Following a vulnerability discovered at the end of January in the telnetd server from the GNU InetUtils suite, which allowed a connection as the root user without the password being checked, several further ways to escalate privileges have been identified. These stem from an incomplete fix for a vulnerability dating from 1999 (CVE-1999-0073).
The vulnerabilities stem from telnetd's ability to accept environment variables sent by the client via the ENVIRON option. These environment variables are processed in the context of the telnetd process and passed on to its child processes, including the /bin/login process, which is launched as root. CVE-1999-0073 allowed a telnet client to pass the LD_LIBRARY_PATH environment variable, so that a user-specified shared library was loaded when the login process started; an attacker could thus upload a specially crafted library and have it loaded with root privileges.
To address this vulnerability in telnetd from the GNU InetUtils suite, dangerous environment variables were disabled by filtering their names against specific masks such as "LD_", "LIBPATH", "ENV", "IFS", and "_RLD_". However, the environment variable "CREDENTIALS_DIRECTORY" was left unblocked and is honoured when /usr/bin/login is launched. With this variable, a user can redirect login to a directory of their choosing containing credential settings and place a login.noauth file there with the value "yes", which enables login without a password for all users, including root.
The attack consists of an unprivileged user creating a subdirectory in their home directory, placing the login.noauth file in it, setting the environment variable "CREDENTIALS_DIRECTORY" to that directory, and passing the environment variable "USER=root" during login. An example exploit has been provided for reference.
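The root cause described above is a prefix blocklist that misses a name nobody thought of. The following C program is an added example, not code from GNU InetUtils, that models the filtering approach the article describes and contrasts it with an allowlist. The prefixes are the ones the article names; the exact matching rule used by the real server, the allowlist contents, and the sample client input are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model of prefix-based filtering (added example, not InetUtils' own code).
 * The prefixes come from the article; matching them as prefixes of the
 * variable name is an assumption about how the real server behaves. */
static const char *const blocked_prefixes[] = {
    "LD_", "LIBPATH", "ENV", "IFS", "_RLD_", NULL
};

/* Returns true if a client-supplied variable NAME passes the blocklist. */
bool blocklist_allows(const char *name)
{
    for (size_t i = 0; blocked_prefixes[i] != NULL; i++) {
        size_t n = strlen(blocked_prefixes[i]);
        if (strncmp(name, blocked_prefixes[i], n) == 0)
            return false;
    }
    return true;
}

/* Hardened alternative (assumed policy, not a documented InetUtils feature):
 * forward only names on an explicit allowlist, so a variable that was never
 * considered (here CREDENTIALS_DIRECTORY) is dropped by default. */
static const char *const allowed_names[] = { "TERM", "DISPLAY", "LANG", NULL };

bool allowlist_allows(const char *name)
{
    for (size_t i = 0; allowed_names[i] != NULL; i++)
        if (strcmp(name, allowed_names[i]) == 0)
            return true;
    return false;
}

/* Copy the NAME part of a "NAME=value" pair into out (at most outlen bytes).
 * Returns false for a malformed pair (no '=', empty name, or name too long). */
bool env_name(const char *pair, char *out, size_t outlen)
{
    const char *eq = strchr(pair, '=');
    if (eq == NULL || eq == pair || (size_t)(eq - pair) >= outlen)
        return false;
    memcpy(out, pair, (size_t)(eq - pair));
    out[eq - pair] = '\0';
    return true;
}

/* Count how many pairs a given policy would forward to the login process. */
int count_forwarded(const char *const *pairs, bool (*policy)(const char *))
{
    int forwarded = 0;
    char name[64];
    for (size_t i = 0; pairs[i] != NULL; i++)
        if (env_name(pairs[i], name, sizeof name) && policy(name))
            forwarded++;
    return forwarded;
}

/* Constructed sample of what a client might send via the ENVIRON option;
 * the paths and values are made up for this example. */
static const char *const sample_env[] = {
    "TERM=xterm",
    "LD_LIBRARY_PATH=/tmp/example",
    "CREDENTIALS_DIRECTORY=/home/example/creds",
    "USER=root",
    NULL
};

int main(void)
{
    /* The blocklist stops LD_LIBRARY_PATH but lets CREDENTIALS_DIRECTORY
     * and USER through; the allowlist forwards only TERM. */
    printf("blocklist forwards %d of 4, allowlist forwards %d of 4\n",
           count_forwarded(sample_env, blocklist_allows),
           count_forwarded(sample_env, allowlist_allows));
    return 0;
}
```

The point of the comparison is that a blocklist has to anticipate every variable that some later component (here, login's credential-directory handling) might interpret, whereas an allowlist fails closed when a new consumer appears. The same check can be run over a server's actual environment-forwarding policy to see which names reach the login process.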
The identified vulnerabilities have further impacts beyond those described here, and users and system administrators should be aware of these security issues and take the necessary precautions to protect their systems.