Bugtraq mailing list archives
Re: Glibc Local Root Exploit
From: Pedro Margate <pedro () ECLIPSE NET>
Date: Wed, 10 Jan 2001 13:40:39 -0500
Greetings, The implementations of ssh that I'm familiar with (ssh and OpenSSH) install the ssh binary as suid root by default. This can be disabled during configuration or after the fact with chmod. I believe that would prevent this exploit from operating. I've turned off the suid bit on every ssh installation I've performed and it seems to work the same. I'm not sure what reason ssh has to be suid root, nobody I've asked has any idea. Regards, Pedro On Wed, 10 Jan 2001, Charles Stevenson wrote:
Hi all, This has been bouncing around on vuln-dev and the debian-devel lists. It effects glibc >= 2.1.9x and it would seem many if not all OSes using these versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and the actual fix was a missing comma in the list of secure env vars that were supposed to be cleared when a program starts up suid/sgid (including RESOLV_HOST_CONF)." The exploit varies from system to system but in our devel version of Yellow Dog Linux I was able to print the /etc/shadow file as a normal user in the following manner: export RESOLV_HOST_CONF=/etc/shadow ssh whatever.host.com Other programs have the same effect depending on the defaults for the system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0 (prerelease), and Debian Woody. Others have reported similar results on slackware and even "home brew[ed]" GNU/Linux. Best Regards, Charles Stevenson Software Engineer -- Terra Soft Solutions, Inc http://www.terrasoftsolutions.com/ Yellow Dog Linux http://www.yellowdoglinux.com/ Black Lab Linux http://www.blacklablinux.com
Current thread:
- Glibc Local Root Exploit Charles Stevenson (Jan 10)
- Re: Glibc Local Root Exploit Thomas T. Veldhouse (Jan 10)
- Re: Glibc Local Root Exploit Ben Collins (Jan 10)
- Re: Glibc Local Root Exploit Pedro Margate (Jan 10)
- Re: Glibc Local Root Exploit Gordon Messmer (Jan 10)
- Re: Glibc Local Root Exploit Philip Rowlands (Jan 10)
- Re: Glibc Local Root Exploit Ari Saastamoinen (Jan 10)
- Re: Glibc Local Root Exploit Matt Zimmerman (Jan 12)
- Re: Glibc Local Root Exploit Jerry Connolly (Jan 10)
- Veritas BackupExec (remote DoS) oh3mqu+bugtraq (Jan 15)
- Re: Glibc Local Root Exploit Joe (Jan 10)
- Re: Glibc Local Root Exploit Digital Overdrive (Jan 10)
- Re: Glibc Local Root Exploit Digital Overdrive (Jan 10)
- Re: Glibc Local Root Exploit Brian (Jan 10)
(Thread continues...)