Re: Glibc Local Root Exploit
daemon@ATHENA.MIT.EDU (Ari Saastamoinen)
Wed Jan 10 21:59:52 2001
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.10101110135460.20701-100000@vernon.teraflops.com>
Date: Thu, 11 Jan 2001 01:42:52 +0200
Reply-To: Ari Saastamoinen <oh3mqu@VIP.FI>
From: Ari Saastamoinen <oh3mqu@VIP.FI>
X-To: Pedro Margate <pedro@ECLIPSE.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSI.4.05L.10101101335100.24087-100000@mail.eclipse.net>
On Wed, 10 Jan 2001, Pedro Margate wrote:
> install the ssh binary as suid root by default. This can be disabled
> during configuration or after the fact with chmod. I believe that would
That exploit can use any suid root program which resolves host names (for
example ping and traceroute), so you cannot fix that glibc exploit only by
unsetting the SUID bit of the ssh client.
> every ssh installation I've performed and it seems to work the same. I'm
> not sure what reason ssh has to be suid root, nobody I've asked has any
> idea.
By default the ssh client makes its connection from a source socket <1024, and that is
impossible without root privileges. When you run the client as non-root, the
source socket will be >1023, but one can disable this kind of connection
by configuring the ssh daemon.
--
Ari Saastamoinen oh3mqu+bugtraq@vip.fi
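The point of the reply above is that removing the setuid bit from ssh alone does not close the hole, because any setuid-root program that resolves host names goes through the same glibc code. A defender's first step is therefore an inventory: which setuid-root binaries on a host import the resolver at all. The following audit script is an added example and not code from the original thread or from either poster. It assumes a Linux system with dynamically linked ELF binaries, and it uses a constructed list of resolver symbol names (`RESOLVER_SYMBOLS`) and a byte-search heuristic over `.dynstr` rather than a real ELF parser; both are choices made for this example. Statically linked binaries embed the resolver and will not be flagged, so treat the output as a lower bound and confirm with `nm -D` or `objdump -T`.

```python
import os
import stat
import sys

# Resolver entry points a setuid binary might import. This list is an
# assumption chosen for the example; the thread only says "resolves host names".
RESOLVER_SYMBOLS = (b"gethostbyname", b"gethostbyname2", b"gethostbyaddr",
                    b"getaddrinfo", b"getnameinfo", b"res_query")


def is_setuid_owned_by(path, owner_uid=0):
    """True if `path` is a regular file with the setuid bit set and owned by owner_uid.

    Symlinks are not followed, so a link to a setuid file is not counted twice.
    """
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return (stat.S_ISREG(st.st_mode)
            and bool(st.st_mode & stat.S_ISUID)
            and st.st_uid == owner_uid)


def imported_resolver_symbols(path):
    """Heuristic: dynamically linked ELF binaries keep imported symbol names as
    NUL-terminated strings in .dynstr, so a byte search finds resolver imports
    without parsing the ELF section headers. Non-ELF files return [].
    """
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return []
    if not data.startswith(b"\x7fELF"):
        return []
    return [sym.decode() for sym in RESOLVER_SYMBOLS if sym + b"\x00" in data]


def audit_setuid_resolvers(root, owner_uid=0):
    """Walk `root` and return {path: [symbols]} for every setuid file owned by
    owner_uid (root by default) that appears to import a resolver function."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not is_setuid_owned_by(path, owner_uid):
                continue
            syms = imported_resolver_symbols(path)
            if syms:
                findings[path] = syms
    return findings


if __name__ == "__main__":
    # Usage: python audit.py [directory]   (defaults to /usr/bin)
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    for path, syms in sorted(audit_setuid_resolvers(root).items()):
        print(f"{path}: {', '.join(syms)}")
```

Run it against `/usr/bin`, `/usr/sbin` and `/bin`; every hit is a binary whose setuid bit you must either justify or drop independently of ssh, because patching glibc is the only fix that covers all of them at once. The `owner_uid` parameter exists so the checks can be exercised on files you own, as the usage below does.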