Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:714 |
Message | TELNET resolv_host_conf |
Summary | The RESOLV_HOST_CONF variable is being manipulated on your Telnet host. |
Impact | Elevated privileges (file reads). |
Detailed Information | The RESOLV_HOST_CONF variable, used by suid and sgid applications, isn't properly validated in some versions of glibc. As a result, an attacker can use an suid or sgid root program to read files they are not supposed to have access to. |
Affected Systems | UNIX systems with unpatched glibc 2.1.x or 2.2.x implementations. |
Attack Scenarios | An attacker sets the RESOLV_HOST_CONF variable to the filename of any protected file (for example, /etc/shadow), and then runs an suid or sgid root program. The contents of the protected file are then echoed to the console in a series of error messages. |
Ease of Attack | Simple. |
Corrective Action | Install the latest vendor-supplied glibc implementation. |
Additional References | Arachnids: http://www.whitehats.com/info/IDS369; Bugtraq: http://www.securityfocus.com/bid/2181 |
Rule References | arachnids: 369; bugtraq: 2181; cve: 2001-0170 |
--
DID:330940