Haha @ FreeBSD telnetd
… and here we were almost a year ago making fun of Solaris for letting silly things slip in. The good news is almost no one uses telnet anymore, and if they do they probably deserve to get owned.
Here’s a hurried patch confirmed to plug this hole, but it does so in a messy manner. What’s funny is there’s an entire function called scrub_env() that (on cursory inspection) looks like its sole purpose is to prevent shit like this, and for some reason it doesn’t.
--- sys_term.c~ 2009-02-13 23:58:26.000000000 -0500
+++ sys_term.c 2009-02-13 23:58:26.000000000 -0500
@@ -1221,6 +1221,7 @@
if (altlogin == NULL) {
altlogin = _PATH_LOGIN;
}
+ unsetenv("LD_PRELOAD");
execv(altlogin, argv);
syslog(LOG_ERR, "%s: %m", altlogin);
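Review bot: unsetenv("LD_PRELOAD") placed just before execv(altlogin, argv) removes one variable by name, so any other run-time linker variable present in the environment (LD_LIBRARY_PATH, for example) still reaches the login program. The filtering belongs in scrub_env(), matching on the LD_ prefix rather than a single name, so that every path to the exec is covered. The return value of unsetenv() is also unchecked here; on failure it should be logged and the exec skipped.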
My blog munges the code formatting – it’s just here so you can see what’s going on. In the very unlikely event you run telnetd and want to patch it, you can download the patch.
Update: Disregard that patch; FreeBSD released an advisory, and their patch is a much more elegant solution.
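For comparison with the single unsetenv() call above, here is a prefix-based scrub of the kind a function like scrub_env() is meant to perform. This is an added example, not FreeBSD's code and not the advisory's fix; the name scrub_loader_env, the prefix list and the sample environment are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed deny-list for this example: match whole prefixes, not single names,
 * so LD_PRELOAD, LD_LIBRARY_PATH and any other LD_* variable are all caught. */
static const char *const unsafe_prefixes[] = { "LD_", "_RLD_", "LIBPATH=", "IFS=", NULL };

static int is_unsafe(const char *entry)
{
    for (const char *const *p = unsafe_prefixes; *p != NULL; p++)
        if (strncmp(entry, *p, strlen(*p)) == 0)
            return 1;
    return 0;
}

/* Compact a NULL-terminated "NAME=value" array in place, dropping every
 * unsafe entry (duplicates included). Returns the number of entries dropped.
 * A daemon would run this over the environment it hands to the login program. */
int scrub_loader_env(char **envp)
{
    char **dst = envp;
    int dropped = 0;

    for (char **src = envp; *src != NULL; src++) {
        if (is_unsafe(*src))
            dropped++;
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return dropped;
}

int main(void)
{
    /* Constructed sample environment. OLD_PATH contains "LD_" but does not
     * start with it, so it must survive the scrub. */
    char *env[] = { "TERM=vt100", "LD_PRELOAD=/tmp/a.so", "USER=alice",
                    "LD_LIBRARY_PATH=/tmp", "LD_PRELOAD=/tmp/b.so",
                    "OLD_PATH=/bin", NULL };

    int dropped = scrub_loader_env(env);
    printf("dropped %d entries\n", dropped);
    for (char **e = env; *e != NULL; e++)
        printf("kept: %s\n", *e);
    return 0;
}
```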