Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Glibc Local Root Exploit
From: Ben Collins <bcollins () DEBIAN ORG>
Date: Wed, 10 Jan 2001 14:22:22 -0500

On Wed, Jan 10, 2001 at 12:06:48AM -0700, Charles Stevenson wrote:
Hi all,
  This has been bouncing around on vuln-dev and the debian-devel lists. It
effects glibc >= 2.1.9x and it would seem many if not all OSes using these
versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
the actual fix was a missing comma in the list of secure env vars that were
supposed to be cleared when a program starts up suid/sgid (including
RESOLV_HOST_CONF)." The exploit varies from system to system but in our
devel version of Yellow Dog Linux I was able to print the /etc/shadow file
as a normal user in the following manner:

export RESOLV_HOST_CONF=/etc/shadow
ssh whatever.host.com

  Other programs have the same effect depending on the defaults for the
system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
(prerelease), and Debian Woody. Others have reported similar results on
slackware and even "home brew[ed]" GNU/Linux.

Just a note. The latest *released* Debian (2.2, aka potato) is not
vulnerable to this problem, since it uses glibc 2.1.3. Our unreleased
testing and devel (aka woody and sid) dists are vulnerably, atleast
today. The fixed packages are being uploaded, and should be on mirrors
within 24-48 hours.

Don't expect a security announcement from this on Debian, since we only
do that for released distributions, which woody and sid are not.

Also, to give credit where credit is due, Jakub Jelinek actually
produced the patch that fixes this particular problem. I was merely
stating what I knew (in the quote above).

/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins () debian org  --  bcollins () openldap org  --  bcollins () linux com  '

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]