Shostack + Friends Blog Archive


Department of pre-blogging, II

A bit of background.
Sun recently got hit with a 0-day that was 13 years in the making, by seemingly repeating a coding worst practice that bit AIX back in 1994 — trusting environment variables [link to https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/guidelines/341.html no longer works] under the control of an attacker. A slightly more complex variant bit Solaris’ telnetd in 1995.
From the advisory (NSFW) at http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf, as sent to me in an email:

/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c
3198
3199 } else /* default, no auth. info available, login does it all */ {
3200           (void) execl(LOGIN_PROGRAM, "login",
3201                         "-p", "-h", host, "-d", slavename,
3202                         getenv("USER"), 0);
3203 }
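
As an added illustration (not from the advisory, and not Sun's fix), here is the quoted execl() rewritten so that the attacker-influenced USER value is checked before it ever reaches login and can only land in the final argv slot, after every fixed flag. The validation rule, the host/slavename parameters and the "/bin/login" path are assumptions made for this example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Accept USER only as a plain POSIX portable login name: non-empty, <= 32
 * bytes, no leading '-' (login would read it as an option), chars [A-Za-z0-9._-]. */
int valid_login_name(const char *user)
{
    if (user == NULL || *user == '\0' || *user == '-')
        return 0;
    size_t n = strlen(user);
    if (n > 32)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Assemble login's argv. Unset USER is omitted (login prompts); a set but
 * malformed USER is refused with -1. The untrusted value can only occupy the
 * final slot, after every fixed flag. Returns the argc before the NULL. */
int build_login_argv(const char *host, const char *slavename,
                     const char *user, const char *argv[8])
{
    if (user != NULL && !valid_login_name(user))
        return -1;
    int i = 0;
    argv[i++] = "login"; argv[i++] = "-p";
    argv[i++] = "-h"; argv[i++] = host;
    argv[i++] = "-d"; argv[i++] = slavename;
    if (user != NULL)
        argv[i++] = user;
    argv[i] = NULL;
    return i;
}

/* Hardened counterpart of the quoted execl(): validate first and refuse to
 * exec login at all rather than pass through an unchecked environment value.
 * Returns -1 on rejection or on exec failure. */
int spawn_login(const char *host, const char *slavename)
{
    const char *argv[8];
    if (build_login_argv(host, slavename, getenv("USER"), argv) < 0)
        return -1;
    execv("/bin/login", (char *const *)argv);  /* assumed login path */
    return -1;
}
```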

Anyway, to save you valuable time, the pre-blogging department at EC has prepared a short summary of some posts you will see elsewhere on this topic.
“This proves open source is less secure than closed source”
This vulnerability is so Old Skool, it could have lain dormant like some sort of unexpressed genetic flaw. By making source available, Sun provided a road map to their own weakest link. You can hear the chortling in Redmond already.
“This proves the value of open source”
Low-hanging fruit like this is ripe for the picking. By harnessing the people power of a million eyeballs, cruft like this will be much more quickly eliminated. For all we know, Vista’s telnet service is even worse.
“Don’t they teach these kids to write half-decent code???”
[This one will be found in a blog containing a “Created with vi” emblem in the corner, and embedded RCS keywords showing its last mod time.]
(Note: The pre-blogging department accepts no responsibility for metaphors mixed in the provision of this valuable service. YMMV. Do not taunt happy fun ball.)
