CVE-2009-0641
Description
FreeBSD 7.x telnetd fails to filter dangerous environment variables such as LD_PRELOAD, allowing remote code execution if an attacker can place a malicious library on the target.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The telnet daemon (telnetd) in FreeBSD 7.0-RELEASE and other 7.x versions contains a vulnerability in sys_term.c that allows environment variable scrubbing to be bypassed due to changes in FreeBSD's environment-handling code [1][2]. Specifically, the daemon does not properly remove dangerous environment variables such as LD_PRELOAD, which can be used to execute arbitrary code when /bin/login is invoked [2].
Exploitation
An attacker must first place a malicious shared library on the target filesystem (e.g., via anonymous FTP, NFS, SMB, or any write-enabled service) [2]. Then, the attacker connects via telnet and passes an environment variable like LD_PRELOAD pointing to the malicious library [1][2]. When /bin/login is executed with elevated privileges, the library is loaded, leading to code execution [2]. If no write service is accessible, the vulnerability is only exploitable locally [2].
Impact
Successful exploitation allows remote attackers to execute arbitrary code with the privileges of the user running telnetd, typically root [1][2]. This results in full compromise of the target system.
Mitigation
FreeBSD has released patches: upgrade to 7.0-RELEASE-p10, 7.1-RELEASE-p3, or 7.1-STABLE (available from February 16, 2009) [1]. No workaround is available aside from disabling the telnet service (telnetd is disabled by default in FreeBSD) and using SSH instead [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:freebsd:freebsd:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:7.0:beta_4:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:7.0_beta4:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:7.0:current:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:7.0-release:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:7.0_releng:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:7.1:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:7.1:rc1:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The environment-scrubbing code in telnetd's `sys_term.c` was rendered ineffective by changes to FreeBSD's environment-handling routines, allowing dangerous variables like `LD_PRELOAD` to be passed to `/bin/login`."
Attack vector
An attacker connects to the telnet daemon and uses the TELNET protocol's environment option to set `LD_PRELOAD` (or similar `LD_*` variables) to point to a malicious shared library already present on the target filesystem [ref_id=2]. Because telnetd's scrubbing is broken, the variable is passed to `/bin/login`, which runs as root and loads the attacker-controlled library, executing arbitrary code with root privileges [ref_id=1][ref_id=2]. Remote exploitation requires a secondary file-upload vector (e.g., anonymous FTP) to place the library on the victim system [ref_id=2].
Affected code
The vulnerability resides in `sys_term.c` within the telnetd component of FreeBSD 7.x [ref_id=1]. The environment-scrubbing logic in that file became ineffective after changes to FreeBSD's environment-handling code, allowing dangerous environment variables to pass through to `/bin/login` [ref_id=1].
What the fix does
The advisory directs administrators to patch `sys_term.c` in the telnetd source tree and rebuild both `lib/libtelnet` and `libexec/telnetd` [ref_id=1]. The patch restores effective scrubbing of dangerous environment variables (such as `LD_PRELOAD`) so that they are removed before `/bin/login` is executed, closing the code-execution vector [ref_id=1]. No workaround is available; systems not running telnetd are not vulnerable [ref_id=1].
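As an added illustration of the scrubbing the fix restores (example code written for this page, not FreeBSD's `sys_term.c`): a C routine that drops `LD_*`-style entries from a client-supplied environment before the privileged login program is executed. The deny-list prefixes, the function names and the constructed sample environment are assumptions, not values taken from the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Name prefixes that must never reach a privileged child such as /bin/login.
 * This deny list is an assumption for the example, not the exact list used in
 * FreeBSD's sys_term.c; "LD_" covers LD_PRELOAD and LD_LIBRARY_PATH. */
static const char *const deny_prefixes[] = { "LD_", "_RLD", NULL };

/* Nonzero if the variable name in "NAME=value" starts with a denied prefix. */
static int is_dangerous(const char *entry)
{
    for (size_t i = 0; deny_prefixes[i] != NULL; i++)
        if (strncmp(entry, deny_prefixes[i], strlen(deny_prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Drop dangerous or malformed (no '=') entries from a NULL-terminated envp,
 * compacting it in place. Returns the number of entries removed. Run this on
 * the client-supplied environment before exec'ing the login program. */
size_t scrub_env(char **envp)
{
    size_t in, out = 0;
    for (in = 0; envp[in] != NULL; in++) {
        if (strchr(envp[in], '=') == NULL || is_dangerous(envp[in]))
            continue;
        envp[out++] = envp[in];
    }
    envp[out] = NULL;
    return in - out;
}

/* Constructed sample: entries a telnet client could send via the environment
 * option. Returns 1 if scrubbing leaves exactly the benign entries. */
int self_check(void)
{
    char *env[] = { "TERM=xterm", "LD_PRELOAD=/tmp/libno_ex.so.1.0",
                    "USER=guest", "LD_LIBRARY_PATH=/tmp", "BROKEN",
                    "_RLD_LIST=/tmp/x.so", NULL };
    size_t removed = scrub_env(env);
    return removed == 4 && strcmp(env[0], "TERM=xterm") == 0 &&
           strcmp(env[1], "USER=guest") == 0 && env[2] == NULL;
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "pass" : "fail");
    return self_check() ? 0 : 1;
}
```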
Preconditions
- config: The telnet daemon must be enabled (disabled by default since August 2001)
- input: For remote exploitation, a file-upload service (e.g., anonymous FTP) must be available to place the malicious library on the target
- network: The attacker must be able to establish a TELNET connection to the target
Reproduction
Compile a malicious shared library using the provided C code and gcc commands, then copy it to a known location on the target (e.g., `/tmp/libno_ex.so.1.0`). Connect via telnet, disable SRA authentication, define the `LD_PRELOAD` environment variable pointing to the library, and open the target host. Upon successful login, the library's `_init()` function executes and spawns a root shell [ref_id=2].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.