[Snort-sigs] SID 714 contrib
gegomez at ...1889...
Mon Sep 22 06:58:36 EDT 2003
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET
The RESOLV_HOST_CONF variable is being manipulated on your Telnet host.
Elevated privileges (file reads).
The RESOLV_HOST_CONF variable, used by suid and sgid applications, isn't
properly validated in some versions of glibc. As a result, an attacker
can use an suid or sgid root program to gain access to files they're not
supposed to have.
UNIX systems with unpatched glibc 2.1.x or 2.2.x implementations.
Attacker sets the RESOLV_HOST_CONF variable to the filename of any
protected file (for example, /etc/shadow), and then runs an suid or sgid
root program. The contents of the protected file are then echoed to the
console in a series of error messages.
Ease of Attack:
Install the latest vendor-supplied glibc implementation.
Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
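
An added example, not part of the original post or of Snort's own code: Python detection logic that looks for the variable name from the write-up in client-to-server Telnet bytes, both in typed data and inside ENVIRON/NEW-ENVIRON option subnegotiations. Checking the environment options is an assumption about where the name can appear; the function names and sample byte strings are constructed for illustration.

```python
import re

# Telnet command bytes (RFC 854) and the two environment options.
IAC, SB, SE = 255, 250, 240
NEGOTIATE = range(251, 255)               # WILL, WONT, DO, DONT: one option byte follows
ENV_OPTIONS = {36, 39}                    # ENVIRON (RFC 1408), NEW-ENVIRON (RFC 1572)
VAR_NAME = re.compile(rb"resolv_host_conf", re.IGNORECASE)

def split_telnet(stream: bytes):
    """Split client-to-server bytes into plain data and (option, body) subnegotiations."""
    data, subs, i, n = bytearray(), [], 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            data.append(stream[i])
            i += 1
        elif i + 1 >= n:
            break                          # dangling IAC at end of capture
        elif stream[i + 1] == IAC:
            data.append(IAC)               # escaped literal 0xFF
            i += 2
        elif stream[i + 1] == SB:
            j = i + 2
            while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
                j += 2 if stream[j] == IAC else 1
            if j + 1 >= n:
                break                      # unterminated subnegotiation
            if j > i + 2:
                subs.append((stream[i + 2], stream[i + 3:j]))
            i = j + 2
        else:
            i += 3 if stream[i + 1] in NEGOTIATE else 2
    return bytes(data), subs

def detect(stream: bytes):
    """Return where the variable name was seen: 'environ-option' and/or 'typed-data'."""
    data, subs = split_telnet(stream)
    hits = ["environ-option" for opt, body in subs
            if opt in ENV_OPTIONS and VAR_NAME.search(body)]
    if VAR_NAME.search(data):
        hits.append("typed-data")
    return hits

# Constructed sample captures (not taken from real traffic).
SAMPLE_ENV = bytes([IAC, SB, 39, 0, 3]) + b"RESOLV_HOST_CONF\x01/etc/shadow" + bytes([IAC, SE])
SAMPLE_TYPED = bytes([IAC, 253, 1]) + b"export resolv_host_conf=/etc/shadow\r\n"
SAMPLE_BENIGN = bytes([IAC, 251, 24]) + b"ls -l\r\n"

if __name__ == "__main__":
    for name in ("SAMPLE_ENV", "SAMPLE_TYPED", "SAMPLE_BENIGN"):
        print(name, detect(globals()[name]))
```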