This is the mail archive of the libc-hacker@cygnus.com mailing list for the glibc project.



Re: Fwd: libc6 vulnerability


>>>>> Joel Klecker writes:

 > This was posted to one of the Debian lists, I tested it with glibc 
 > 2.1 on my i386 system, and it is also vulnerable.

 > --- begin forwarded text
 > Folks:

 > When checking the security of my system, I found that it is vulnerable
 > to the following standard attack (in tcsh syntax):

 > 	env RESOLV_HOST_CONF=/etc/shadow /usr/sbin/traceroute foobar
 >   or	env RESOLV_HOST_CONF=/etc/shadow fping foobar

 > This allows the user to read any (text) file on the system.  My system
 > has:

 > 	netstd	3.07-7.1
 > 	libc6	2.0.105-1.2

 > In other words, it is up to date according to ftp.debian.org.

 > Curiously, my older 486 system at home is not vulnerable to these attacks.

Should we add calls to euidaccess like in the following (not really
tested) patch?

Andreas

1999-02-08  Andreas Jaeger  <aj@arthur.rhein-neckar.de>

	* resolv/res_hconf.c (_res_hconf_init): Check that file is
	accessible by normal user.

--- resolv/res_hconf.c.~1~	Sat Nov 21 08:53:49 1998
+++ resolv/res_hconf.c	Mon Feb  8 08:58:45 1999
@@ -1,4 +1,4 @@
-/* Copyright (C) 1993, 1995, 1996, 1997, 1998 Free Software Foundation, Inc.
+/* Copyright (C) 1993, 1995, 1996, 1997, 1998, 1999 Free Software Foundation, Inc.
    Contributed by David Mosberger (davidm@azstarnet.com).
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -32,13 +32,14 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
 #include <net/if.h>
 
 #include "res_hconf.h"
 
 #define _PATH_HOSTCONF	"/etc/host.conf"
 
-/* Environment vars that all user to override default behavior:  */
+/* Environment vars that allow user to override default behavior:  */
 #define ENV_HOSTCONF	"RESOLV_HOST_CONF"
 #define ENV_SERVORDER	"RESOLV_SERV_ORDER"
 #define ENV_SPOOF	"RESOLV_SPOOF_CHECK"
@@ -311,6 +312,7 @@
 _res_hconf_init (void)
 {
   const char *hconf_name;
+  char *filename;
   int line_num = 0;
   char buf[256], *end, *envval;
   FILE *fp;
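Review bot: the new `filename` variable exists only to hold getenv's result for the check; getenv's `char *` converts to `const char *` implicitly (the old code assigned it straight into `hconf_name`), so `hconf_name = getenv (ENV_HOSTCONF); if (hconf_name == NULL || euidaccess (hconf_name, R_OK) != 0) hconf_name = _PATH_HOSTCONF;` does the same without a second variable. If it is kept, declare it `const char *`, since nothing writes through it.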
@@ -320,8 +322,10 @@
 
   memset (&_res_hconf, '\0', sizeof (_res_hconf));
 
-  hconf_name = getenv (ENV_HOSTCONF);
-  if (hconf_name == NULL)
+  filename = getenv (ENV_HOSTCONF);
+  if (filename != NULL && euidaccess (filename, R_OK) >= 0)
+    hconf_name = filename;
+  else
     hconf_name = _PATH_HOSTCONF;
 
   fp = fopen (hconf_name, "r");
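Review bot: `euidaccess` checks with the effective UID/GID, so in the set-uid-root programs this thread is about (traceroute, fping) it runs as root and `euidaccess ("/etc/shadow", R_OK)` succeeds; the new branch then still hands the attacker's path to `fopen` two lines later and does not do what the ChangeLog entry claims ("accessible by normal user"). The call that checks against the real IDs is `access`, and even that only narrows the window: the name can be re-pointed (a symlink swap) between the check and the `fopen`, so it remains a check-then-use race. The robust fix is not to consult RESOLV_HOST_CONF at all when the process runs set-uid/set-gid, i.e. `if (__libc_enable_secure) hconf_name = NULL; else hconf_name = getenv (ENV_HOSTCONF);`, the same treatment glibc gives other environment variables in secure-execution mode; that also covers RESOLV_SERV_ORDER and RESOLV_SPOOF_CHECK, which this patch leaves honoured. Minor: `euidaccess` returns 0 or -1, so `== 0` reads more clearly than `>= 0`.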

-- 
 Andreas Jaeger   aj@arthur.rhein-neckar.de    jaeger@informatik.uni-kl.de
  for pgp-key finger ajaeger@aixd1.rhrk.uni-kl.de
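An added example, not code from this thread or from glibc, modelling the decision a privileged program (or the library underneath it) has to make before honouring a user-controlled environment variable that names a file, using the RESOLV_HOST_CONF case reported above. The function names `running_privileged`, `choose_host_conf`, `choose_host_conf_unsafe` and `real_user_can_read` are chosen here for illustration; the real/effective ID comparison stands in for glibc's own `__libc_enable_secure` flag, which it takes from the kernel's AT_SECURE auxiliary-vector entry.

```c
/* Added example (not glibc code): which file a resolver should open when the
   caller sets RESOLV_HOST_CONF.  Helper names are assumptions for this
   illustration. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define PATH_HOSTCONF "/etc/host.conf"     /* default used by res_hconf.c */
#define ENV_HOSTCONF  "RESOLV_HOST_CONF"

/* 1 when the process carries privileges its invoker lacks (set-uid or
   set-gid).  glibc takes this from AT_SECURE (__libc_enable_secure);
   comparing real and effective IDs is the classic portable approximation
   and is what this example uses. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Policy of the unpatched res_hconf.c: the variable always wins.  Under a
   set-uid-root traceroute, RESOLV_HOST_CONF=/etc/shadow is opened with
   root's credentials. */
const char *choose_host_conf_unsafe(const char *env_value)
{
    return env_value != NULL ? env_value : PATH_HOSTCONF;
}

/* Hardened policy: a privileged process never lets its invoker pick the
   file.  Nothing is checked and then opened, so there is no race window;
   the attacker-supplied name is simply never used.  An empty value is
   treated as unset. */
const char *choose_host_conf(const char *env_value, int privileged)
{
    if (privileged || env_value == NULL || *env_value == '\0')
        return PATH_HOSTCONF;
    return env_value;
}

/* If an override must be honoured anyway, the question is whether the REAL
   user may read it.  access(2) answers with the real UID/GID; euidaccess(3)
   uses the effective IDs, which in a set-uid-root program are root's, so it
   would approve /etc/shadow.  Even access() only narrows the hole: the path
   can be re-pointed (e.g. through a symlink) between this check and a later
   fopen(), which is why choose_host_conf() refuses instead of checking. */
int real_user_can_read(const char *path)
{
    return access(path, R_OK) == 0;
}

int main(void)
{
    /* Constructed input standing in for the attack in the report above. */
    const char *env_value = "/etc/shadow";
    int privileged = running_privileged();

    printf("privileged: %d\n", privileged);
    printf("unpatched policy opens: %s\n", choose_host_conf_unsafe(env_value));
    printf("hardened policy opens:  %s\n", choose_host_conf(env_value, privileged));
    printf("real user may read %s: %s\n", env_value,
           real_user_can_read(env_value) ? "yes" : "no");
    return 0;
}
```

Run it as an ordinary user and the hardened and unpatched policies agree, because there is nothing to protect; the difference only appears once the binary is set-uid, which is exactly the case `euidaccess` gets wrong and the refusal gets right.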

