[18544] in bugtraq
Re: Glibc Local Root Exploit
daemon@ATHENA.MIT.EDU (Brian)
Wed Jan 10 21:24:10 2001
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
micalg=sha1; boundary="------------ms48C35039E4349EE609DF62E0"
Message-Id: <3A5CCCAF.9184F64A@magenet.com>
Date: Wed, 10 Jan 2001 15:57:19 -0500
Reply-To: Brian <bruns@MAGENET.COM>
From: Brian <bruns@MAGENET.COM>
X-To: Charles Stevenson <csteven@NEWHOPE.TERRAPLEX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
This is a cryptographically signed message in MIME format.
--------------ms48C35039E4349EE609DF62E0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
In bash, simplest way to discourage idiots who are going to do this is
to put the following in /etc/bashrc or /etc/profile (if you use Bash, I
dont know about tcsh or the others):
readonly RESOLV_HOST_CONF=""
Its not fool-proof, and wont last long, and definately wont stop those
intent on doing damage, but hopefully this problem will get fixed
quickly...
Brian Bruns
Valley Of The Mage Consulting
http://www.magenet.com
ICQ: 8077511
Charles Stevenson wrote:
>
> Hi all,
> This has been bouncing around on vuln-dev and the debian-devel lists. It
> effects glibc >= 2.1.9x and it would seem many if not all OSes using these
> versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
> the actual fix was a missing comma in the list of secure env vars that were
> supposed to be cleared when a program starts up suid/sgid (including
> RESOLV_HOST_CONF)." The exploit varies from system to system but in our
> devel version of Yellow Dog Linux I was able to print the /etc/shadow file
> as a normal user in the following manner:
>
> export RESOLV_HOST_CONF=/etc/shadow
> ssh whatever.host.com
>
> Other programs have the same effect depending on the defaults for the
> system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
> (prerelease), and Debian Woody. Others have reported similar results on
> slackware and even "home brew[ed]" GNU/Linux.
>
> Best Regards,
> Charles Stevenson
> Software Engineer
>
> --
> Terra Soft Solutions, Inc
> http://www.terrasoftsolutions.com/
>
> Yellow Dog Linux
> http://www.yellowdoglinux.com/
>
> Black Lab Linux
> http://www.blacklablinux.com
--------------ms48C35039E4349EE609DF62E0
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIIICQYJKoZIhvcNAQcCoIIH+jCCB/YCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
BdwwggKrMIICFKADAgECAgMD4uYwDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlpBMRUw
EwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEPMA0GA1UEChMGVGhh
d3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwg
RnJlZW1haWwgUlNBIDIwMDAuOC4zMDAeFw0wMTAxMDEyMzUxMzFaFw0wMjAxMDEyMzUxMzFa
MGIxHzAdBgNVBAMTFlRoYXd0ZSBGcmVlbWFpbCBNZW1iZXIxIDAeBgkqhkiG9w0BCQEWEWJy
dW5zQG1hZ2VuZXQuY29tMR0wGwYJKoZIhvcNAQkBFg5icnVuc0B2ZG90Lm5ldDCBnzANBgkq
hkiG9w0BAQEFAAOBjQAwgYkCgYEAuI4TO7WwHWjc1JL17cPWfgVQTAzY977+MMj949wdhoif
lmdAF+rQ3IVMcDtIE5H02M+zx1Ml8Fq2Hc/+nmZOlWUd2o6S4lAxC2LvtXI58TCizzqFGwUp
yDmUQQSPoQTDnpkrALwKseZLw0SCI96Hi3CftJXOclpvKGcSX0DWBtMCAwEAAaM+MDwwLAYD
VR0RBCUwI4ERYnJ1bnNAbWFnZW5ldC5jb22BDmJydW5zQHZkb3QubmV0MAwGA1UdEwEB/wQC
MAAwDQYJKoZIhvcNAQEEBQADgYEASwb4FVI9JpBGfc+zQDY2qALXb0xs3M23p/LRe4txP3oM
KWafiN1Id5efYtBo53D2JjwPRK1tvyhRqapeL2+uEX0og45l5O4C6H17ZTgiaX0S8X/E63bA
cjj8dPgUMRsMs6OgS3UCBj1YGgWHzE5eBrfewVIxpSUGRtyvrZV3OGowggMpMIICkqADAgEC
AgEMMA0GCSqGSIb3DQEBBAUAMIHRMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBD
YXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xGjAYBgNVBAoTEVRoYXd0ZSBDb25zdWx0aW5nMSgw
JgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMSQwIgYDVQQDExtUaGF3
dGUgUGVyc29uYWwgRnJlZW1haWwgQ0ExKzApBgkqhkiG9w0BCQEWHHBlcnNvbmFsLWZyZWVt
YWlsQHRoYXd0ZS5jb20wHhcNMDAwODMwMDAwMDAwWhcNMDIwODI5MjM1OTU5WjCBkjELMAkG
A1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMQ8w
DQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQD
Ex9QZXJzb25hbCBGcmVlbWFpbCBSU0EgMjAwMC44LjMwMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDeMzKmY8cJJUU+0m54J2eBxdqIGYKXDuNEKYpjNSptcDz63K737nRvMLwzkH/5
NHGgo22Y8cNPomXbDfpL8dbdYaX5hc1VmjUanZJ1qCeu2HL5ugL217CR3hzpq+AYA6h8Q0JQ
UYeDPPA5tJtUihOH/7ObnUlmAC0JieyUa+mhaQIDAQABo04wTDApBgNVHREEIjAgpB4wHDEa
MBgGA1UEAxMRUHJpdmF0ZUxhYmVsMS0yOTcwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E
BAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAcxtvJmWL/xU0S1liiu1EvknH6A27j7kNaiYqYoQf
uIdjdBxtt88aU5FL4c3mONntUPQ6bDSSrOaSnG7BIwHCCafvS65y3QZn9VBvLli4tgvBUFe1
7BzX7xe21Yibt6KIGu05Wzl9NPy2lhglTWr0ncXDkS+plrgFPFL83eliA0gxggH1MIIB8QIB
ATCBmjCBkjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ
Q2FwZSBUb3duMQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZp
Y2VzMSgwJgYDVQQDEx9QZXJzb25hbCBGcmVlbWFpbCBSU0EgMjAwMC44LjMwAgMD4uYwCQYF
Kw4DAhoFAKCBsTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0w
MTAxMTAyMDU3MTlaMCMGCSqGSIb3DQEJBDEWBBTUkZnsn9YQ3BDCcZ90w1lecoec1DBSBgkq
hkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAHBgUrDgMCBzANBggq
hkiG9w0DAgIBQDANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASBgJoGYvAlqgDNRlz/
S4GUMO3EvsgNhNfZQ9/PQSjAvK8EOnznltKe/MPMAe0S+s/XzwUuHfuwbjk4zekFYci6xHHQ
2uGedI49E79TzEpLAZWon8OpsCXflIw69bm7BCvXy01QTVk4wHoIN75D6ZFdfGZjU0aKLOiu
tyRT0+2l0iqs
--------------ms48C35039E4349EE609DF62E0--
