Re: Glibc Local Root Exploit

[Brian <bruns () MAGENET COM>]

In bash, simplest way to discourage idiots who are going to do this is
to put the following in /etc/bashrc or /etc/profile (if you use Bash, I
dont know about tcsh or the others):

readonly RESOLV_HOST_CONF=""

Its not fool-proof, and wont last long, and definately wont stop those
intent on doing damage, but hopefully this problem will get fixed
quickly...

Brian Bruns
Valley Of The Mage Consulting
http://www.magenet.com
ICQ: 8077511

Charles Stevenson wrote:
> Hi all,
>   This has been bouncing around on vuln-dev and the debian-devel lists. It
> effects glibc >= 2.1.9x and it would seem many if not all OSes using these
> versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
> the actual fix was a missing comma in the list of secure env vars that were
> supposed to be cleared when a program starts up suid/sgid (including
> RESOLV_HOST_CONF)." The exploit varies from system to system but in our
> devel version of Yellow Dog Linux I was able to print the /etc/shadow file
> as a normal user in the following manner:
>
> export RESOLV_HOST_CONF=/etc/shadow
> ssh whatever.host.com
>
>   Other programs have the same effect depending on the defaults for the
> system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
> (prerelease), and Debian Woody. Others have reported similar results on
> slackware and even "home brew[ed]" GNU/Linux.
>
> Best Regards,
> Charles Stevenson
> Software Engineer
>
> --
>   Terra Soft Solutions, Inc
>   http://www.terrasoftsolutions.com/
>
>   Yellow Dog Linux
>   http://www.yellowdoglinux.com/
>
>   Black Lab Linux
>   http://www.blacklablinux.com

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature