Glibc Local Root Exploit (Redhat Announcement)
mouring at etoh.eviladmin.org
Sat Jan 13 03:49:26 EST 2001
I know most of you don't care.. but this looks like the full description
of the glibc issue with redhat updates.

1. Topic:

A couple of bugs in GNU C library 2.2 allow an unprivileged user to read
restricted files and preload libraries in /lib and /usr/lib directories
into SUID programs even if those libraries have not been marked as such by
the system administrator.

2. Relevant releases/architectures:

Red Hat Linux 7.0 - alpha, alphaev6, i386, i686

3. Problem description:

Because of a typo in glibc source RESOLV_HOST_CONF and RES_OPTIONS
variables were not removed from environment for SUID/SGID
programs. LD_PRELOAD variable is honoured normally even for SUID/SGID
applications (but removed afterwards from environment) if it does not
contain `/' characters, but there is a special check which only preloads
found libraries if they have the SUID bit set. If a library has been found
in /etc/ld.so.cache this check was not done though, so a malicious user
could preload some /lib or /usr/lib library before SUID/SGID application
and e.g. create or overwrite a file he did not have permissions to.

[..snip everything else that is not required..]
Complete Report at:
http://linuxtoday.com/news_story.php3?ltsn=2001-01-11-020-04-SC-RH