Glibc Local Root Exploit (fwd)

mouring at etoh.eviladmin.org mouring at etoh.eviladmin.org
Fri Jan 12 04:14:47 EST 2001


>Hi all,
>  This has been bouncing around on vuln-dev and the debian-devel
>lists. It affects glibc >= 2.1.9x and it would seem many if not all OSes
>using these versions of glibc. Ben Collins writes, "This wasn't supposed
>to happen, and the actual fix was a missing comma in the list of secure
>env vars that were supposed to be cleared when a program starts up
>suid/sgid (including RESOLV_HOST_CONF)." The exploit varies from system
>to system but in our devel version of Yellow Dog Linux I was able to
>print the /etc/shadow file  as a normal user in the following manner:

Hmm.. What a wonderful way to start my morning.  I can sure confirm that
OpenSSH's ssh w/ RESOLV_HOST_CONF set to /etc/shadow works great for
pulling up passwords on Redhat 7.0/intel (glibc 2.2).

I'm guessing I should be thankful I don't run a shell server.

Wonder if NSA's involvement in Linux will improve it. <sigh>

- Ben
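The quoted note pins the bug on a missing comma in glibc's list of environment variables to clear when a program starts setuid/sgid. The added example below is not glibc's code or anything from the list; it reconstructs the bug class with constructed names and a constructed scrub routine, and shows why one missing comma silently drops two names, plus the audit check that catches it.

```c
#include <stdio.h>
#include <string.h>
/* Constructed reconstruction of the bug class the thread describes (not glibc's
 * source): a missing comma lets the compiler fuse two adjacent string literals
 * into one entry, so two names silently vanish from the scrub list. The
 * variable names are the commonly cited ones, not quoted from the page. */
static const char *const buggy_unsecure_vars[] = {
    "LD_PRELOAD",
    "RESOLV_HOST_CONF"   /* comma missing: fuses with the next literal */
    "RES_OPTIONS",
    NULL
};
static const char *const fixed_unsecure_vars[] = {
    "LD_PRELOAD", "RESOLV_HOST_CONF", "RES_OPTIONS", NULL
};
/* Audit helper: is this exact name present in the list? */
int list_has(const char *const *list, const char *name) {
    for (; *list; list++)
        if (strcmp(*list, name) == 0) return 1;
    return 0;
}
/* Drop every NAME=value entry whose NAME is in list, compacting env in place
 * (what the loader must do before a setuid program starts). Returns the
 * number of entries removed. */
int scrub_env(char **env, const char *const *list) {
    int removed = 0;
    char **out = env;
    for (char **in = env; *in; in++) {
        const char *eq = strchr(*in, '=');
        size_t nlen = eq ? (size_t)(eq - *in) : strlen(*in);
        int drop = 0;
        for (const char *const *n = list; *n && !drop; n++)
            drop = strlen(*n) == nlen && strncmp(*n, *in, nlen) == 0;
        if (drop) removed++; else *out++ = *in;
    }
    *out = NULL;
    return removed;
}
/* Scrub a constructed environment; a correct list removes both resolver vars. */
int scrub_sample(const char *const *list) {
    char *env[] = { "PATH=/usr/bin", "RESOLV_HOST_CONF=/etc/shadow",
                    "RES_OPTIONS=debug", "HOME=/home/user", NULL };
    return scrub_env(env, list);
}
int main(void) {
    printf("buggy list removes %d entries, fixed list removes %d\n",
           scrub_sample(buggy_unsecure_vars), scrub_sample(fixed_unsecure_vars));
    return 0;
}
```

A unit test asserting `list_has(list, name)` for every name the scrub list is supposed to contain is the cheapest regression guard against this class of typo.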