[18587] in bugtraq

Re: Glibc Local Root Exploit

daemon@ATHENA.MIT.EDU (Matt Zimmerman)
Fri Jan 12 16:26:53 2001

Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID:  <20010111122745.V8682@alcor.net>
Date:         Thu, 11 Jan 2001 12:27:51 -0500
Reply-To: Matt Zimmerman <mdz@CSH.RIT.EDU>
From: Matt Zimmerman <mdz@CSH.RIT.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.10101110135460.20701-100000@vernon.teraflops.com>;
              from oh3mqu@VIP.FI on Thu, Jan 11, 2001 at 01:42:52AM +0200

On Thu, Jan 11, 2001 at 01:42:52AM +0200, Ari Saastamoinen wrote:

> On Wed, 10 Jan 2001, Pedro Margate wrote:
>
> > install the ssh binary as suid root by default.  This can be disabled
> > during configuration or after the fact with chmod.  I believe that would
>
> That exploit can use any suid root program which resolves host names. (For
> example ping and traceroute) So you cannot fix that glibc exploit only by
> unsetting SUID bit of ssh client.

Or more properly, an suid root program which resolves host names _while still
holding root privileges_.  ping from netkit and traceroute from LBNL do not
fall into this category.  fping from SATAN, however, does.

-- 
 - mdz
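
The ordering this message describes, as an added C example that is not part of the original post and not taken from any program named in it: a setuid-root tool finishes its privileged step, permanently drops to the invoking user, and only then enters resolver code. The function names and the use of getaddrinfo() are assumptions made for illustration.

```c
#include <sys/socket.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Nonzero while the effective uid/gid still differs from the invoking
 * user's, i.e. while privileges granted by the suid/sgid bit are held. */
int holds_suid_privileges(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}

/* Permanently drop to the invoking user. Returns 0 on success, -1 on failure.
 * Group first: once the uid is dropped, setgid() is no longer permitted. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Verify the drop is irreversible for a non-root invoker. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return holds_suid_privileges() ? -1 : 0;
}

/* Resolve a host name, refusing to enter resolver code while privileged.
 * Returns 0 and fills *res on success (caller frees with freeaddrinfo). */
int resolve_unprivileged(const char *host, struct addrinfo **res)
{
    struct addrinfo hints;
    if (holds_suid_privileges())
        return -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    return getaddrinfo(host, NULL, &hints, res) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    struct addrinfo *res = NULL;
    /* The privileged step (e.g. opening a raw socket) would go here, first. */
    if (drop_privileges() != 0) { fputs("cannot drop privileges\n", stderr); return 1; }
    if (resolve_unprivileged(argc > 1 ? argv[1] : "localhost", &res) != 0) return 1;
    freeaddrinfo(res);
    return 0;
}
```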
