[18535] in bugtraq
Re: Glibc Local Root Exploit
daemon@ATHENA.MIT.EDU (Thomas T. Veldhouse)
Wed Jan 10 16:50:36 2001
Message-Id: <011d01c07b33$88e288f0$3028680a@tgt.com>
Date: Wed, 10 Jan 2001 12:31:22 -0600
Reply-To: "Thomas T. Veldhouse" <veldy@VELDY.NET>
From: "Thomas T. Veldhouse" <veldy@VELDY.NET>
X-To: Charles Stevenson <csteven@NEWHOPE.TERRAPLEX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
This does not happen on my machine using glibc-2.2 and openssh-2.3.0p1
following your example.
Tom Veldhouse
veldy@veldy.net
----- Original Message -----
From: "Charles Stevenson" <csteven@NEWHOPE.TERRAPLEX.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Wednesday, January 10, 2001 1:06 AM
Subject: Glibc Local Root Exploit
> Hi all,
> This has been bouncing around on vuln-dev and the debian-devel lists. It
> affects glibc >= 2.1.9x and it would seem many if not all OSes using these
> versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
> the actual fix was a missing comma in the list of secure env vars that were
> supposed to be cleared when a program starts up suid/sgid (including
> RESOLV_HOST_CONF)." The exploit varies from system to system but in our
> devel version of Yellow Dog Linux I was able to print the /etc/shadow file
> as a normal user in the following manner:
>
> export RESOLV_HOST_CONF=/etc/shadow
> ssh whatever.host.com
>
> Other programs have the same effect depending on the defaults for the
> system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
> (prerelease), and Debian Woody. Others have reported similar results on
> slackware and even "home brew[ed]" GNU/Linux.
>
> Best Regards,
> Charles Stevenson
> Software Engineer
>
> --
> Terra Soft Solutions, Inc
> http://www.terrasoftsolutions.com/
>
> Yellow Dog Linux
> http://www.yellowdoglinux.com/
>
> Black Lab Linux
> http://www.blacklablinux.com
>
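Added example, not code from either poster: the defence-in-depth check a suid/sgid program can do for itself, so that it never depends on the C library having scrubbed variables such as RESOLV_HOST_CONF. The variable list below is an illustrative subset chosen for this example, not glibc's actual list.

```c
/* Added example, not code from either poster: a suid/sgid program scrubbing
 * untrusted environment variables itself instead of relying on libc. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Illustrative subset of variables that steer libc's resolver and loader;
 * glibc's real unsecure-variable list is longer. */
static const char *const unsafe_vars[] = {
    "RESOLV_HOST_CONF",   /* the variable named in the advisory */
    "RES_OPTIONS",
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    NULL
};

/* Nonzero when real and effective ids differ, as under a suid/sgid binary. */
int running_setid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* When 'privileged' is nonzero, remove every unsafe variable that is set.
 * Returns how many were removed, or -1 if unsetenv fails. The flag is a
 * parameter (callers pass running_setid()) so the scrub can be exercised
 * from an unprivileged process. */
int scrub_unsafe_env(int privileged)
{
    int removed = 0;
    if (!privileged)
        return 0;
    for (const char *const *p = unsafe_vars; *p != NULL; p++) {
        if (getenv(*p) == NULL)
            continue;
        if (unsetenv(*p) != 0)
            return -1;
        removed++;
    }
    return removed;
}

int main(void)
{
    int n = scrub_unsafe_env(running_setid());  /* before any resolver use */
    if (n < 0) { perror("unsetenv"); return 1; }
    printf("setid=%d, removed %d untrusted variable(s)\n", running_setid(), n);
    return 0;
}
```

Run it as an ordinary user and it removes nothing; installed suid (or with the flag forced on) it drops the listed variables before the resolver can read them.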