Bugtraq mailing list archives
Re: Glibc Local Root Exploit
From: Ben Collins <bcollins () DEBIAN ORG>
Date: Wed, 10 Jan 2001 14:22:22 -0500
On Wed, Jan 10, 2001 at 12:06:48AM -0700, Charles Stevenson wrote:
> Hi all,
>
> This has been bouncing around on vuln-dev and the debian-devel lists. It
> affects glibc >= 2.1.9x and it would seem many if not all OSes using these
> versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
> the actual fix was a missing comma in the list of secure env vars that were
> supposed to be cleared when a program starts up suid/sgid (including
> RESOLV_HOST_CONF)." The exploit varies from system to system but in our
> devel version of Yellow Dog Linux I was able to print the /etc/shadow file
> as a normal user in the following manner:
>
>     export RESOLV_HOST_CONF=/etc/shadow
>     ssh whatever.host.com
>
> Other programs have the same effect depending on the defaults for the
> system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
> (prerelease), and Debian Woody. Others have reported similar results on
> slackware and even "home brew[ed]" GNU/Linux.

Just a note. The latest *released* Debian (2.2, aka potato) is not vulnerable to this problem, since it uses glibc 2.1.3. Our unreleased testing and devel (aka woody and sid) dists are vulnerable, at least today. The fixed packages are being uploaded, and should be on mirrors within 24-48 hours. Don't expect a security announcement from this on Debian, since we only do that for released distributions, which woody and sid are not.

Also, to give credit where credit is due, Jakub Jelinek actually produced the patch that fixes this particular problem. I was merely stating what I knew (in the quote above).

--
 -----------=======-=-======-=========-----------=====------------=-=------
/ Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \
` bcollins () debian org -- bcollins () openldap org -- bcollins () linux com '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
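
The bug class named in the quote above (a missing comma in a list of environment variable names), shown as an added example that is not part of the original post and is not glibc's code: in C, adjacent string literals are concatenated, so the list silently loses entries and those variables are never cleared. The list contents, function names and sample value are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for setenv/unsetenv */
#endif
#include <stdio.h>
#include <stdlib.h>

/* Constructed lists for illustration only; not glibc's actual table. */
static const char *const buggy_list[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH"     /* missing comma: literal merges with the next one */
    "RESOLV_HOST_CONF",
    "LOCALDOMAIN",
};
static const char *const fixed_list[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "RESOLV_HOST_CONF",
    "LOCALDOMAIN",
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Defensive check: pin the entry count so a lost comma fails the build. */
_Static_assert(COUNT(fixed_list) == 4, "secure env var list lost an entry");

/* Set name, remove every listed variable, report whether name is still set. */
static int survives_scrub(const char *const *list, size_t n, const char *name)
{
    setenv(name, "/tmp/constructed.conf", 1);   /* constructed sample value */
    for (size_t i = 0; i < n; i++)
        unsetenv(list[i]);
    int still_set = getenv(name) != NULL;
    unsetenv(name);                             /* leave the environment clean */
    return still_set;
}

size_t buggy_count(void) { return COUNT(buggy_list); }
int buggy_survives(const char *name) { return survives_scrub(buggy_list, COUNT(buggy_list), name); }
int fixed_survives(const char *name) { return survives_scrub(fixed_list, COUNT(fixed_list), name); }

int main(void)
{
    printf("buggy list has %zu entries\n", buggy_count());
    printf("RESOLV_HOST_CONF survives buggy scrub: %d\n", buggy_survives("RESOLV_HOST_CONF"));
    printf("RESOLV_HOST_CONF survives fixed scrub: %d\n", fixed_survives("RESOLV_HOST_CONF"));
    return 0;
}
```

The same `_Static_assert` applied to the buggy list would stop the build, since that array has three elements instead of four.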