Bug 23741 - glibc-2.2-8 vulnerable to remote root exploit
Summary: glibc-2.2-8 vulnerable to remote root exploit
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: glibc   
Version: 7.1
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Aaron Brown
Whiteboard: Florence Beta-3
Keywords: Security
Depends On:
Reported: 2001-01-10 21:14 UTC by Wade Minter
Modified: 2016-11-24 15:27 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-01-11 21:16:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Wade Minter 2001-01-10 21:14:02 UTC
Tested on Beta1.  Details follow from bugtraq post:

From: Charles Stevenson <csteven@NEWHOPE.TERRAPLEX.COM>
Subject: Glibc Local Root Exploit

Hi all,
  This has been bouncing around on vuln-dev and the debian-devel lists. It
affects glibc >= 2.1.9x and it would seem many if not all OSes using these
versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
the actual fix was a missing comma in the list of secure env vars that were
supposed to be cleared when a program starts up suid/sgid (including
RESOLV_HOST_CONF)." The exploit varies from system to system but in our
devel version of Yellow Dog Linux I was able to print the /etc/shadow file
as a normal user in the following manner:

export RESOLV_HOST_CONF=/etc/shadow
ssh whatever.host.com

  Other programs have the same effect depending on the defaults for the
system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
(prerelease), and Debian Woody. Others have reported similar results on
Slackware and even "home brew[ed]" GNU/Linux.
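
The mechanism Ben Collins describes (a dropped comma in a C array of variable names) in a constructed example added here, not glibc's actual table or code: adjacent string literals concatenate, so the merged entry never matches RESOLV_HOST_CONF and the scrub leaves it set. The two lists, scrub_environment and survives_scrub are hypothetical names for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed lists for illustration only; NOT glibc's real table.
 * In C two adjacent string literals are concatenated, so the dropped
 * comma below silently turns two entries into the single name
 * "RESOLV_HOST_CONFRES_OPTIONS", which no real variable ever matches. */
static const char *const unsafe_vars_buggy[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "RESOLV_HOST_CONF"      /* <-- missing comma */
    "RES_OPTIONS",
    "HOSTALIASES",
    NULL
};

static const char *const unsafe_vars_fixed[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "RESOLV_HOST_CONF",
    "RES_OPTIONS",
    "HOSTALIASES",
    NULL
};

/* Remove every listed variable from the environment, as a set-id program
 * should before trusting anything; returns how many were actually present. */
int scrub_environment(const char *const *list) {
    int removed = 0;
    for (; *list != NULL; ++list)
        if (getenv(*list) != NULL) { unsetenv(*list); removed++; }
    return removed;
}

/* Set `name` to a constructed value, scrub with `list`, and report whether
 * the variable survived (1) or was cleared (0). */
int survives_scrub(const char *const *list, const char *name) {
    setenv(name, "/constructed/path", 1);
    scrub_environment(list);
    int left = getenv(name) != NULL;
    unsetenv(name);
    return left;
}

int main(void) {
    printf("buggy table: RESOLV_HOST_CONF survives = %d\n",
           survives_scrub(unsafe_vars_buggy, "RESOLV_HOST_CONF"));
    printf("fixed table: RESOLV_HOST_CONF survives = %d\n",
           survives_scrub(unsafe_vars_fixed, "RESOLV_HOST_CONF"));
    return 0;
}
```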

Comment 1 Jakub Jelinek 2001-01-11 11:20:47 UTC
It is not a remote root exploit, I'm not sure it is even a local root exploit
if MD5 passwords are used, it just means you can read any file on the filesystem
you want (and some other bug means you can overwrite any file you want
with garbage you don't control).
The fixed rpms are ready, QA will be testing them today, hopefully they will
go out today.

Comment 2 Glen Foster 2001-01-11 21:16:15 UTC
This defect is considered MUST-FIX for Florence Gold release

Comment 3 Jakub Jelinek 2001-01-11 22:40:28 UTC
Fixed in glibc-2.2-12.
