[18551] in bugtraq

home help back first fref pref prev next nref lref last post

Re: Glibc Local Root Exploit

daemon@ATHENA.MIT.EDU (Charles Stevenson)
Wed Jan 10 21:46:33 2001

Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Message-Id:  <B6823931.E9C%csteven@newhope.terraplex.com>
Date:         Wed, 10 Jan 2001 16:07:13 -0700
Reply-To: Charles Stevenson <csteven@NEWHOPE.TERRAPLEX.COM>
From: Charles Stevenson <csteven@NEWHOPE.TERRAPLEX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <PBFCPMIHNKJEGAAA@mailcity.com>

on 1/10/01 1:34 PM, KraZee . at krazee@lycos.com wrote:

> Hello, I run a few slackware boxes and I've tested this vulnerability. Is
> there a patch? I haven't seen any vendor patches for this problem yet. I'm
> also wondering if this hole is only limited to suids that use environmental
> variables (ssh?), the reason I ask is because I was only able to duplicate the
> bug by running ssh as root, since it's not suid on my systems it didn't read
> /etc/shadow. Thanks and I look forward to your reply.

In resolv/res_hconf.c, in the function _res_hconf_init, replace the getenv
call for ENVHOST, iirc (the #define for RESOLV_HOST_CONF), with __secure_getenv.

Also I would like to say thanks to Jakub Jelinek as Ben Collins pointed out
my error.

New packages for Yellow Dog 2.0 prerelease, for those of you testing, should
be in ruffpack very soon now. In the meantime I would suggest changing the
permissions on all suid/sgid binaries that do host name lookups, or some of
the other fine suggestions that have been posted. As has been pointed out,
this is an old bug that was fixed and has come back.

Cheers,
Charles Stevenson

> - Mark
> --
>
> On Wed, 10 Jan 2001 00:06:48
> Charles Stevenson wrote:
>> Hi all,
>> This has been bouncing around on vuln-dev and the debian-devel lists. It
>> affects glibc >= 2.1.9x and it would seem many if not all OSes using these
>> versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
>> the actual fix was a missing comma in the list of secure env vars that were
>> supposed to be cleared when a program starts up suid/sgid (including
>> RESOLV_HOST_CONF)." The exploit varies from system to system but in our
>> devel version of Yellow Dog Linux I was able to print the /etc/shadow file
>> as a normal user in the following manner:
>>
>> export RESOLV_HOST_CONF=/etc/shadow
>> ssh whatever.host.com
>>
>> Other programs have the same effect depending on the defaults for the
>> system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
>> (prerelease), and Debian Woody. Others have reported similar results on
>> slackware and even "home brew[ed]" GNU/Linux.
>>
>> Best Regards,
>> Charles Stevenson
>> Software Engineer
>>
>> --
>> Terra Soft Solutions, Inc
>> http://www.terrasoftsolutions.com/
>>
>> Yellow Dog Linux
>> http://www.yellowdoglinux.com/
>>
>> Black Lab Linux
>> http://www.blacklablinux.com
>>
>
>
> Get FREE Email/Voicemail with 15MB at Lycos Communications at
> http://comm.lycos.com

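The fix Charles describes, swapping getenv for __secure_getenv when a setuid/setgid program reads RESOLV_HOST_CONF, comes down to one rule: never honour an attacker-controlled environment variable while running with privileges the invoking user does not have. The C program below is an added illustration of that pattern and is not code from glibc or from any message in this thread. It assumes Linux (for getauxval(AT_SECURE), which the kernel sets on privileged execs) and falls back to comparing real and effective ids elsewhere; the function names, the default path /etc/host.conf and the constructed override path are assumptions for the demonstration. Modern glibc exposes the same behaviour publicly as secure_getenv() (2.17 and later).

```c
/* Added example: honouring an environment override only when the process
 * is NOT running with elevated privileges. Mirrors the __secure_getenv
 * change described in the thread; names below are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE): kernel marks setuid/setgid/capability execs */
#endif

#define DEFAULT_HCONF "/etc/host.conf"   /* assumed default resolver config path */

/* Return non-zero when the process must treat its environment as untrusted:
 * the kernel flagged the exec as secure, or real and effective ids differ. */
int running_secure(void)
{
#ifdef __linux__
    if (getauxval(AT_SECURE))
        return 1;
#endif
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pure selection logic, separated so it can be tested for both modes:
 * env_value is whatever getenv("RESOLV_HOST_CONF") returned (may be NULL),
 * secure is the result of running_secure(). */
const char *select_hconf_path(const char *env_value, int secure)
{
    /* In secure mode the override is ignored entirely, which is exactly what
     * stops a setuid program from opening /etc/shadow as its "host.conf". */
    if (secure || env_value == NULL || env_value[0] == '\0')
        return DEFAULT_HCONF;
    return env_value;
}

/* Vulnerable pattern from the thread: unconditional getenv. Kept only to
 * show the contrast; a privileged program must not do this. */
const char *hconf_path_unsafe(void)
{
    const char *p = getenv("RESOLV_HOST_CONF");
    return (p && p[0]) ? p : DEFAULT_HCONF;
}

/* Hardened equivalent: the override is consulted only when unprivileged. */
const char *hconf_path(void)
{
    return select_hconf_path(getenv("RESOLV_HOST_CONF"), running_secure());
}

int main(void)
{
    /* Constructed input: an override that a user could export before running
     * a setuid binary. In a normal (non-setuid) process it is honoured. */
    setenv("RESOLV_HOST_CONF", "/tmp/constructed-host.conf", 1);
    printf("secure exec: %d\n", running_secure());
    printf("unsafe lookup would read: %s\n", hconf_path_unsafe());
    printf("hardened lookup reads:    %s\n", hconf_path());
    /* Simulate the privileged case without actually being setuid. */
    printf("hardened, secure mode:    %s\n",
           select_hconf_path(getenv("RESOLV_HOST_CONF"), 1));
    return 0;
}
```

A quick audit check for the class of bug in the thread is to grep a setuid program (or the libraries it links) for getenv calls on variables that name files or search paths and confirm each one goes through secure_getenv or an equivalent real-vs-effective id test; the kernel's AT_SECURE flag is the authoritative signal, since it also covers file capabilities that a plain uid comparison misses.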