[18541] in bugtraq
Re: Glibc Local Root Exploit
daemon@ATHENA.MIT.EDU (Joe)
Wed Jan 10 21:11:10 2001
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.3.95.1010110133348.17281A-100000@animal.blarg.net>
Date: Wed, 10 Jan 2001 13:36:24 -0800
Reply-To: joe@blarg.net
From: Joe <joe@BLARG.NET>
X-To: Charles Stevenson <csteven@NEWHOPE.TERRAPLEX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <B6815818.E3F%csteven@newhope.terraplex.com>
On Wed, 10 Jan 2001, Charles Stevenson wrote:
> Hi all,
> This has been bouncing around on vuln-dev and the debian-devel lists. It
> affects glibc >= 2.1.9x and it would seem many if not all OSes using these
> versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
> the actual fix was a missing comma in the list of secure env vars that were
> supposed to be cleared when a program starts up suid/sgid (including
> RESOLV_HOST_CONF)." The exploit varies from system to system but in our
> devel version of Yellow Dog Linux I was able to print the /etc/shadow file
> as a normal user in the following manner:
>
> export RESOLV_HOST_CONF=/etc/shadow
> ssh whatever.host.com
Exploit discovered, discussed and fixed circa August 1996.
Original Announcement:
http://www.securityfocus.com/templates/archive.pike?list=1&mid=5222
Discussion thread:
http://www.securityfocus.com/templates/archive.pike?end=2001-01-13&start=2001-01-07&tid=5239&threads=0&list=1&
--
Joe Technical Support
General Support: support@blarg.net Blarg! Online Services, Inc.
Voice: 425/401-9821 or 888/66-BLARG http://www.blarg.net
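
The "missing comma" failure mode quoted above, as an added example that is not part of the original messages and is not glibc's source: in C, adjacent string literals are concatenated, so a dropped comma silently merges two entries of a scrub list and neither variable gets cleared. The list contents, `scrub_env`, `survives` and the sample environment are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical scrub lists for illustration; not glibc's actual table.
   Buggy: no comma after "LD_PRELOAD", so the compiler builds the single
   entry "LD_PRELOADRESOLV_HOST_CONF" and the list has 3 entries, not 4. */
static const char *const unsecure_buggy[] = {
    "LD_LIBRARY_PATH", "LD_PRELOAD"
    "RESOLV_HOST_CONF", "LOCALDOMAIN",
};
static const char *const unsecure_fixed[] = {
    "LD_LIBRARY_PATH", "LD_PRELOAD",
    "RESOLV_HOST_CONF", "LOCALDOMAIN",
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
/* Build-time guard: a merged or dropped entry changes the count. */
_Static_assert(COUNT(unsecure_fixed) == 4, "scrub list entry count changed");

/* Drop every "NAME=value" in the NULL-terminated env whose NAME is in
   list; compacts env in place and returns the number of entries kept. */
static size_t scrub_env(char **env, const char *const *list, size_t n)
{
    size_t kept = 0;
    for (size_t i = 0; env[i] != NULL; i++) {
        const char *eq = strchr(env[i], '=');
        size_t len = eq ? (size_t)(eq - env[i]) : strlen(env[i]);
        int drop = 0;
        for (size_t j = 0; j < n && !drop; j++)
            drop = strlen(list[j]) == len && strncmp(env[i], list[j], len) == 0;
        if (!drop)
            env[kept++] = env[i];
    }
    env[kept] = NULL;
    return kept;
}

/* Returns 1 if name is still set after scrubbing a constructed sample
   environment with the given list, 0 if it was cleared. */
static int survives(const char *name, const char *const *list, size_t n)
{
    char e0[] = "PATH=/usr/bin", e1[] = "RESOLV_HOST_CONF=/tmp/sample";
    char e2[] = "LD_PRELOAD=/tmp/x.so", *env[] = { e0, e1, e2, NULL };
    size_t len = strlen(name);
    scrub_env(env, list, n);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return 1;
    return 0;
}
int main(void)
{
    printf("survives: buggy=%d fixed=%d\n",
           survives("RESOLV_HOST_CONF", unsecure_buggy, COUNT(unsecure_buggy)),
           survives("RESOLV_HOST_CONF", unsecure_fixed, COUNT(unsecure_fixed)));
    return 0;
}
```

The same `_Static_assert` applied to the buggy list would stop the build, which is the cheap regression check for this class of typo.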