[3203] in bugtraq
Re: libresolv+ bug
daemon@ATHENA.MIT.EDU (Jon Lewis)
Sun Aug 18 19:26:41 1996
Date: Sun, 18 Aug 1996 18:02:26 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Jon Lewis <jlewis@inorganic5.fdt.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <Pine.LNX.3.91.960818160211.277B-100000@tcpip>

On Sun, 18 Aug 1996, Brian Mitchell wrote:
> On Sun, 18 Aug 1996, Theo Van Dinter wrote:
>
> > In response to the libresolv+ hole ... I'm sure there's a better/more
> > encompassing/cleaner method of fixing it, but here's my patch for ping (I
> > have the Netkit-B-0.07A source for ping (linux)... It just switches the
> > effective uid to nobody (default 65534) around a certain gethostbyname ...
> > This fixed the problem as far as I can tell on my system...
I'm no expert in this...but I'm trying. Why setuid to nobody, why is
your nobody 65534, and why hard code that uid??
> What about using unsetenv() to remove the vile variables from the
> environment at the beginning of the program.
>
> Of course, this all needs to be in libc, kludging your way around ping,
> rlogin, traceroute, and especially ssh is not a good thing.
I also patched NetKit-B-0.07A (ping, rcp, rsh, rlogin) and traceroute
last night such that they seteuid(getuid()) as line 1 of main() and then
do a setuid(0) just before function calls that need root, and
seteuid(getuid()) immediately after those calls. This sort of thing
should probably have been done in the first place.
I then found that other things, like sendmail, have the same hole, and
started looking into hacking libc...but found it much easier to add
RESOLV_HOST_CONF as one of the forbidden env variables for suid programs
in ld.so and ld-linux.so. It seems to me to be a sort of bandaid
solution...but looks good enough for the short term.
I sent my patches off to the NetKit-B maintainer, and have them installed
on several systems.
BTW...unified diffs are much nicer to look at.
Was this just a Linux problem, or are other OS's vulnerable in the same
way? Our FreeBSD box didn't seem vulnerable.
------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/hr.
________Finger jlewis@inorganic5.fdt.net for PGP public key_______
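The bracketing Jon describes (seteuid(getuid()) as the first line of main(), root regained only around the calls that need it) combined with Brian's unsetenv() suggestion, as an added C example that is not code from this thread or from NetKit-B; it assumes a POSIX system with seteuid(), and the function names and the raw-socket step are illustrative.

```c
/* Added example, not code from the thread or from NetKit-B. Assumes a
 * POSIX system with seteuid(); function names are hypothetical. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Remove RESOLV_HOST_CONF (the variable the thread is about) before any
 * resolver call can honour it. Returns 1 if it was set, else 0. */
int scrub_resolver_env(void)
{
    if (getenv("RESOLV_HOST_CONF") == NULL) return 0;
    return unsetenv("RESOLV_HOST_CONF") == 0;
}

/* "Line 1 of main()": run as the invoking user, keeping root recoverable.
 * Returns 0 on success; a no-op when the binary is not setuid. */
int drop_to_real_uid(void) { return seteuid(getuid()); }

/* Regain root only for the duration of one call, then drop it again.
 * Returns -1 if root cannot be regained; aborts if it cannot be dropped. */
int with_root(int (*op)(void))
{
    uid_t real = getuid();
    if (seteuid(0) != 0) return -1;
    int rc = op();
    if (seteuid(real) != 0) abort();   /* never keep running as root */
    return rc;
}

/* The one step a ping-like tool needs root for: a raw ICMP socket. */
static int open_icmp_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

int main(int argc, char **argv)
{
    if (drop_to_real_uid() != 0) return 1;
    scrub_resolver_env();
    /* The lookup now runs with the real uid, so a caller-supplied resolver
     * config can only read files the invoking user could read anyway. */
    const char *host = argc > 1 ? argv[1] : "localhost";
    if (gethostbyname(host) == NULL) return 2;
    int fd = with_root(open_icmp_socket);
    printf("resolved %s; raw socket fd=%d\n", host, fd);
    return fd < 0 ? 3 : 0;
}
```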