Rule:  

--
Sid:
714

--
Summary:
The RESOLV_HOST_CONF variable is being manipulated on your Telnet host.

--
Impact:
Elevated priviledges (file reads).

--
Detailed Information:
The RESOLV_HOST_CONF variable, used by suid and sgid applications, isn't properly validated in some versions of glibc.  As a result, an attacker can use an suid or sgid root program to gain access to files they're not supposed to have.

--
Affected Systems:
UNIX systems with unpatched glibc 2.1.x or 2.2.x implementations.

--
Attack Scenarios:
Attacker sets the RESOLVE_HOST_CONF variable to the filename of any protected file (for example, /etc/shadow), and then runs an suid or sgid root program.  The contents of the protected file are then echoed to the console in a series of error messages.

--
Ease of Attack:
Simple.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Install the latest vendor-supplied glibc implementation.

--
Contributors:
Original Rule Writer Unknown
Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)

-- 
Additional References:

--
