'export RESOLV_HOST_CONF= any file you want' local vulnerability

To: <security@debian.org>, <debian-security@lists.debian.org>
Subject: 'export RESOLV_HOST_CONF= any file you want' local vulnerability
From: thomas lakofski <thomas@88.net>
Date: Mon, 8 Jan 2001 13:34:52 +0000 (GMT)
Message-id: <[🔎] Pine.LNX.4.31.0101081331280.20955-100000@io.88.net>

Hi,

A friend of mine just tried this against my unstable box and successfully
obtained the contents of /etc/shadow.

I imagine that this is a problem in libc -- I'll leave it to
security@debian.org to file bug reports.

cheers,

Thomas

-- 
          who's watching your watchmen?
gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
2B72 53DB 8104 2041 BDB4  F053 4AE5 01DF 81FD 4B43

---------- Forwarded message ----------
From: Techno Bob <tbob@TECHIE.COM>
To: VULN-DEV@SECURITYFOCUS.COM
Date: Sat, 6 Jan 2001 17:23:35 -0500
Subject: Re: traceroute-4.4BSD (slack) heap overflow

------Original Message------

Yep, I know, that's exactly why I posted it here, because I found no proper
way to exploit it, even by modifying /etc/hosts :)
Btw, isn't there any environment variable that allows you to specify the
hosts file being used?

-------------------------------
Yep, try this:


$ export RESOLV_HOST_CONF= any file you want

And this can be done by user-level because this used to be a way to view
/etc/shadow.
Combine this with the exploit method I suggested earlier and you've got a
pretty plausable exploitation method.

Thanx
TBob
"Veni Vermini Vomui"


______________________________________________
FREE Personalized Email at Mail.com
Sign up at http://www.mail.com/?sr=signup

Reply to:

Follow-Ups:
- Re: 'export RESOLV_HOST_CONF= any file you want' local vulnerability
  - From: thomas lakofski <thomas@88.net>

Prev by Date: Re: Encrypted file transfer
Next by Date: IP spoofing protection
Previous by thread: Re: Encrypted file transfer
Next by thread: Re: 'export RESOLV_HOST_CONF= any file you want' local vulnerability
Index(es):
- Date
- Thread