Glibc Local Root Exploit (fwd)
mouring at etoh.eviladmin.org
Fri Jan 12 04:41:36 EST 2001
On Thu, 11 Jan 2001, Pekka Savola wrote:
> On Thu, 11 Jan 2001 mouring at etoh.eviladmin.org wrote:
> > Hmm.. What a wonderful way to start my morning. I can sure confirm that
> > OpenSSH's ssh w/ RESOLV_HOST_CONF set to /etc/shadow works great for
> > pulling up passwords on Redhat 7.0/intel (glibc 2.2).
> >
> > I'm guessing I should be thankful I don't run a shell server.
> >
> > Wonder if NSA's involvement in Linux will improve it. <sigh>
>
> Luckily enough this isn't OpenSSH specific; you can do this with ~any
> setuid application that doesn't drop privileges soon enough.
>
> However, ping and traceroute in RHL7 do though.
>
<nod> I was just skimming bugtraq on the topic.. Which begs to have two
questions brought up.
1) What reason stops us from requiring ./configure --with-suid and having
it be non-suid by default? (I guess the question that has to be asked..
'Is it worth emulating rsh/rlogin/etc out of the box nowadays?')
2) Where is the correct 'sweet' spot to drop privilege to stop this type
of attack (Assuming there is such a spot for every OS).
- Ben
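For the second question (where a setuid program should drop privilege), the following is an added illustration, not code from OpenSSH or from anyone on this thread. It shows the ordering a setuid helper needs: do the privileged work first, then permanently drop to the caller's real ids, and only then run anything that consults the environment (the glibc resolver reading RESOLV_HOST_CONF is the case above). It assumes Linux/glibc semantics for setreuid/setregid/setgroups, and the list of environment variables it scrubs is a defender's assumption beyond the one variable named in the thread. The hostile value planted by `demo_scrub` is the constructed `/etc/shadow` case from the mail.

```c
/* Added example (not from the original thread): a setuid helper that drops
 * privilege permanently before any environment-steered library code runs.
 * Assumes Linux/glibc semantics for setreuid/setregid/setgroups. */
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Environment variables glibc honours that a still-privileged process must
 * not trust. RESOLV_HOST_CONF is the one from the thread; the others are a
 * defender's addition on the same principle (an assumption, not from the mail). */
static const char *const risky_env[] = {
    "RESOLV_HOST_CONF", "HOSTALIASES", "LD_PRELOAD", "LD_LIBRARY_PATH", NULL
};

/* Remove every variable in risky_env; returns how many were present. */
int scrub_environment(void)
{
    int removed = 0;
    for (const char *const *p = risky_env; *p != NULL; p++) {
        if (getenv(*p) != NULL) {
            unsetenv(*p);
            removed++;
        }
    }
    return removed;
}

/* Permanently take on the caller's real uid/gid. Order matters: supplementary
 * groups first (needs root), then gid, then uid, because after the uid drop
 * the gid can no longer be changed. On Linux, setre*id(r, r) with r != -1
 * also overwrites the saved id, so the drop cannot be undone. Returns 0 on
 * success, -1 on any failure (the caller must abort, not continue). */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) == -1)
        return -1;
    if (setregid(rgid, rgid) == -1)
        return -1;
    if (setreuid(ruid, ruid) == -1)
        return -1;
    /* Verify rather than assume: effective ids must now equal the real ids. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

/* After a drop, report whether the former effective uid can be regained.
 * A correct permanent drop makes this impossible (returns 0). If old_euid is
 * already the real uid there was nothing to regain (also 0). */
int privileges_regainable(uid_t old_euid)
{
    if (old_euid == getuid())
        return 0;
    if (seteuid(old_euid) == 0) {
        seteuid(getuid());   /* saved id was not cleared: put it down again */
        return 1;
    }
    return 0;
}

/* Self-check: plant the constructed hostile value from the thread, scrub,
 * and confirm it is gone. Returns 1 on success. */
int demo_scrub(void)
{
    setenv("RESOLV_HOST_CONF", "/etc/shadow", 1);   /* constructed input */
    int removed = scrub_environment();
    return removed >= 1 && getenv("RESOLV_HOST_CONF") == NULL;
}

/* Self-check: drop privilege and confirm it is permanent. Returns 1 on success. */
int demo_drop(void)
{
    uid_t old_euid = geteuid();
    if (drop_privileges_permanently() != 0)
        return 0;
    return geteuid() == getuid() && getegid() == getgid()
        && privileges_regainable(old_euid) == 0;
}

int main(void)
{
    /* 1. Privileged work (raw socket, host key...) would go here, before
     *    anything that could be steered by the caller's environment.
     * 2. Then drop, scrub, and only then call resolver or other library code. */
    int dropped = demo_drop();
    int scrubbed = demo_scrub();
    printf("uid=%u euid=%u dropped=%d scrubbed=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), dropped, scrubbed);
    return (dropped && scrubbed) ? 0 : 1;
}
```

Run as an ordinary user the drop is a no-op that still passes its own verification; run as root it exercises the full path. The point of `privileges_regainable` is that a drop which only changes the effective uid (plain `seteuid`) leaves the saved uid behind, and that check is what catches it.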