Bugtraq mailing list archives

Re: Glibc Local Root Exploit


From: Charles Stevenson <csteven () NEWHOPE TERRAPLEX COM>
Date: Wed, 10 Jan 2001 16:07:13 -0700

on 1/10/01 1:34 PM, KraZee . at krazee () lycos com wrote:

Hello, I run a few slackware boxes and I've tested this vulnerability. Is
there a patch? I haven't seen any vendor patches for this problem yet. I'm
also wondering if this hole is only limited to suids that use environmental
variables (ssh?), the reason I ask is because I was only able to duplicate the
bug by running ssh as root, since it's not suid on my systems it didn't read
/etc/shadow. Thanks and I look forward to your reply.

In resolv/res_hconf.c, in the function _res_hconf_init, replace the getenv
call for ENVHOST iirc, (#define for RESOLV_HOST_CONF), with __secure_getenv.

Also I would like to say thanks to Jakub Jelinek as Ben Collins pointed out
my error.

New packages for Yellow Dog 2.0 prerelease, for those of you testing, should
be in ruffpack very soon now. In the meantime I would suggest changing the
permissions on all suid/sgid binaries that do host name lookups. Or some of
the other fine suggestions that have been posted. As has been pointed out
this is an old bug that was fixed and has come back.



Cheers,
Charles Stevenson

- Mark
--

On Wed, 10 Jan 2001 00:06:48
Charles Stevenson wrote:
Hi all,
This has been bouncing around on vuln-dev and the debian-devel lists. It
affects glibc >= 2.1.9x and it would seem many if not all OSes using these
versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
the actual fix was a missing comma in the list of secure env vars that were
supposed to be cleared when a program starts up suid/sgid (including
RESOLV_HOST_CONF)." The exploit varies from system to system but in our
devel version of Yellow Dog Linux I was able to print the /etc/shadow file
as a normal user in the following manner:

export RESOLV_HOST_CONF=/etc/shadow
ssh whatever.host.com

Other programs have the same effect depending on the defaults for the
system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
(prerelease), and Debian Woody. Others have reported similar results on
slackware and even "home brew[ed]" GNU/Linux.

Best Regards,
Charles Stevenson
Software Engineer

--
Terra Soft Solutions, Inc
http://www.terrasoftsolutions.com/

Yellow Dog Linux
http://www.yellowdoglinux.com/

Black Lab Linux
http://www.blacklablinux.com
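An added illustration of the fix described in the reply above (replacing the getenv call for RESOLV_HOST_CONF with __secure_getenv in resolv/res_hconf.c); this is example code, not code from the thread or from glibc. The environment value, the default path /etc/host.conf and the helper secure_getenv_compat() are assumptions; the secure flag is passed in explicitly so both branches can be run without installing a real suid binary.

```c
/* Added example, not glibc code: the pattern behind the res_hconf.c fix. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(), AT_SECURE */
#endif
#define DEFAULT_HOST_CONF "/etc/host.conf"   /* assumed default location */

/* Is this process running with privileges its invoker did not have? Linux
 * records that in the AT_SECURE auxv entry; uid/gid comparison is the fallback. */
int running_secure(void)
{
#ifdef AT_SECURE
    return getauxval(AT_SECURE) != 0;
#else
    return geteuid() != getuid() || getegid() != getgid();
#endif
}

/* Stand-in for glibc's __secure_getenv() (today: secure_getenv()): the variable
 * is invisible when 'secure' is set, exactly what a suid program needs. */
const char *secure_getenv_compat(const char *name, int secure)
{
    return secure ? NULL : getenv(name);
}

/* Before the fix: plain getenv(), honoured even inside a suid program. */
const char *host_conf_path_before(void)
{
    const char *p = getenv("RESOLV_HOST_CONF");
    return p ? p : DEFAULT_HOST_CONF;
}

/* After the fix: the override is ignored whenever the process is privileged. */
const char *host_conf_path_after(int secure)
{
    const char *p = secure_getenv_compat("RESOLV_HOST_CONF", secure);
    return p ? p : DEFAULT_HOST_CONF;
}

int main(void)
{
    setenv("RESOLV_HOST_CONF", "/tmp/untrusted.conf", 1); /* constructed value */
    printf("before fix, suid:  %s\n", host_conf_path_before());
    printf("after fix, suid:   %s\n", host_conf_path_after(1));
    printf("after fix, normal: %s\n", host_conf_path_after(0));
    return 0;
}
```

With the override honoured, a privileged program would open whatever path the caller named; with the fix it falls back to the default regardless of the environment.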




