IRIX telnetd Environment Variable Format String Vulnerability

Info

Bugtraq ID: 1572
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Aug 14 2000 12:00AM
Updated: Aug 14 2000 12:00AM
Credit: This vulnerability was reported to the Bugtraq mailing list on August 14, 2000 by LSD <[email protected]>
Vulnerable: SGI IRIX 6.5.8
SGI IRIX 6.5.7
SGI IRIX 6.5.6
SGI IRIX 6.5.4
SGI IRIX 6.5.3 m
SGI IRIX 6.5.3 f
SGI IRIX 6.5.3
SGI IRIX 6.5.2 m
SGI IRIX 6.5.1
SGI IRIX 6.5
SGI IRIX 6.4
SGI IRIX 6.3
SGI IRIX 6.2
SGI IRIX 6.1
SGI IRIX 6.0.1 XFS
SGI IRIX 6.0.1
SGI IRIX 6.0
SGI IRIX 5.3 XFS
SGI IRIX 5.3
SGI IRIX 5.2
Not Vulnerable:

Discussion

A vulnerability exists in the telnet daemon shipped with IRIX versions 6.2 through 6.5.8, and in patched versions of the telnet daemon in IRIX 5.2 through 6.1, from Silicon Graphics (SGI). telnetd uses data supplied by the user without validating it, which makes it possible for a remote attacker to execute arbitrary commands with the privileges of the daemon. In the case of the telnet daemon, this is root privileges.

When the telnet daemon receives an IAC-SB-TELOPT_ENVIRON request to set one of the _RLD environment variables, it logs the attempt via syslog(). The data normally logged is the environment variable name and the value of the environment variable. The call to syslog(), however, uses the supplied variables as part of the format string. By carefully constructing the contents of these variables, it is possible to overwrite values on the stack such that supplied code may be executed as the root user.
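
The logging pattern described above, reduced to a minimal C sketch beside its corrected form (an added example, not IRIX telnetd source). `log_sink`, the message text and the variable name `_RLD_EXAMPLE` are constructed stand-ins, and the sample input uses only `%%`, whose expansion is well defined.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog() that formats into a buffer (hypothetical helper). */
static char last_msg[256];

static void log_sink(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_msg, sizeof last_msg, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: peer-supplied name and value end up in the format. */
const char *log_env_unsafe(const char *name, const char *value)
{
    char buf[200];
    snprintf(buf, sizeof buf, "ignored setenv(%s, %s)", name, value);
    log_sink(buf);   /* BUG: buf is interpreted as a format string */
    return last_msg;
}

/* Hardened pattern: constant format, untrusted data passed only as arguments. */
const char *log_env_safe(const char *name, const char *value)
{
    log_sink("ignored setenv(%s, %s)", name, value);
    return last_msg;
}

/* Audit helper: count '%' directives (including "%%") in untrusted text. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++)
        if (*s == '%') { n++; if (s[1]) s++; }
    return n;
}

int main(void)
{
    const char *v = "100%%";   /* constructed input: two literal '%' bytes */
    printf("unsafe: %s\n", log_env_unsafe("_RLD_EXAMPLE", v));
    printf("safe:   %s\n", log_env_safe("_RLD_EXAMPLE", v));
    printf("directives in value: %d\n", count_directives(v));
    return 0;
}
```

The unsafe path collapses `%%` to `%`, which shows the log call parsing peer data as directives; the safe path logs the same bytes verbatim.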

This vulnerability does not exist in unpatched versions of IRIX 5.2 through 6.1. It was introduced in these versions via patches designed to address the vulnerability outlined in CERT advisory CA-95:14. That earlier vulnerability was addressed in the 1010 and 1020 series of patches. If these patches are not installed, the system is not vulnerable to this specific attack.

Exploit / POC

A very detailed description of the construction of this vulnerability can be found in the 'Credit' section.

Solution / Fix

Solution:
SGI has released a patch for vulnerable versions of IRIX.

SGI IRIX 5.2
SGI IRIX 5.3 XFS
SGI IRIX 5.3
SGI IRIX 6.0
SGI IRIX 6.0.1
SGI IRIX 6.0.1 XFS
SGI IRIX 6.1
SGI IRIX 6.2
SGI IRIX 6.3
SGI IRIX 6.4
SGI IRIX 6.5
SGI IRIX 6.5.1
SGI IRIX 6.5.2 m
SGI IRIX 6.5.3
SGI IRIX 6.5.3 m
SGI IRIX 6.5.3 f
SGI IRIX 6.5.4
SGI IRIX 6.5.7
SGI IRIX 6.5.8
