This is the mail archive of the libc-hacker@cygnus.com mailing list for the glibc project.
Re: Fwd: libc6 vulnerability
- To: Joel Klecker <jk@espy.org>
- Subject: Re: Fwd: libc6 vulnerability
- From: Andreas Jaeger <aj@arthur.rhein-neckar.de>
- Date: 08 Feb 1999 09:04:55 +0100
- Cc: libc-hacker@cygnus.com
- Mail-Copies-To: never
- References: <v04104403b2e42ed63a52@[206.163.71.146]>
>>>>> Joel Klecker writes:
> This was posted to one of the Debian lists. I tested it with glibc
> 2.1 on my i386 system, and it is also vulnerable.
> --- begin forwarded text
> Folks:
> When checking the security of my system, I found that it is vulnerable
> to the following standard attack (in tcsh syntax):
> env RESOLV_HOST_CONF=/etc/shadow /usr/sbin/traceroute foobar
> or env RESOLV_HOST_CONF=/etc/shadow fping foobar
> This allows the user to read any (text) file on the system. My system
> has:
> netstd 3.07-7.1
> libc6 2.0.105-1.2
> In other words, it is up to date according to ftp.debian.org.
> Curiously, my older 486 system at home is not vulnerable to these attacks.
Should we add calls to euidaccess like in the following (not really
tested) patch?
Andreas
1999-02-08 Andreas Jaeger <aj@arthur.rhein-neckar.de>
* resolv/res_hconf.c (_res_hconf_init): Check that file is
accessible by normal user.
--- resolv/res_hconf.c.~1~ Sat Nov 21 08:53:49 1998
+++ resolv/res_hconf.c Mon Feb 8 08:58:45 1999
@@ -1,4 +1,4 @@
-/* Copyright (C) 1993, 1995, 1996, 1997, 1998 Free Software Foundation, Inc.
+/* Copyright (C) 1993, 1995, 1996, 1997, 1998, 1999 Free Software Foundation, Inc.
Contributed by David Mosberger (davidm@azstarnet.com).
The GNU C Library is free software; you can redistribute it and/or
@@ -32,13 +32,14 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <unistd.h>
#include <net/if.h>
#include "res_hconf.h"
#define _PATH_HOSTCONF "/etc/host.conf"
-/* Environment vars that all user to override default behavior: */
+/* Environment vars that allow user to override default behavior: */
#define ENV_HOSTCONF "RESOLV_HOST_CONF"
#define ENV_SERVORDER "RESOLV_SERV_ORDER"
#define ENV_SPOOF "RESOLV_SPOOF_CHECK"
@@ -311,6 +312,7 @@
_res_hconf_init (void)
{
const char *hconf_name;
+ char *filename;
int line_num = 0;
char buf[256], *end, *envval;
FILE *fp;
@@ -320,8 +322,10 @@
memset (&_res_hconf, '\0', sizeof (_res_hconf));
- hconf_name = getenv (ENV_HOSTCONF);
- if (hconf_name == NULL)
+ filename = getenv (ENV_HOSTCONF);
+ if (filename != NULL && euidaccess (filename, R_OK) >= 0)
+ hconf_name = filename;
+ else
hconf_name = _PATH_HOSTCONF;
fp = fopen (hconf_name, "r");
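Review bot: euidaccess() checks the path against the effective user and group IDs, so in a set-user-ID-root program such as the traceroute in the report the effective uid is 0 and `euidaccess (filename, R_OK)` succeeds for /etc/shadow; as written, the new check does not stop the reported attack. The ChangeLog intent ("accessible by normal user") calls for the real IDs, which is what access(2) uses, or, simpler and not exposed to the check-then-open window between the `euidaccess` call and `fopen (hconf_name, "r")`, ignoring ENV_HOSTCONF altogether whenever getuid() != geteuid() or getgid() != getegid(). Minor: euidaccess returns 0 or -1, so `== 0` reads more directly than `>= 0`.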
--
Andreas Jaeger aj@arthur.rhein-neckar.de jaeger@informatik.uni-kl.de
for pgp-key finger ajaeger@aixd1.rhrk.uni-kl.de