OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Charles Stevenson (cstevenNEWHOPE.TERRAPLEX.COM)
Date: Wed Jan 10 2001 - 01:06:48 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hi all,
      This has been bouncing around on vuln-dev and the debian-devel lists. It
    effects glibc >= 2.1.9x and it would seem many if not all OSes using these
    versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
    the actual fix was a missing comma in the list of secure env vars that were
    supposed to be cleared when a program starts up suid/sgid (including
    RESOLV_HOST_CONF)." The exploit varies from system to system but in our
    devel version of Yellow Dog Linux I was able to print the /etc/shadow file
    as a normal user in the following manner:

    export RESOLV_HOST_CONF=/etc/shadow
    ssh whatever.host.com

      Other programs have the same effect depending on the defaults for the
    system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
    (prerelease), and Debian Woody. Others have reported similar results on
    slackware and even "home brew[ed]" GNU/Linux.

    Best Regards,
    Charles Stevenson
    Software Engineer

    --
      Terra Soft Solutions, Inc
      http://www.terrasoftsolutions.com/
    

    Yellow Dog Linux http://www.yellowdoglinux.com/

    Black Lab Linux http://www.blacklablinux.com