Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Glibc Local Root Exploit
From: Charles Stevenson <csteven () NEWHOPE TERRAPLEX COM>
Date: Wed, 10 Jan 2001 16:07:13 -0700

on 1/10/01 1:34 PM, KraZee . at krazee () lycos com wrote:

Hello, I run a few slackware boxes and I've tested this vulnerability. Is
there a patch? I haven't seen any vendor patches for this problem yet. I'm
also wondering if this hole is only limited to suids that use environmental
variables (ssh?), the reason I ask is because I was only able to duplicate the
bug by running ssh as root, since its not suid on my systems it didnt read
/etc/shadow. Thanks and I look forward to your reply.

In resolv/res_hconf.c, in the function _res_hconf_init, replace the getenv
call for ENVHOST iirc, (#define for RESOLV_HOST_CONF), with __secure_getenv.

Also I would like to say thanks to Jakub Jelinek as Ben Collins pointed out
my error.

New packages for Yellow Dog 2.0 prerelease, for those of you testing should
be in ruffpack very soon now. In the mean time I would suggest changing the
permissions on all suid/sgid binaries that do host name lookups. Or some of
the other fine suggestions that have been posted. As has been pointed out
this is an old bug that was fixed and has come back.

Charles Stevenson

- Mark

On Wed, 10 Jan 2001 00:06:48
Charles Stevenson wrote:
Hi all,
This has been bouncing around on vuln-dev and the debian-devel lists. It
effects glibc >= 2.1.9x and it would seem many if not all OSes using these
versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
the actual fix was a missing comma in the list of secure env vars that were
supposed to be cleared when a program starts up suid/sgid (including
RESOLV_HOST_CONF)." The exploit varies from system to system but in our
devel version of Yellow Dog Linux I was able to print the /etc/shadow file
as a normal user in the following manner:

export RESOLV_HOST_CONF=/etc/shadow
ssh whatever.host.com

Other programs have the same effect depending on the defaults for the
system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
(prerelease), and Debian Woody. Others have reported similar results on
slackware and even "home brew[ed]" GNU/Linux.

Best Regards,
Charles Stevenson
Software Engineer

Terra Soft Solutions, Inc

Yellow Dog Linux

Black Lab Linux

Get FREE Email/Voicemail with 15MB at Lycos Communications at

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]