Bugtraq mailing list archives
Re: Glibc Local Root Exploit
From: Brian <bruns () MAGENET COM>
Date: Wed, 10 Jan 2001 15:57:19 -0500
In bash, the simplest way to discourage idiots who are going to do this is to put the following in /etc/bashrc or /etc/profile (if you use Bash, I don't know about tcsh or the others):

    readonly RESOLV_HOST_CONF=""

It's not fool-proof, and won't last long, and definitely won't stop those intent on doing damage, but hopefully this problem will get fixed quickly...

Brian Bruns
Valley Of The Mage Consulting
http://www.magenet.com
ICQ: 8077511

Charles Stevenson wrote:
Hi all,

This has been bouncing around on vuln-dev and the debian-devel lists. It affects glibc >= 2.1.9x and it would seem many if not all OSes using these versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and the actual fix was a missing comma in the list of secure env vars that were supposed to be cleared when a program starts up suid/sgid (including RESOLV_HOST_CONF)."

The exploit varies from system to system but in our devel version of Yellow Dog Linux I was able to print the /etc/shadow file as a normal user in the following manner:

    export RESOLV_HOST_CONF=/etc/shadow
    ssh whatever.host.com

Other programs have the same effect depending on the defaults for the system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0 (prerelease), and Debian Woody. Others have reported similar results on Slackware and even "home brew[ed]" GNU/Linux.

Best Regards,
Charles Stevenson
Software Engineer
--
Terra Soft Solutions, Inc http://www.terrasoftsolutions.com/
Yellow Dog Linux http://www.yellowdoglinux.com/
Black Lab Linux http://www.blacklablinux.com
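Added example, not part of the original thread and not glibc's source: a minimal C sketch of how the "missing comma" root cause quoted above lets a variable slip through an environment scrubber, with a build-time guard that catches it. The list contents and order, and the names `buggy_list`, `fixed_list`, `is_unsafe` and `scrub_env`, are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed lists, NOT glibc's actual table. In buggy_list the comma after
 * "RESOLV_HOST_CONF" is missing, so the compiler concatenates it with the next
 * literal into one entry, "RESOLV_HOST_CONFLD_LIBRARY_PATH". */
static const char *const buggy_list[] = {
    "LD_PRELOAD",
    "RESOLV_HOST_CONF"          /* <- missing comma */
    "LD_LIBRARY_PATH",
    "LOCALDOMAIN",
};
static const char *const fixed_list[] = {
    "LD_PRELOAD", "RESOLV_HOST_CONF", "LD_LIBRARY_PATH", "LOCALDOMAIN",
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
/* Build-time guard: the same check on buggy_list (3 entries) stops the build. */
_Static_assert(COUNT(fixed_list) == 4, "unsafe-variable list lost an entry");

/* 1 if "NAME=value" names a listed variable (exact name match up to '='). */
static int is_unsafe(const char *entry, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(list[i]);
        if (strncmp(entry, list[i], len) == 0 && entry[len] == '=')
            return 1;
    }
    return 0;
}

/* Compact envp in place, dropping listed variables; returns entries kept. */
size_t scrub_env(const char **envp, const char *const *list, size_t n)
{
    size_t kept = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (!is_unsafe(envp[i], list, n))
            envp[kept++] = envp[i];
    envp[kept] = NULL;
    return kept;
}

int main(void)
{
    const char *a[] = {"PATH=/bin", "RESOLV_HOST_CONF=/tmp/x", "LD_PRELOAD=/tmp/p", NULL};
    const char *b[] = {"PATH=/bin", "RESOLV_HOST_CONF=/tmp/x", "LD_PRELOAD=/tmp/p", NULL};
    printf("buggy list keeps %zu, fixed list keeps %zu\n",
           scrub_env(a, buggy_list, COUNT(buggy_list)),
           scrub_env(b, fixed_list, COUNT(fixed_list)));
}
```

Pinning the expected entry count at compile time turns a silently merged string literal into a build failure instead of a variable that survives into a privileged process.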