Re: Glibc Local Root Exploit

[Pedro Margate <pedro () ECLIPSE NET>]

Greetings,

The implementations of ssh that I'm familiar with (ssh and OpenSSH)
install the ssh binary as suid root by default.  This can be disabled
during configuration or after the fact with chmod.  I believe that would
prevent this exploit from operating.  I've turned off the suid bit on
every ssh installation I've performed and it seems to work the same.  I'm
not sure what reason ssh has to be suid root, nobody I've asked has any
idea.

Regards,
Pedro

On Wed, 10 Jan 2001, Charles Stevenson wrote:

> Hi all,
>   This has been bouncing around on vuln-dev and the debian-devel lists. It
> effects glibc >= 2.1.9x and it would seem many if not all OSes using these
> versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
> the actual fix was a missing comma in the list of secure env vars that were
> supposed to be cleared when a program starts up suid/sgid (including
> RESOLV_HOST_CONF)." The exploit varies from system to system but in our
> devel version of Yellow Dog Linux I was able to print the /etc/shadow file
> as a normal user in the following manner:
>
> export RESOLV_HOST_CONF=/etc/shadow
> ssh whatever.host.com
>
>   Other programs have the same effect depending on the defaults for the
> system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
> (prerelease), and Debian Woody. Others have reported similar results on
> slackware and even "home brew[ed]" GNU/Linux.
>
> Best Regards,
> Charles Stevenson
> Software Engineer
>
> --
>   Terra Soft Solutions, Inc
>   http://www.terrasoftsolutions.com/
>
>   Yellow Dog Linux
>   http://www.yellowdoglinux.com/
>
>   Black Lab Linux
>   http://www.blacklablinux.com