IRIX telnetd
CVE-2000-0733
Impact
A vulnerability in the IRIX telnet daemon could allow a
remote attacker to gain root access to the system.
Background
The telnet service provides an interactive command
interface for remote users. Users are generally
required to authenticate with their login name and
password to gain access to the server.
The Problem
There is a format string vulnerability in the telnet
daemon (telnetd) found on IRIX systems.
telnetd calls the syslog function when the client
requests to set a certain type of environment variable.
The format string used with the syslog call
is partially supplied by the telnet client. By supplying
a specially crafted variable/value pair, a remote user
can redirect the program's execution to arbitrary code.
Exploitation of this vulnerability could allow remote root access to
the system. IRIX 6.2 through IRIX 6.5.8 are affected by
this vulnerability. IRIX 5.2 through IRIX 6.1 are affected
only if the 1010/1020 security patch was applied.
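The coding pattern behind this class of bug, and its correction, shown as an added example (this is not IRIX telnetd source; the function names and log message text are assumptions made for illustration). Client data is passed to syslog only as an argument to a constant format string, and a small check counts format directives in client-supplied text so that suspicious requests can be flagged.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Added illustration; function names and message text are hypothetical,
 * not taken from IRIX telnetd. */

/* Count printf-style directives ('%' not escaped as "%%") in untrusted
 * text; a nonzero count in a variable name or value is worth alerting on. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Build the log text. The format string is a constant; client bytes are
 * passed only as arguments, so directives inside them stay inert. */
int format_env_log(char *out, size_t outlen, const char *name, const char *value)
{
    return snprintf(out, outlen, "rejected environment variable %s=%s", name, value);
}

void log_env_request(const char *name, const char *value)
{
    char msg[256];
    format_env_log(msg, sizeof msg, name, value);
    /* Vulnerable pattern: syslog(LOG_INFO, msg);
     * msg holds client data, so it would be parsed as a format string. */
    syslog(LOG_INFO, "%s", msg);   /* hardened: fixed format, data as argument */
}

int main(void)
{
    const char *name = "TERM", *value = "%x%x%n";   /* constructed sample input */
    char msg[256];
    format_env_log(msg, sizeof msg, name, value);
    printf("%d directive(s): %s\n", count_format_directives(value), msg);
    return 0;
}
```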
Resolution
Install the patch.
Where can I read more about this?
A detailed explanation of this vulnerability was posted to
Bugtraq.