Bugtraq mailing list archives

Glibc Local Root Exploit

From: Charles Stevenson <csteven () NEWHOPE TERRAPLEX COM>
Date: Wed, 10 Jan 2001 00:06:48 -0700

Hi all,
  This has been bouncing around on vuln-dev and the debian-devel lists. It
effects glibc >= 2.1.9x and it would seem many if not all OSes using these
versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
the actual fix was a missing comma in the list of secure env vars that were
supposed to be cleared when a program starts up suid/sgid (including
RESOLV_HOST_CONF)." The exploit varies from system to system but in our
devel version of Yellow Dog Linux I was able to print the /etc/shadow file
as a normal user in the following manner:

export RESOLV_HOST_CONF=/etc/shadow
ssh whatever.host.com

  Other programs have the same effect depending on the defaults for the
system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
(prerelease), and Debian Woody. Others have reported similar results on
slackware and even "home brew[ed]" GNU/Linux.

Best Regards,
Charles Stevenson
Software Engineer

--
  Terra Soft Solutions, Inc
  http://www.terrasoftsolutions.com/

  Yellow Dog Linux
  http://www.yellowdoglinux.com/

  Black Lab Linux
  http://www.blacklablinux.com

Current thread:

Glibc Local Root Exploit Charles Stevenson (Jan 10)
- Re: Glibc Local Root Exploit Thomas T. Veldhouse (Jan 10)
- Re: Glibc Local Root Exploit Ben Collins (Jan 10)
- Re: Glibc Local Root Exploit Pedro Margate (Jan 10)
  - Re: Glibc Local Root Exploit Gordon Messmer (Jan 10)
  - Re: Glibc Local Root Exploit Philip Rowlands (Jan 10)
  - Re: Glibc Local Root Exploit Ari Saastamoinen (Jan 10)
    - Re: Glibc Local Root Exploit Matt Zimmerman (Jan 12)
  - Re: Glibc Local Root Exploit Jerry Connolly (Jan 10)
  - Veritas BackupExec (remote DoS) oh3mqu+bugtraq (Jan 15)
- Re: Glibc Local Root Exploit Joe (Jan 10)

(Thread continues...)