FreeBSD telnetd sys_term.c Environment Variable Handling Privilege Escalation (FreeBSD-SA-09:05)

high Nessus Plugin ID 35700

Synopsis

The remote telnet server is vulnerable to a code execution attack.

Description

The environment-handling code used by the telnet server running on the remote host fails to scrub variables such as 'LD_PRELOAD' from the environment before calling the login program. An attacker who can place an arbitrary library on the remote host, either as a local user or remotely through some other means, can leverage this issue to execute arbitrary code with the privileges under which the service runs, typically 'root'.

Solution

Patch or upgrade the affected system as described in the project's advisory (FreeBSD-SA-09:05).

See Also

https://www.freebsd.org/security/advisories/FreeBSD-SA-09:05.telnetd.asc

https://seclists.org/bugtraq/2009/Feb/150

Plugin Details

Severity: High

ID: 35700

File Name: freebsd_telnetd_code_exec.nasl

Version: 1.19

Type: remote

Published: 2/17/2009

Updated: 6/12/2020

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Exploitable With

Core Impact

Reference Information

CVE: CVE-2009-0641

BID: 33777

CWE: 16, 264