CVE-2009-0641
Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
sys_term.c in telnetd in FreeBSD 7.0-RELEASE and other 7.x versions deletes dangerous environment variables with a method that was valid only in older FreeBSD distributions, which might allow remote attackers to execute arbitrary code by passing a crafted environment variable from a telnet client, as demonstrated by an LD_PRELOAD value that references a malicious library.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Category : Configuration Weaknesses in this category are typically introduced during the configuration of the software. |
||
| Category : Permissions, Privileges, and Access Controls Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 8055
Publication date : 2009-02-15 23h00 +00:00
Author : kingcope
EDB Verified : Yes
FreeBSD (7.0-RELEASE) telnet daemon local privilege escalation -
And possible remote root code excution.
There is a rather big bug in the current FreeBSD telnetd daemon.
The environment is not properly sanitized when execution /bin/login,
what leads to a (possible) remote root hole.
The telnet protocol allows to pass environment variables inside the
telnet traffic and assign them to the other side of the tcp connection.
The telnet daemon of FreeBSD does not check for LD_* (like LD_PRELOAD)
environment variables prior to executing /bin/login.
So passing an environment variable with the identifier LD_PRELOAD and
the value of a precompiled library that is on the filesystem of the
victims box that includes malicious code is possible.
When /bin/login is executed with the user id and group id 0 ('root') it preloads
the library that was set by remote connection through a telnet environment
definition and executes it.
It is unlikely that this bug can be exploited remotely but is not impossible.
An attacker could f.e. upload a malicious library using ftp (including anonymous
ftp users), nfs, smb or any other (file) transfer protocol.
One scenario to exploit the bug remotely would be a ftp server running beside
the telnet daemon serving also anoynmous users with write access. Then the
attacker would upload the malicious library and defines the LD_PRELOAD
Products Mentioned
Configuraton 0
Freebsd>>Freebsd >> Version 7.0
- Freebsd>>Freebsd >> Version 7.0 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.0 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.0 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.0 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.0 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.0 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.0 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.0 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.0 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.0 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.0 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.0 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.0 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.0 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.0 (Open CPE detail)
Freebsd>>Freebsd >> Version 7.0
Freebsd>>Freebsd >> Version 7.0
Freebsd>>Freebsd >> Version 7.0-release
Freebsd>>Freebsd >> Version 7.0_beta4
Freebsd>>Freebsd >> Version 7.0_releng
Freebsd>>Freebsd >> Version 7.1
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
Freebsd>>Freebsd >> Version 7.1
- Freebsd>>Freebsd >> Version 7.1 (Open CPE detail)
References
http://security.freebsd.org/advisories/FreeBSD-SA-09:05.telnetd.asc
Tags : vendor-advisory, x_refsource_FREEBSD
Tags : vendor-advisory, x_refsource_FREEBSD
http://lists.grok.org.uk/pipermail/full-disclosure/2009-February/067954.html
Tags : mailing-list, x_refsource_FULLDISC
Tags : mailing-list, x_refsource_FULLDISC
2025©
tesweb SA
