Glibc Local Root Exploit (fwd)
mouring at etoh.eviladmin.org
mouring at etoh.eviladmin.org
Fri Jan 12 04:14:47 EST 2001
>Hi all,
> This has been bouncing around on vuln-dev and the debian-devel
>lists. It effects glibc >= 2.1.9x and it would seem many if not all OSes
>using these versions of glibc. Ben Collins writes, "This wasn't supposed
>to happen, and the actual fix was a missing comma in the list of secure
>env vars that were supposed to be cleared when a program starts up
>suid/sgid (including RESOLV_HOST_CONF)." The exploit varies from system
>to system but in our devel version of Yellow Dog Linux I was able to
>print the /etc/shadow file as a normal user in the following manner:
Hmm.. What a wonderful way to start my morning. I can sure confirm that
OpenSSH's ssh w/ RESOLV_HOST_CONF set to /etc/shadow works great for
pulling up passwords on Redhat 7.0/intel (glibc 2.2).
I'm guess I should be thankful I don't run a shell server.
Wonder if NSA's involvement in Linux will improve it. <sigh>
- Ben
More information about the openssh-unix-dev
mailing list