Re: Glibc Local Root Exploit

[Digital Overdrive <digiover () dsinet org>]

Charles Stevenson wrote:
> Hi all,
>   This has been bouncing around on vuln-dev and the debian-devel lists. It
> effects glibc >= 2.1.9x and it would seem many if not all OSes using these
> versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
> the actual fix was a missing comma in the list of secure env vars that were
> supposed to be cleared when a program starts up suid/sgid (including
> RESOLV_HOST_CONF)." The exploit varies from system to system but in our
> devel version of Yellow Dog Linux I was able to print the /etc/shadow file
> as a normal user in the following manner:
>
> export RESOLV_HOST_CONF=/etc/shadow
> ssh whatever.host.com

[Credits to ^herman^ in #hit2000 on ircnet]
A temp. sollution is to place this in /etc/services:
declare -r RESOLV_HOST_CONF

jan@flits102-93:~$ export RESOLV_HOST_CONF=/etc/shadow
bash: RESOLV_HOST_CONF: readonly variable
jan@flits102-93:~$

Regards,

Jan (Digital Overdrive)

--
 .~.   Dutch Security Information Network : http://www.dsinet.org
 /V\   digiover () dsinet org |  digiover () cotse com
/( )\
^^-^^