On Wed, 10 Jan 2001, Charles Stevenson wrote:
> Hi all,
> This has been bouncing around on vuln-dev and the debian-devel lists. It
> effects glibc >= 2.1.9x and it would seem many if not all OSes using these
> versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
> the actual fix was a missing comma in the list of secure env vars that were
> supposed to be cleared when a program starts up suid/sgid (including
> RESOLV_HOST_CONF)." The exploit varies from system to system but in our
> devel version of Yellow Dog Linux I was able to print the /etc/shadow file
> as a normal user in the following manner:
>
> export RESOLV_HOST_CONF=/etc/shadow
> ssh whatever.host.com
Exploit discovered discussed and fixed circa August 1996.
Original Announcement:
http://www.securityfocus.com/templates/archive.pike?list=1&mid=5222
Discussion thread:
http://www.securityfocus.com/templates/archive.pike?end=2001-01-13&start=2001-01-07&tid=5239&threads=0&list=1&;
--
Joe Technical Support
General Support: [EMAIL PROTECTED] Blarg! Online Services, Inc.
Voice: 425/401-9821 or 888/66-BLARG http://www.blarg.net
