[1067] in linux-security and linux-alert archive
[linux-security] RESOLV_HOST_CONF
daemon@ATHENA.MIT.EDU (Jordy)
Sun Aug 25 05:09:24 1996
Date: Sun, 25 Aug 1996 00:48:46 -0500 (CDT)
From: Jordy <jordy@newport.thirdwave.net>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.95.960820180225.500B-100000@bsx.ru>
Sigh, I don't know why, but for some reason no one has brought up the
RESOLV_HOST_CONF hack which is present in, well, just about every
resolv+ library ever.
Fade In:
The resolv+ library is statically linked into some programs such as ping, netstat,
and other network programs. It is responsible for parsing
/etc/resolv.conf, and allows you to specify a RESOLV_HOST_CONF file as an
environment variable. The problem is, it is setuid when it reads the conf
file, and if the conf file isn't in the correct format, it echoes everything
out.
Fade Out:
This is bad ;p. A wannabe hacker could easily type:
# export RESOLV_HOST_CONF=/etc/shadow
# ping my mother wears green army boots
and get a copy of that file; worse, you could do things like
# export RESOLV_HOST_CONF=/proc/kcore
# ping life is a challage hack it up
which is known to make a machine go boom.
Fade Slightly In Once More:
Workaround (aka Bandaid patch)
modify /etc/profile and add
RESOLV_HOST_CONF=
declare -xr RESOLV_HOST_CONF
A real patch isn't really available yet, from what I can see. You can modify
the source of the resolv+ library and make it setuid(getuid()) first, but
that would break if /etc/resolv.conf wasn't working right, or you could
simply remove the RESOLV_HOST_CONF variable completely.
Fade Back Out One Last Time:
This should probably be posted in linux-alert. Known distributions which
are affected include Slackware 2.0, 2.1, 3.0, 3.1, Redhat 2.0 and 3.0.3
picasso.
[REW: On Picasso: My ping isn't statically linked. My ping binary and
my libc don't have the string RESOLV_HOST_CONF. My ping still opens
/etc/resolv.conf when I set this environment variable.
The proposed patch won't help a lot: chsh tcsh; use csh syntax, or
write a program to pass a suitable environment yourself.
I'd suggest either dropping privileges before opening the file or
simply refusing to use the environment variables when euid != uid
(like the LD_LIBRARY_xx family).
My Slackware 3.0 system is vulnerable. My ping is still not statically
linked. The version in the shared library is being called. Slackware 3.0
uses libc.so.5.0.9, while picasso has libc.so.5.2.18. Is this the
significant difference?]