Telnetd exploit on FreeBSD 7
A posting on the Full Disclosure mailing list has revealed what the FreeBSD Security team call a semi-remote root exploit for the telnetd service in FreeBSD 7, and later. By default, this service is disabled.
To exploit the vulnerability, a maliciously crafted library must be placed on the victim system beforehand, and then an attacker must connect via telnetd, passing the location of that library in the LD_PRELOAD environment variable. The malicious library is then loaded before the /bin/login process and executed as root.
Colin Percival, Security Officer for FreeBSD, recommends that FreeBSD 7.0-RELEASE, 7.1-RELEASE, 7-STABLE, and 8-CURRENT users ensure that telnetd is disabled. Dragonfly BSD is also reportedly vulnerable to the issue, but for a different reason, and patches for it, will not work on FreeBSD.
See also:
- FreeBSD 'telnetd' Daemon Remote Code Execution Vulnerability, advisory from SecurityFocus
(djwm)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
