Bugtraq mailing list archives

Re: Glibc Local Root Exploit


From: Joe <joe () blarg net>
Date: Wed, 10 Jan 2001 13:36:24 -0800

On Wed, 10 Jan 2001, Charles Stevenson wrote:

Hi all,
  This has been bouncing around on vuln-dev and the debian-devel lists. It
affects glibc >= 2.1.9x and it would seem many if not all OSes using these
versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
the actual fix was a missing comma in the list of secure env vars that were
supposed to be cleared when a program starts up suid/sgid (including
RESOLV_HOST_CONF)." The exploit varies from system to system but in our
devel version of Yellow Dog Linux I was able to print the /etc/shadow file
as a normal user in the following manner:

export RESOLV_HOST_CONF=/etc/shadow
ssh whatever.host.com

Exploit discovered, discussed, and fixed circa August 1996.

Original Announcement:
http://www.securityfocus.com/templates/archive.pike?list=1&mid=5222

Discussion thread:
http://www.securityfocus.com/templates/archive.pike?end=2001-01-13&start=2001-01-07&tid=5239&threads=0&list=1&;

--
Joe                                     Technical Support
General Support:  support () blarg net     Blarg! Online Services, Inc.
Voice:  425/401-9821 or 888/66-BLARG    http://www.blarg.net
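
The quoted explanation (a missing comma in the list of environment variables cleared for suid/sgid programs), as an added example that is not part of the original message and is not glibc's code. It assumes the list is an array of C string literals; the list contents, the position of the missing comma, and the names scrub_env and var_survives are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed lists for illustration; not glibc's actual table. */
static const char *const buggy_list[] = {
    "LD_LIBRARY_PATH",
    "LD_PRELOAD"            /* missing comma: literal merges with the next one */
    "RESOLV_HOST_CONF",
    "LOCALDOMAIN",
};
static const char *const fixed_list[] = {
    "LD_LIBRARY_PATH", "LD_PRELOAD", "RESOLV_HOST_CONF", "LOCALDOMAIN" };
/* Build-time guard: a merged pair shrinks the array and fails the build. */
_Static_assert(COUNT(fixed_list) == 4, "secure env list lost an entry");

/* Drop every NAME=value entry whose NAME is in list; return entries kept. */
static size_t scrub_env(const char **env, const char *const *list, size_t n)
{
    size_t kept = 0;
    for (size_t i = 0; env[i] != NULL; i++) {
        size_t len = strcspn(env[i], "=");   /* length of NAME */
        int listed = 0;
        for (size_t j = 0; j < n && !listed; j++)
            listed = strlen(list[j]) == len && memcmp(list[j], env[i], len) == 0;
        if (!listed)
            env[kept++] = env[i];
    }
    env[kept] = NULL;
    return kept;
}

/* Scrub a constructed environment and report whether `name` is still set. */
static int var_survives(const char *const *list, size_t n, const char *name)
{
    const char *env[] = { "PATH=/usr/bin", "LD_PRELOAD=/tmp/example.so",
                          "RESOLV_HOST_CONF=/etc/shadow", NULL };
    size_t kept = scrub_env(env, list, n), len = strlen(name);
    for (size_t i = 0; i < kept; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return 1;
    return 0;
}
int main(void)
{
    printf("RESOLV_HOST_CONF survives: buggy=%d fixed=%d\n",
           var_survives(buggy_list, COUNT(buggy_list), "RESOLV_HOST_CONF"),
           var_survives(fixed_list, COUNT(fixed_list), "RESOLV_HOST_CONF"));
    return 0;
}
```

The buggy array compiles without a diagnostic because adjacent string literals are concatenated, which is why a count assertion on the list is a cheap regression check.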

