Bugtraq mailing list archives
Re: libresolv+ bug
From: jlewis () inorganic5 fdt net (Jon Lewis)
Date: Sun, 18 Aug 1996 18:02:26 -0400
On Sun, 18 Aug 1996, Brian Mitchell wrote:

> On Sun, 18 Aug 1996, Theo Van Dinter wrote:
>
> > In response to the libresolv+ hole ... I'm sure there's a better/more encompassing/cleaner method of fixing it, but here's my patch for ping (I have the NetKit-B-0.07A source for ping (Linux))... It just switches the effective uid to nobody (default 65534) around a certain gethostbyname ... This fixed the problem as far as I can tell on my system...
>
> I'm no expert in this...but I'm trying. Why setuid to nobody, why is your nobody 65534, and why hard-code that uid??
>
> What about using unsetenv() to remove the vile variables from the environment at the beginning of the program? Of course, this all needs to be in libc; kludging your way around ping, rlogin, traceroute, and especially ssh is not a good thing.
I also patched NetKit-B-0.07A (ping, rcp, rsh, rlogin) and traceroute last night such that they seteuid(getuid()) as line 1 of main() and then do a setuid(0) just before function calls that need root, and seteuid(getuid()) immediately after those calls. This sort of thing should probably have been done in the first place.

I then found that other things, like sendmail, have the same hole, and started looking into hacking libc...but found it much easier to add RESOLV_HOST_CONF as one of the forbidden env variables for suid programs in ld.so and ld-linux.so. It seems to me to be a sort of bandaid solution...but looks good enough for the short term. I sent my patches off to the NetKit-B maintainer, and have them installed on several systems. BTW...unified diffs are much nicer to look at.

Was this just a Linux problem, or are other OSes vulnerable in the same way? Our FreeBSD box didn't seem vulnerable.

------------------------------------------------------------------
Jon Lewis <jlewis () fdt net>       | Unsolicited commercial e-mail will
Network Administrator               | be proof-read for $199/hr.
________Finger jlewis () inorganic5 fdt net for PGP public key_______
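The two defensive techniques discussed in this thread, scrubbing resolver environment variables with unsetenv() and running with the effective uid equal to the real uid except around calls that need root, combined into one setuid-safe lookup wrapper. This is an added illustration, not Jon Lewis's NetKit-B patch or Theo Van Dinter's ping patch. It uses seteuid() in both directions (the saved-uid mechanism the thread's setuid(0)/seteuid(getuid()) pair relies on); RESOLV_HOST_CONF is the variable named in the thread, while HOSTALIASES and RES_OPTIONS are other real libc resolver variables included here as an assumption about what a given libc honours. The function names and the sample environment value are constructed.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Resolver-controlling environment variables a setuid program must not
 * honour. RESOLV_HOST_CONF is the one from the thread; HOSTALIASES and
 * RES_OPTIONS are other libc resolver variables (assumption: the local
 * libc consults them). Terminated by NULL. */
static const char *const resolver_vars[] = {
    "RESOLV_HOST_CONF", "HOSTALIASES", "RES_OPTIONS", NULL
};

/* Remove every resolver variable from the environment.
 * Returns how many were actually present and removed. */
int scrub_resolver_env(void) {
    int removed = 0;
    for (const char *const *v = resolver_vars; *v != NULL; v++) {
        if (getenv(*v) != NULL) {
            unsetenv(*v);
            removed++;
        }
    }
    return removed;
}

/* Step one of the thread's pattern: effective uid = real uid as early as
 * possible. Root survives only as the saved uid. Returns 0 on success. */
int drop_privs(void) {
    return seteuid(getuid());
}

/* Regain the saved root uid just before a call that needs it. Returns -1
 * (errno set) when there is no saved root uid to regain, e.g. when the
 * binary is not setuid-root at all. */
int raise_privs(void) {
    return seteuid(0);
}

/* 1 when the process is currently running without elevated privileges. */
int privs_dropped(void) {
    return geteuid() == getuid();
}

/* Run fn(arg) with effective uid == real uid, then restore the effective
 * uid that was in force before. Returns fn's result, or -1 if the drop
 * itself failed. If restoring fails the process simply stays unprivileged,
 * which is the safe direction. */
int run_unprivileged(int (*fn)(void *), void *arg) {
    uid_t saved_euid = geteuid();
    if (drop_privs() != 0)
        return -1;
    int rc = fn(arg);
    (void)seteuid(saved_euid);
    return rc;
}

/* Probe used by the wrapper's callers (and by tests): reports whether the
 * callback really ran unprivileged. */
int probe_is_unprivileged(void *unused) {
    (void)unused;
    return privs_dropped();
}

struct lookup_req { const char *name; struct in_addr addr; };

/* Callback that performs the lookup; runs with privileges dropped. */
static int do_lookup(void *p) {
    struct lookup_req *req = p;
    struct hostent *he = gethostbyname(req->name);
    if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL)
        return 1;
    memcpy(&req->addr, he->h_addr_list[0], sizeof req->addr);
    return 0;
}

/* The lookup the thread patches in ping: scrub the environment first, then
 * resolve with effective uid == real uid. Returns 0 on success. */
int lookup_host_unprivileged(const char *name, struct in_addr *out) {
    struct lookup_req req = { name, { 0 } };
    scrub_resolver_env();
    int rc = run_unprivileged(do_lookup, &req);
    if (rc == 0)
        *out = req.addr;
    return rc;
}

int main(int argc, char **argv) {
    const char *name = argc > 1 ? argv[1] : "localhost";
    struct in_addr a;
    if (drop_privs() != 0)
        return 2;
    if (lookup_host_unprivileged(name, &a) != 0) {
        fprintf(stderr, "lookup of %s failed\n", name);
        return 1;
    }
    printf("%s -> %s (euid now %u)\n", name, inet_ntoa(a), (unsigned)geteuid());
    return 0;
}
```

The wrapper is written so that the resolver never runs with an effective uid of 0 regardless of what the environment contained, and drop_privs() at the top of main() keeps the window of elevated privilege limited to the explicit raise_privs()/drop_privs() bracket around a raw-socket call.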