[1067] in linux-security and linux-alert archive


[linux-security] RESOLV_HOST_CONF

daemon@ATHENA.MIT.EDU (Jordy)
Sun Aug 25 05:09:24 1996

Date: Sun, 25 Aug 1996 00:48:46 -0500 (CDT)
From: Jordy <jordy@newport.thirdwave.net>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.95.960820180225.500B-100000@bsx.ru>



Sigh, I don't know why, but for some reason no one has brought up the
RESOLV_HOST_CONF hack which is present in well, just about every
resolv+ library ever.

Fade In:

Resolv+ library is statically linked to some programs such as ping, netstat,
and other network programs. It is responsible for parsing
/etc/resolv.conf, and allows you to specify a RESOLV_HOST_CONF file as an
environmental variable; problem is, it is setuid when it reads the conf
file and if the conf file isn't in the correct format, it echoes everything
out.

Fade Out:

This is bad ;p. A wannabe hacker could easily type:

# export RESOLV_HOST_CONF=/etc/shadow
# ping my mother wears green army boots

and get a copy of that file, worse off you could do things like

# export RESOLV_HOST_CONF=/proc/kcore
# ping life is a challage hack it up

which is known to make a machine go boom.


Fade Slightly In Once More:

Workaround (aka Bandaid patch)

modify /etc/profile and add

RESOLV_HOST_CONF=
declare -xr RESOLV_HOST_CONF


Real Patch isn't really available yet, from what I can see. You can modify
the source to the resolv+ library and make it setuid(getuid()) first, but
that would break if /etc/resolv.conf wasn't working right, or you could
simply remove the RESOLV_HOST_CONF variable completely.


Fade Back Out One Last Time:

This should probably be posted in linux-alert. Known distributions which
are affected include Slackware 2.0, 2.1, 3.0, 3.1, Redhat 2.0 and 3.0.3
picasso.

[REW: On Picasso: My ping isn't statically linked. My ping binary and
my libc don't have the string RESOLV_HOST_CONF. My ping still opens
/etc/resolv.conf when I set this environment variable.

The proposed patch won't help a lot. chsh tcsh; Use csh syntax, or
write a program to pass a suitable environment yourself.

I'd suggest either dropping privileges before opening the file or
simply refusing to use the environment variables when euid != uid
(like the LD_LIBRARY_xx family).

My Slackware 3.0 system is vulnerable. My ping is still not statically
linked. The version in the shared library is being called. Slackware 3.0
uses libc.so.5.0.9, while picasso has libc.so.5.2.18 . Is this the 
significant difference?]
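The two fixes the moderator suggests (ignore the environment override when euid != uid, or drop privileges before the open) and the third defect in the post (a parse error that echoes the file back to the caller) can all be shown in a few lines of C. The code below is an added illustration written for this archive page; it is not the resolv+ library's code. The keyword list is a simplified subset of host.conf syntax, the function names and the two sample file images are constructed for the example, and `/etc/host.conf` is assumed as the default path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_HOST_CONF "/etc/host.conf"   /* assumed default location */

/* Rule 1 (refuse the override): honour RESOLV_HOST_CONF only when the
 * process is not running set-uid/set-gid, i.e. real and effective ids
 * match. This is the same rule the dynamic loader applies to the
 * LD_LIBRARY_* family. Ids are parameters so the policy can be tested
 * without actually being set-uid. */
const char *pick_host_conf(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                           const char *env_value)
{
    if (ruid != euid || rgid != egid)
        return DEFAULT_HOST_CONF;
    if (env_value == NULL || env_value[0] == '\0')
        return DEFAULT_HOST_CONF;
    return env_value;
}

/* Convenience wrapper using the live process identity. */
const char *host_conf_path(void)
{
    return pick_host_conf(getuid(), geteuid(), getgid(), getegid(),
                          getenv("RESOLV_HOST_CONF"));
}

/* Rule 2 (drop privileges around the open): even if the path is
 * user-controlled, open it with the caller's real uid so the kernel's
 * own permission check decides whether the user may read it. */
FILE *open_as_real_user(const char *path)
{
    uid_t saved = geteuid();
    FILE *fp;
    if (seteuid(getuid()) != 0)
        return NULL;
    fp = fopen(path, "r");
    /* If we cannot regain the saved euid we simply stay unprivileged;
     * the caller must not assume it still has root after this point. */
    (void)seteuid(saved);
    return fp;
}

/* Accept blank lines, comments and lines starting with a known keyword.
 * Simplified subset of host.conf keywords, constructed for the example. */
int host_conf_line_ok(const char *line)
{
    static const char *const keywords[] = {
        "order", "trim", "multi", "nospoof", "spoofalert", "reorder", NULL };
    char tok[32];
    size_t n = 0;
    while (*line == ' ' || *line == '\t')
        line++;
    if (*line == '\0' || *line == '#')
        return 1;
    while (line[n] && line[n] != ' ' && line[n] != '\t' && n < sizeof tok - 1) {
        tok[n] = line[n];
        n++;
    }
    tok[n] = '\0';
    for (int i = 0; keywords[i]; i++)
        if (strcmp(tok, keywords[i]) == 0)
            return 1;
    return 0;
}

/* Rule 3 (never echo the file): report only the line number of a bad
 * line, never its contents, and return how many bad lines were seen. */
int validate_host_conf_text(const char *text)
{
    int bad = 0, lineno = 1;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (!host_conf_line_ok(line)) {
            fprintf(stderr, "host.conf: syntax error on line %d\n", lineno);
            bad++;
        }
        if (!nl)
            break;
        p = nl + 1;
        lineno++;
    }
    return bad;
}

/* Constructed sample inputs: a valid config and a file that is clearly
 * not a host.conf (fake shadow-style lines, no real hashes). */
const char GOOD_CONF[] = "# constructed sample\norder hosts,bind\nmulti on\n";
const char NOT_A_CONF[] = "root:*:10000:0:99999:7:::\nnobody:*:10000:0:99999:7:::\n";

int main(void)
{
    const char *path = host_conf_path();
    FILE *fp = open_as_real_user(path);
    if (fp == NULL) {
        fprintf(stderr, "cannot open %s\n", path);
        return 1;
    }
    fclose(fp);
    return validate_host_conf_text(GOOD_CONF) == 0 ? 0 : 1;
}
```

Note the two identity checks complement each other: `pick_host_conf` stops a set-uid binary from ever looking at the override, and `open_as_real_user` protects the case where the path is trusted but the file it names is not readable by the invoking user. The parser then removes the information leak even if both of the other checks were missing.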
