Bugtraq mailing list archives
Re: Glibc Local Root Exploit
From: Charles Stevenson <csteven () NEWHOPE TERRAPLEX COM>
Date: Wed, 10 Jan 2001 16:07:13 -0700
on 1/10/01 1:34 PM, KraZee . at krazee () lycos com wrote:
> Hello, I run a few slackware boxes and I've tested this vulnerability. Is there a patch? I haven't seen any vendor patches for this problem yet. I'm also wondering if this hole is only limited to suids that use environmental variables (ssh?), the reason I ask is because I was only able to duplicate the bug by running ssh as root, since it's not suid on my systems it didn't read /etc/shadow. Thanks and I look forward to your reply.
In resolv/res_hconf.c, in the function _res_hconf_init, replace the getenv call for ENVHOST (iirc; the #define for RESOLV_HOST_CONF) with __secure_getenv.

Also I would like to say thanks to Jakub Jelinek, as Ben Collins pointed out my error. New packages for the Yellow Dog 2.0 prerelease, for those of you testing, should be in ruffpack very soon now. In the meantime I would suggest changing the permissions on all suid/sgid binaries that do host name lookups, or some of the other fine suggestions that have been posted. As has been pointed out, this is an old bug that was fixed and has come back.

Cheers,
Charles Stevenson
> - Mark --
>
> On Wed, 10 Jan 2001 00:06:48 Charles Stevenson wrote:
>> Hi all,
>>
>> This has been bouncing around on vuln-dev and the debian-devel lists. It affects glibc >= 2.1.9x and it would seem many if not all OSes using these versions of glibc.
>>
>> Ben Collins writes, "This wasn't supposed to happen, and the actual fix was a missing comma in the list of secure env vars that were supposed to be cleared when a program starts up suid/sgid (including RESOLV_HOST_CONF)."
>>
>> The exploit varies from system to system but in our devel version of Yellow Dog Linux I was able to print the /etc/shadow file as a normal user in the following manner:
>>
>> export RESOLV_HOST_CONF=/etc/shadow
>> ssh whatever.host.com
>>
>> Other programs have the same effect depending on the defaults for the system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0 (prerelease), and Debian Woody. Others have reported similar results on slackware and even "home brew[ed]" GNU/Linux.
>>
>> Best Regards,
>> Charles Stevenson
>> Software Engineer -- Terra Soft Solutions, Inc
>> http://www.terrasoftsolutions.com/
>> Yellow Dog Linux http://www.yellowdoglinux.com/
>> Black Lab Linux http://www.blacklablinux.com
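The fix described in this thread (reading RESOLV_HOST_CONF through __secure_getenv instead of getenv) as an added C example; this is not code from glibc or from any poster. It shows the unsafe and the fixed lookup side by side, using a real/effective ID comparison as a portable approximation of glibc's secure check (glibc itself consults AT_SECURE); DEFAULT_HOST_CONF, env_is_trusted, secure_getenv_compat and the two host_conf_path_* functions are names chosen for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Built-in default used when no trusted override is present. */
#define DEFAULT_HOST_CONF "/etc/host.conf"

/* In a set-uid/set-gid process the environment was supplied by an
 * unprivileged caller.  glibc's __secure_getenv answers this via AT_SECURE;
 * comparing real and effective IDs is the portable approximation used here. */
int env_is_trusted(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == euid && rgid == egid;
}

/* Replacement for getenv() that ignores the variable entirely when the
 * process is privileged: the pattern of __secure_getenv. */
const char *secure_getenv_compat(const char *name)
{
    if (!env_is_trusted(getuid(), geteuid(), getgid(), getegid()))
        return NULL;
    return getenv(name);
}

/* Vulnerable pattern (res_hconf.c before the fix): a plain getenv() result
 * is used as-is, so any caller can point a set-uid program at an arbitrary
 * file, which the resolver then opens and parses as its host.conf. */
const char *host_conf_path_unsafe(const char *getenv_result)
{
    return getenv_result ? getenv_result : DEFAULT_HOST_CONF;
}

/* Fixed pattern: the override comes only from the secure lookup, so a
 * privileged process (NULL result) always falls back to the default. */
const char *host_conf_path_safe(const char *secure_getenv_result)
{
    if (!secure_getenv_result || !*secure_getenv_result)
        return DEFAULT_HOST_CONF;
    return secure_getenv_result;
}

int main(void)
{
    printf("unsafe: %s\n", host_conf_path_unsafe(getenv("RESOLV_HOST_CONF")));
    printf("safe:   %s\n", host_conf_path_safe(secure_getenv_compat("RESOLV_HOST_CONF")));
    return 0;
}
```

Run it once as a normal user with RESOLV_HOST_CONF set and once from a set-uid copy to see the safe path ignore the override while the unsafe path follows it.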