Bugtraq mailing list archives

Re: libresolv+ bug


From: jlewis () inorganic5 fdt net (Jon Lewis)
Date: Sun, 18 Aug 1996 18:02:26 -0400


On Sun, 18 Aug 1996, Brian Mitchell wrote:

> On Sun, 18 Aug 1996, Theo Van Dinter wrote:
>
> > In response to the libresolv+ hole ...  I'm sure there's a better/more
> > encompassing/cleaner method of fixing it, but here's my patch for ping (I
> > have the Netkit-B-0.07A source for ping (linux)...  It just switches the
> > effective uid to nobody (default 65534) around a certain gethostbyname ...
> > This fixed the problem as far as I can tell on my system...
>
> I'm no expert in this...but I'm trying.  Why setuid to nobody, why is
> your nobody 65534, and why hard code that uid??
>
> What about using unsetenv() to remove the vile variables from the
> environment at the beginning of the program.
>
> Of course, this all needs to be in libc, kludging your way around ping,
> rlogin, traceroute, and especially ssh is not a good thing.

I also patched NetKit-B-0.07A (ping, rcp, rsh, rlogin) and traceroute
last night such that they seteuid(getuid()) as line 1 of main() and then
do a setuid(0) just before function calls that need root, and
seteuid(getuid()) immediately after those calls.  This sort of thing
should probably have been done in the first place.

I then found that other things, like sendmail, have the same hole, and
started looking into hacking libc...but found it much easier to add
RESOLV_HOST_CONF as one of the forbidden env variables for suid programs
in ld.so and ld-linux.so.  It seems to me to be a sort of bandaid
solution...but looks good enough for the short term.

I sent my patches off to the NetKit-B maintainer, and have them installed
on several systems.

BTW...unified diffs are much nicer to look at.

Was this just a Linux problem, or are other OS's vulnerable in the same
way?  Our FreeBSD box didn't seem vulnerable.

------------------------------------------------------------------
 Jon Lewis <jlewis () fdt net>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/hr.
________Finger jlewis () inorganic5 fdt net for PGP public key_______
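As an added example, not code from the thread or from NetKit, here is the pattern Jon describes (drop the effective uid on the first line of main, raise it only around the raw-socket call, drop again) combined with Brian's unsetenv() suggestion; it uses seteuid() in both directions, and the function names are my own.

```c
/* Added example (not from the thread or NetKit): drop the effective uid at
 * the top of main, re-raise only around the call that needs root, and
 * unsetenv() the resolver variable first.  Function names are my own. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* Caller-controlled variables that steer library code inside a setuid
 * program; the thread names RESOLV_HOST_CONF. */
static const char *const risky_env[] = { "RESOLV_HOST_CONF", NULL };

/* Remove them before any library call runs; returns how many were set. */
int scrub_environment(void)
{
    int removed = 0;
    for (const char *const *p = risky_env; *p != NULL; p++)
        if (getenv(*p) != NULL && unsetenv(*p) == 0)
            removed++;
    return removed;
}

/* Run as the invoking user; the saved set-uid stays 0, so we can return. */
int drop_privileges(void) { return seteuid(getuid()); }

/* Hold root only for socket(): the raw ICMP socket ping needs. */
int open_icmp_socket(void)
{
    if (seteuid(0) != 0)
        return -1;                  /* not setuid root: nothing to raise */
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    int saved = errno;
    if (drop_privileges() != 0)     /* never carry on still running as root */
        _exit(1);
    errno = saved;
    return fd;
}

int main(void)
{
    scrub_environment();            /* before the resolver can read it */
    drop_privileges();              /* "line 1 of main", as in the thread */
    int fd = open_icmp_socket();    /* brief, bracketed raise to root */
    /* gethostbyname() and everything else now run as the real user. */
    printf("raw socket fd=%d, euid=%d\n", fd, (int)geteuid());
    return fd >= 0 ? 0 : 1;
}
```

Installed setuid root it holds root only inside socket(); run without the setuid bit it reports fd=-1 and keeps going as the caller.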
