Bug 23741 - glibc-2.2-8 vulnerable to remote root exploit
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: glibc
Version: 7.1
Hardware: i386 Linux
Priority: high / Severity: medium
Assigned To: Jakub Jelinek
Aaron Brown
Florence Beta-3
Security
Reported: 2001-01-10 16:14 EST by Wade Minter
Modified: 2016-11-24 10:27 EST (History)
Doc Type: Bug Fix
Last Closed: 2001-01-11 16:16:20 EST
Attachments: None

Description Wade Minter 2001-01-10 16:14:02 EST
Tested on Beta1.  Details follow from bugtraq post:

From: Charles Stevenson <csteven@NEWHOPE.TERRAPLEX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Glibc Local Root Exploit

Hi all,
  This has been bouncing around on vuln-dev and the debian-devel lists. It
affects glibc >= 2.1.9x and it would seem many if not all OSes using these
versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
the actual fix was a missing comma in the list of secure env vars that were
supposed to be cleared when a program starts up suid/sgid (including
RESOLV_HOST_CONF)." The exploit varies from system to system but in our
devel version of Yellow Dog Linux I was able to print the /etc/shadow file
as a normal user in the following manner:

export RESOLV_HOST_CONF=/etc/shadow
ssh whatever.host.com

  Other programs have the same effect depending on the defaults for the
system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
(prerelease), and Debian Woody. Others have reported similar results on
slackware and even "home brew[ed]" GNU/Linux.
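The following is an added illustration, not code from this bug report, from the bugtraq post, or from glibc itself. It reconstructs the class of defect Ben Collins describes ("a missing comma in the list of secure env vars"): in C, two adjacent string literals are concatenated by the compiler, so a dropped comma does not fail the build but silently merges two list entries into one bogus name that never matches. The list contents, the function names (`is_unsecure`, `scrub_env`, `sample_env_leaks`) and the sample environment are all hypothetical; only RESOLV_HOST_CONF and the `/etc/shadow` target come from the post above. The `_Static_assert` on the entry count is the build-time check that would have caught the merged pair.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical reconstruction (not glibc code): two versions of the
 * "unsecure environment variables" list that a dynamic loader scrubs
 * before running a set-user-ID program.  List contents are illustrative.
 *
 * Two adjacent string literals with nothing between them are concatenated
 * by the C compiler, so the missing comma below merges two entries into
 * "RESOLV_HOST_CONFLOCALDOMAIN": neither real variable is ever matched.
 */
static const char *const unsecure_vars_buggy[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "RESOLV_HOST_CONF"      /* <-- missing comma */
    "LOCALDOMAIN",
    "HOSTALIASES",
};

static const char *const unsecure_vars_fixed[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "RESOLV_HOST_CONF",
    "LOCALDOMAIN",
    "HOSTALIASES",
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Build-time check: pin the entry count, so a merged pair of literals
   shows up as a compile error instead of a silent hole in the list. */
_Static_assert(COUNT(unsecure_vars_fixed) == 5, "unsecure var list lost an entry");

/* Return 1 if NAME (the part of an envp entry before '=') is on LIST. */
static int is_unsecure(const char *name, const char *const *list, size_t n)
{
    const char *eq = strchr(name, '=');
    size_t namelen = eq ? (size_t)(eq - name) : strlen(name);
    for (size_t i = 0; i < n; i++)
        if (strlen(list[i]) == namelen && memcmp(name, list[i], namelen) == 0)
            return 1;
    return 0;
}

/* Scrub a NULL-terminated envp in place, dropping every "NAME=value"
   whose NAME is on LIST.  Returns the number of entries removed. */
static int scrub_env(char **envp, const char *const *list, size_t n)
{
    int removed = 0;
    char **out = envp;
    for (char **in = envp; *in != NULL; in++) {
        if (is_unsecure(*in, list, n))
            removed++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return removed;
}

/* Constructed sample environment (not a real capture) mirroring the post:
   a user exports RESOLV_HOST_CONF=/etc/shadow and runs a setuid binary.
   Returns 1 if RESOLV_HOST_CONF survives the scrub, i.e. the resolver in
   the privileged process would be told to read /etc/shadow. */
static int sample_env_leaks(const char *const *list, size_t n)
{
    char v1[] = "PATH=/usr/bin:/bin";
    char v2[] = "RESOLV_HOST_CONF=/etc/shadow";
    char v3[] = "LD_PRELOAD=/tmp/evil.so";
    char v4[] = "HOME=/home/user";
    char *env[] = { v1, v2, v3, v4, NULL };

    scrub_env(env, list, n);
    for (char **p = env; *p != NULL; p++)
        if (strncmp(*p, "RESOLV_HOST_CONF=", 17) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("buggy list has %zu entries, fixed list has %zu\n",
           COUNT(unsecure_vars_buggy), COUNT(unsecure_vars_fixed));
    printf("buggy list: RESOLV_HOST_CONF leaks = %d\n",
           sample_env_leaks(unsecure_vars_buggy, COUNT(unsecure_vars_buggy)));
    printf("fixed list: RESOLV_HOST_CONF leaks = %d\n",
           sample_env_leaks(unsecure_vars_fixed, COUNT(unsecure_vars_fixed)));
    return 0;
}
```

Compiled with any C11 compiler, the buggy list reports four entries instead of five and lets RESOLV_HOST_CONF through to the privileged process; the fixed list drops it along with LD_PRELOAD. Pinning the count (or, as later glibc versions do, storing the list in a form where a missing separator cannot merge two names) is the cheap defence against this whole bug class.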
Comment 1 Jakub Jelinek 2001-01-11 06:20:47 EST
It is not a remote root exploit; I'm not sure it is even a local root exploit
if md5 passwords are used. It just means you can read any file on the filesystem
you want (and some other bug means you can overwrite any file you want
with garbage you don't control).
The fixed rpms are ready, QA will be testing them today, hopefully they will
go out today.
Comment 2 Glen Foster 2001-01-11 16:16:15 EST
This defect is considered MUST-FIX for Florence Gold release
Comment 3 Jakub Jelinek 2001-01-11 17:40:28 EST
Fixed in glibc-2.2-12.
