The link says:
The telnet protocol allows passing environment variables inside the telnet traffic and assigning them to the other side of the TCP connection. The telnet daemon of FreeBSD 7.0-RELEASE does not check for LD_* (like LD_PRELOAD) environment variables prior to executing /bin/login. So passing an environment variable with the identifier LD_PRELOAD and the value of a precompiled library that is on the filesystem of the victim's box that includes malicious code is possible. When /bin/login is executed with the user id and group id 0 ('root') it preloads the library that was set by remote connection through a telnet environment definition and executes it. It is unlikely that this bug can be exploited remotely but is not impossible. An attacker could f.e. upload a malicious library using ftp (including anonymous ftp users), nfs, smb or any other (file) transfer protocol. One scenario to exploit the bug remotely would be a ftp server running beside the telnet daemon serving also anonymous users with write access. Then the attacker would upload the malicious library and define the LD_PRELOAD variable to something similar to /var/ftp/mallib.so to gain remote root access.
So, if I create a new telnet and inetd with a non-superuser account, this exploit doesn't work? It seems that /bin/login has to be executed with root's user id, but I'm not sure that /bin/login is always executed with root's user id ...
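
The check the quoted advisory says is missing, as an added example that is not part of the original post and is not FreeBSD's telnetd code: a daemon drops LD_* variables received from the client before it executes a privileged program. The names `env_is_unsafe` and `scrub_env` and the sample environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Prefixes a daemon should refuse to pass from the network to a privileged
 * child. Only LD_ comes from the advisory; extend the list per platform. */
static const char *const reject_prefixes[] = { "LD_", NULL };

/* Return 1 if the "NAME=value" entry must be dropped, 0 if it may be kept. */
int env_is_unsafe(const char *entry)
{
    /* Entries without '=' or with an empty name are malformed: drop them. */
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 1;
    for (size_t i = 0; reject_prefixes[i] != NULL; i++) {
        if (strncmp(entry, reject_prefixes[i], strlen(reject_prefixes[i])) == 0)
            return 1;
    }
    return 0;
}

/* Compact a NULL-terminated environment array in place.
 * Returns the number of entries that were dropped. */
int scrub_env(char **envp)
{
    char **out = envp;
    int dropped = 0;
    for (char **in = envp; *in != NULL; in++) {
        if (env_is_unsafe(*in))
            dropped++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return dropped;
}

int main(void)
{
    /* Constructed sample: variables as a telnet client might send them. */
    char *env[] = { "TERM=xterm", "LD_PRELOAD=/var/ftp/mallib.so",
                    "DISPLAY=:0", "LD_LIBRARY_PATH=/tmp", "=bad", NULL };
    int n = scrub_env(env);
    printf("dropped %d\n", n);
    for (char **e = env; *e != NULL; e++)
        puts(*e);          /* what would be handed to the login program */
    return 0;
}
```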