Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Glibc Local Root Exploit
From: Pedro Margate <pedro () ECLIPSE NET>
Date: Wed, 10 Jan 2001 13:40:39 -0500

Greetings,

The implementations of ssh that I'm familiar with (ssh and OpenSSH)
install the ssh binary as suid root by default.  This can be disabled
during configuration or after the fact with chmod.  I believe that would
prevent this exploit from operating.  I've turned off the suid bit on
every ssh installation I've performed and it seems to work the same.  I'm
not sure what reason ssh has to be suid root, nobody I've asked has any
idea.

Regards,
Pedro

On Wed, 10 Jan 2001, Charles Stevenson wrote:

Hi all,
  This has been bouncing around on vuln-dev and the debian-devel lists. It
effects glibc >= 2.1.9x and it would seem many if not all OSes using these
versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
the actual fix was a missing comma in the list of secure env vars that were
supposed to be cleared when a program starts up suid/sgid (including
RESOLV_HOST_CONF)." The exploit varies from system to system but in our
devel version of Yellow Dog Linux I was able to print the /etc/shadow file
as a normal user in the following manner:

export RESOLV_HOST_CONF=/etc/shadow
ssh whatever.host.com

  Other programs have the same effect depending on the defaults for the
system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
(prerelease), and Debian Woody. Others have reported similar results on
slackware and even "home brew[ed]" GNU/Linux.

Best Regards,
Charles Stevenson
Software Engineer

--
  Terra Soft Solutions, Inc
  http://www.terrasoftsolutions.com/

  Yellow Dog Linux
  http://www.yellowdoglinux.com/

  Black Lab Linux
  http://www.blacklablinux.com



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]