Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Glibc Local Root Exploit
From: "Thomas T. Veldhouse" <veldy () VELDY NET>
Date: Wed, 10 Jan 2001 12:31:22 -0600

This does not happen on my machine using glibc-2.2 and openssh-2.3.0p1
following your example.

Tom Veldhouse
veldy () veldy net

----- Original Message -----
From: "Charles Stevenson" <csteven () NEWHOPE TERRAPLEX COM>
Sent: Wednesday, January 10, 2001 1:06 AM
Subject: Glibc Local Root Exploit

Hi all,
  This has been bouncing around on vuln-dev and the debian-devel lists. It
effects glibc >= 2.1.9x and it would seem many if not all OSes using these
versions of glibc. Ben Collins writes, "This wasn't supposed to happen,
the actual fix was a missing comma in the list of secure env vars that
supposed to be cleared when a program starts up suid/sgid (including
RESOLV_HOST_CONF)." The exploit varies from system to system but in our
devel version of Yellow Dog Linux I was able to print the /etc/shadow file
as a normal user in the following manner:

export RESOLV_HOST_CONF=/etc/shadow
ssh whatever.host.com

  Other programs have the same effect depending on the defaults for the
system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
(prerelease), and Debian Woody. Others have reported similar results on
slackware and even "home brew[ed]" GNU/Linux.

Best Regards,
Charles Stevenson
Software Engineer

  Terra Soft Solutions, Inc

  Yellow Dog Linux

  Black Lab Linux

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]