COMMAND
glibc
SYSTEMS AFFECTED
Linux
PROBLEM
Charles Stevenson posted the following. This has been bouncing around
on vuln-dev and the debian-devel lists. It affects glibc >= 2.1.9x
and, it would seem, many if not all OSes using these versions of
glibc. Ben Collins writes, "This wasn't supposed to happen, and
the actual fix was a missing comma in the list of secure env vars
that were supposed to be cleared when a program starts up
suid/sgid (including RESOLV_HOST_CONF)." The exploit varies from
system to system, but in a development version of Yellow Dog Linux
they were able to print the /etc/shadow file as a normal user in the
following manner:
export RESOLV_HOST_CONF=/etc/shadow
ssh whatever.host.com
Other programs have the same effect depending on the defaults for
the system. Charles has tested this on Red Hat 7.0, Yellow Dog
Linux 2.0 (prerelease), and Debian Woody. Others have reported
similar results on Slackware and even "home brew[ed]" GNU/Linux.
Further tests showed other glibc versions to be vulnerable (glibc
2.2, 2.2.9, etc.).
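The "missing comma" Ben Collins describes is worth seeing in compilable form, because the mistake produces no warning. The block below is an added example, not glibc's own code: it builds the pre-fix and post-fix lists as macros of the same shape as UNSECURE_ENVVARS, counts how many entries the compiler actually produced from each, and scrubs a constructed environment with each list. The macro names, the list arrays, the helper functions and the sample variable values are assumptions made for this example.

```c
/* Added example, not glibc code: why one missing comma removed two entries
   from the setuid environment scrub list, and a scrub routine that walks
   such a list with a count check so the mistake cannot hide again. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The list as it stood before the fix. There is no comma after
   "RESOLV_HOST_CONF", and C joins adjacent string literals, so the
   compiler sees one entry "RESOLV_HOST_CONFRES_OPTIONS": neither
   RESOLV_HOST_CONF nor RES_OPTIONS is ever removed. */
#define UNSECURE_ENVVARS_BUGGY \
    "GCONV_PATH", \
    "LOCALDOMAIN", \
    "LOCPATH", \
    "MALLOC_TRACE", \
    "NLSPATH", \
    "RESOLV_HOST_CONF" \
    "RES_OPTIONS", \
    "TMPDIR", \
    "TZDIR"

/* The list after the patch: comma restored, HOSTALIASES added. */
#define UNSECURE_ENVVARS_FIXED \
    "GCONV_PATH", \
    "HOSTALIASES", \
    "LOCALDOMAIN", \
    "LOCPATH", \
    "MALLOC_TRACE", \
    "NLSPATH", \
    "RESOLV_HOST_CONF", \
    "RES_OPTIONS", \
    "TMPDIR", \
    "TZDIR"

static const char *const buggy_list[] = { UNSECURE_ENVVARS_BUGGY, NULL };
static const char *const fixed_list[] = { UNSECURE_ENVVARS_FIXED, NULL };

/* Number of entries the compiler actually produced from the macro. */
size_t count_entries(const char *const *list)
{
    size_t n = 0;
    while (list[n] != NULL)
        n++;
    return n;
}

/* 1 if name is an entry of the list exactly (not merely a prefix of one). */
int list_contains(const char *const *list, const char *name)
{
    for (; *list != NULL; list++)
        if (strcmp(*list, name) == 0)
            return 1;
    return 0;
}

/* Remove every listed variable from this process's environment, the way
   the startup code does for a setuid program. Returns how many were set. */
int scrub_environment(const char *const *list)
{
    int removed = 0;
    for (; *list != NULL; list++) {
        if (getenv(*list) != NULL) {
            unsetenv(*list);
            removed++;
        }
    }
    return removed;
}

int main(void)
{
    /* Constructed environment: two of the variables the list should clear. */
    setenv("RESOLV_HOST_CONF", "/constructed/example/path", 1);
    setenv("RES_OPTIONS", "debug", 1);

    printf("buggy list: %zu entries (9 names were intended)\n",
           count_entries(buggy_list));
    printf("fixed list: %zu entries\n", count_entries(fixed_list));

    int removed = scrub_environment(buggy_list);
    printf("buggy list removed %d variable(s); RESOLV_HOST_CONF %s\n", removed,
           getenv("RESOLV_HOST_CONF") ? "survived" : "cleared");

    removed = scrub_environment(fixed_list);
    printf("fixed list removed %d variable(s); RESOLV_HOST_CONF %s\n", removed,
           getenv("RESOLV_HOST_CONF") ? "survived" : "cleared");
    return 0;
}
```

The buggy macro yields eight entries where nine names were written, which is the whole bug: a count check on the expanded list (here `count_entries`) is the cheapest way to make a dropped comma fail a build or a test instead of silently weakening the scrub.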
That exploit can use any suid root program which resolves host
names or, more properly, any suid root program which resolves host
names _while still holding root privileges_. ping from netkit
and traceroute from LBNL do not fall into this category; fping
from SATAN, however, does.
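The distinction drawn above, resolving while still holding root, is an ordering question inside the setuid program. The block below is an added example of the safe ordering; it is not code from netkit ping, LBNL traceroute or fping, and it assumes Linux (setresuid/setresgid). The privileged step (the ICMP raw socket a ping needs) is taken first, root is given up permanently and the drop is verified, and only then is the resolver called, so whatever the resolver reads from the environment is read with the invoking user's rights. AI_NUMERICHOST is set only so the example runs offline; the function names and the fallback uid 65534 are assumptions.

```c
/* Added example, not code from netkit ping, LBNL traceroute or fping:
   do the privileged work first, drop root for good, then resolve names.
   Assumes Linux; setresuid/setresgid are not in POSIX. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes in case _GNU_SOURCE was not seen before the first libc header. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int setgroups(size_t, const gid_t *);

/* Step 1: the one thing that actually needs root. Returns the descriptor,
   or -1 with errno set when the process is not privileged. */
int open_privileged_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Step 2: make real, effective and saved IDs all equal to the target so no
   later seteuid(0) can bring root back. Returns 0 on success, -1 on any
   failure; a real program must abort in that case, not carry on. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups first, while we can still change them. */
    if (geteuid() == 0 && getgroups(0, NULL) > 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group before user: once the uid is gone, setresgid would fail. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify rather than trust: every ID must now be the target... */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* ...and, unless the target is root itself, regaining root must fail. */
    if (uid != 0 && setresuid(0, 0, 0) == 0)
        return -1;
    return 0;
}

int holds_root(void)
{
    return geteuid() == 0;
}

/* Step 3: resolve only once root is gone. Refuses with EPERM if still root,
   so a caller that skipped step 2 fails loudly instead of silently running
   the resolver as root. Writes the dotted quad into out; 0 on success. */
int resolve_unprivileged(const char *host, char *out, size_t outlen)
{
    if (holds_root()) {
        errno = EPERM;
        return -1;
    }
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_flags = AI_NUMERICHOST;  /* offline only; real code omits this */
    if (getaddrinfo(host, NULL, &hints, &res) != 0 || res == NULL)
        return -1;
    struct sockaddr_in *sin = (struct sockaddr_in *)res->ai_addr;
    const char *p = inet_ntop(AF_INET, &sin->sin_addr, out, (socklen_t)outlen);
    freeaddrinfo(res);
    return p != NULL ? 0 : -1;
}

int main(void)
{
    char addr[INET_ADDRSTRLEN];
    int fd = open_privileged_socket();  /* -1 unless started with euid 0 */
    /* Drop to the invoking user; 65534 (nobody on most Linux systems, an
       assumption) is used only when the invoker is root itself. */
    uid_t uid = getuid() != 0 ? getuid() : 65534;
    gid_t gid = getgid() != 0 ? getgid() : 65534;
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    if (resolve_unprivileged("127.0.0.1", addr, sizeof addr) != 0) {
        perror("resolve_unprivileged");
        return 1;
    }
    printf("raw socket fd=%d; resolved as uid %u: %s\n",
           fd, (unsigned)geteuid(), addr);
    if (fd >= 0)
        close(fd);
    return 0;
}
```

The refusal in `resolve_unprivileged` is the part worth copying: a program in fping's category is one where nothing stops the resolver from running with euid 0, and a guard at the call site makes that state an error rather than a quiet exposure.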
SOLUTION
And a patch. Yeah, it's pretty obvious, but nobody's produced it
yet. Of course, it'll take you forever to *compile* the thing.
Index: sysdeps/generic/unsecvars.h
===================================================================
RCS file: /cvs/glibc/libc/sysdeps/generic/unsecvars.h,v
retrieving revision 1.1
retrieving revision 1.3
diff -u -d -b -r1.1 -r1.3
--- unsecvars.h 2000/09/26 09:31:25 1.1
+++ unsecvars.h 2001/01/08 17:54:58 1.3
@@ -1,11 +1,12 @@
/* Environment variable to be removed for SUID programs. */
#define UNSECURE_ENVVARS \
"GCONV_PATH", \
+ "HOSTALIASES", \
"LOCALDOMAIN", \
"LOCPATH", \
"MALLOC_TRACE", \
"NLSPATH", \
- "RESOLV_HOST_CONF" \
+ "RESOLV_HOST_CONF", \
"RES_OPTIONS", \
"TMPDIR", \
"TZDIR"
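Review bot: the root cause is visible in the removed line: `"RESOLV_HOST_CONF" \` carries no trailing comma and is followed by `"RES_OPTIONS", \`, and C concatenates adjacent string literals, so the old macro expanded to a single entry "RESOLV_HOST_CONFRES_OPTIONS" and neither RESOLV_HOST_CONF nor RES_OPTIONS was ever cleared for setuid programs. The added `"RESOLV_HOST_CONF", \` restores both, and `"HOSTALIASES", \` is correctly inserted with its own comma. Since this kind of typo compiles without a warning, suggest a comment on the macro noting that every entry must end in a comma, or a build-time count check on the expanded list, so a dropped comma fails the build rather than the security property.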
Index: resolv/res_query.c
===================================================================
RCS file: /cvs/glibc/libc/resolv/res_query.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -d -b -r1.15 -r1.16
--- res_query.c 2000/07/19 21:59:47 1.15
+++ res_query.c 2001/01/08 17:55:24 1.16
@@ -371,7 +371,7 @@
if (statp->options & RES_NOALIASES)
return (NULL);
- file = __secure_getenv("HOSTALIASES");
+ file = getenv("HOSTALIASES");
if (file == NULL || (fp = fopen(file, "r")) == NULL)
return (NULL);
setbuf(fp, NULL);
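Review bot: replacing `__secure_getenv("HOSTALIASES")` with plain `getenv("HOSTALIASES")` makes this lookup honour the variable whenever it is present in the environment, so its safety in setuid programs now rests entirely on HOSTALIASES having been stripped before main() runs, which is what the unsecvars.h change above provides; __secure_getenv ignored the variable in a setuid process on its own. Any process that reaches this code with an unscrubbed environment would now open the file named in HOSTALIASES. Suggest either keeping __secure_getenv here as defence in depth, or adding a comment above the getenv call stating that the variable is assumed to have been removed at startup for setuid/setgid programs.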
The latest *released* Debian (2.2, aka potato) is not vulnerable
to this problem, since it uses glibc 2.1.3.
For RedHat:
ftp://updates.redhat.com/7.0/SRPMS/glibc-2.2-12.src.rpm
ftp://updates.redhat.com/7.0/alpha/glibc-2.2-12.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/glibc-common-2.2-12.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/glibc-devel-2.2-12.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/glibc-profile-2.2-12.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/nscd-2.2-12.alpha.rpm
ftp://updates.redhat.com/7.0/alphaev6/glibc-2.2-12.alphaev6.rpm
ftp://updates.redhat.com/7.0/i386/glibc-2.2-12.i386.rpm
ftp://updates.redhat.com/7.0/i386/glibc-common-2.2-12.i386.rpm
ftp://updates.redhat.com/7.0/i386/glibc-devel-2.2-12.i386.rpm
ftp://updates.redhat.com/7.0/i386/glibc-profile-2.2-12.i386.rpm
ftp://updates.redhat.com/7.0/i386/nscd-2.2-12.i386.rpm
ftp://updates.redhat.com/7.0/i686/glibc-2.2-12.i686.rpm
For Slackware:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/a1/glibcso.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/d1/glibc.tgz
For Immunix OS:
http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/glibc-2.2-12_imnx_7.i386.rpm
http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/glibc-common-2.2-12_imnx_7.i386.rpm
http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/glibc-devel-2.2-12_imnx_7.i386.rpm
http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/glibc-profile-2.2-12_imnx_7.i386.rpm
http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/nscd-2.2-12_imnx_7.i386.rpm
http://www.immunix.org/ImmunixOS/7.0-beta/updates/SRPMS/glibc-2.2-12_imnx_7.src.rpm
http://immunix.org/ImmunixOS/6.2/updates/RPMS/glibc-2.1.3-22_StackGuard_1.i386.rpm
http://immunix.org/ImmunixOS/6.2/updates/RPMS/glibc-devel-2.1.3-22_StackGuard_1.i386.rpm
http://immunix.org/ImmunixOS/6.2/updates/RPMS/glibc-profile-2.1.3-22_StackGuard_1.i386.rpm
http://immunix.org/ImmunixOS/6.2/updates/RPMS/nscd-2.1.3-22_StackGuard_1.i386.rpm
http://immunix.org/ImmunixOS/6.2/updates/SRPMS/glibc-2.1.3-22_StackGuard_1.src.rpm
For Linux-Mandrake:
Linux-Mandrake 6.0: 6.0/RPMS/glibc-2.1.3-18.2mdk.i586.rpm
6.0/RPMS/glibc-devel-2.1.3-18.2mdk.i586.rpm
6.0/RPMS/glibc-profile-2.1.3-18.2mdk.i586.rpm
6.0/SRPMS/glibc-2.1.3-18.2mdk.src.rpm
Linux-Mandrake 6.1: 6.1/RPMS/glibc-2.1.3-18.2mdk.i586.rpm
6.1/RPMS/glibc-devel-2.1.3-18.2mdk.i586.rpm
6.1/RPMS/glibc-profile-2.1.3-18.2mdk.i586.rpm
6.1/SRPMS/glibc-2.1.3-18.2mdk.src.rpm
Linux-Mandrake 7.0: 7.0/RPMS/glibc-2.1.3-18.2mdk.i586.rpm
7.0/RPMS/glibc-devel-2.1.3-18.2mdk.i586.rpm
7.0/RPMS/glibc-profile-2.1.3-18.2mdk.i586.rpm
7.0/SRPMS/glibc-2.1.3-18.2mdk.src.rpm
Linux-Mandrake 7.1: 7.1/RPMS/glibc-2.1.3-18.1mdk.i586.rpm
7.1/RPMS/glibc-devel-2.1.3-18.1mdk.i586.rpm
7.1/RPMS/glibc-profile-2.1.3-18.1mdk.i586.rpm
7.1/SRPMS/glibc-2.1.3-18.1mdk.src.rpm
Linux-Mandrake 7.2: 7.2/RPMS/glibc-2.1.3-18.3mdk.i586.rpm
7.2/RPMS/glibc-devel-2.1.3-18.3mdk.i586.rpm
7.2/RPMS/glibc-profile-2.1.3-18.3mdk.i586.rpm
7.2/SRPMS/glibc-2.1.3-18.3mdk.src.rpm
Corporate Server 1.0.1: 1.0.1/RPMS/glibc-2.1.3-18.1mdk.i586.rpm
1.0.1/RPMS/glibc-devel-2.1.3-18.1mdk.i586.rpm
1.0.1/RPMS/glibc-profile-2.1.3-18.1mdk.i586.rpm
1.0.1/SRPMS/glibc-2.1.3-18.1mdk.src.rpm
For Trustix:
Trustix is, like many other Linux distributions, based on Glibc
2.1.3 and is therefore open to the "preload hole" discussed in
various postings to bugtraq and other lists. This is a local
security hole, and all users of TSL should upgrade their boxes:
1.2: glibc-2.1.3-14tr.i586.rpm
glibc-devel-2.1.3-14tr.i586.rpm
glibc-profile-2.1.3-14tr.i586.rpm
nscd-2.1.3-14tr.i586.rpm
1.1: glibc-2.1.3-14tr.i586.rpm
glibc-devel-2.1.3-14tr.i586.rpm
glibc-profile-2.1.3-14tr.i586.rpm
nscd-2.1.3-14tr.i586.rpm
1.0: Use the 1.1 packages.
For Caldera Linux:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
RPMS/glibc-2.1.3-6OL.i386.rpm
RPMS/glibc-devel-2.1.3-6OL.i386.rpm
RPMS/glibc-devel-static-2.1.3-6OL.i386.rpm
RPMS/glibc-localedata-2.1.3-6OL.i386.rpm
SRPMS/glibc-2.1.3-6OL.src.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
RPMS/glibc-2.1.3-6S.i386.rpm
RPMS/glibc-devel-2.1.3-6S.i386.rpm
RPMS/glibc-devel-static-2.1.3-6S.i386.rpm
RPMS/glibc-localedata-2.1.3-6S.i386.rpm
SRPMS/glibc-2.1.3-6S.src.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
RPMS/glibc-2.1.3-6.i386.rpm
RPMS/glibc-devel-2.1.3-6.i386.rpm
RPMS/glibc-devel-static-2.1.3-6.i386.rpm
RPMS/glibc-localedata-2.1.3-6.i386.rpm
SRPMS/glibc-2.1.3-6.src.rpm
The Trustix packages can be downloaded from:
ftp://ftp.trustix.net/pub/Trustix/updates/
http://www.trustix.net/pub/Trustix/updates/