utmpf[] = _PATH_UTMP; +#else char utmpf[] = "/etc/utmp"; +#endif # else /* PARENT_DOES_UTMP */ char wtmpf[] = "/etc/wtmp"; # endif /* PARENT_DOES_UTMP */ @@ -504,7 +511,7 @@ int *ptynum; p2 = &line[14]; #endif - for (cp = "pqrstuvwxyzPQRST"; *cp; cp++) { + for (cp = "pqrsPQRS"; *cp; cp++) { struct stat stb; *p1 = *cp; @@ -516,8 +523,8 @@ int *ptynum; */ if (stat(line, &stb) < 0) break; - for (i = 0; i < 16; i++) { - *p2 = "0123456789abcdef"[i]; + for (i = 0; i < 32; i++) { + *p2 = "0123456789abcdefghijklmnopqrstuv"[i]; p = open(line, 2); if (p > 0) { #ifndef __hpux @@ -1544,7 +1551,7 @@ start_login(host, autologin, name) { register char *cp; register char **argv; - char **addarg(); + char **addarg(), *user; extern char *getenv(); #ifdef UTMPX register int pid = getpid(); @@ -1727,7 +1734,12 @@ start_login(host, autologin, name) # endif } else #endif - if (getenv("USER")) { + if (user = getenv("USER")) { + if (strchr(user, '-')) { + syslog(LOG_ERR, "tried to pass user \"%s\" to login", + user); + fatal(net, "invalid user"); + } argv = addarg(argv, getenv("USER")); #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P) {