https://www.exploit-db.com/exploits/19503
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200011-011

如果环境变量两次提供给一个程序，那么glibc2.1.1版本的unsetenv函数不正确的移动该环境变量，本地用户通过指明它们自己的副本环境变量如LD_PRELOAD或者LD_LIBRARY_PATH从而执行setuid程序中的任意命令。

source: http://www.securityfocus.com/bid/650/info

Lack of user input validation in ProFTPD can lead to a remote root vulnerability.

On systems that support it ProFTPD will attempt to modify the name of the program being executed (argv[0]) to display the command being executed by the logged on user. It does this by using snprintf to copy the input of the user into a buffer.

The call to snprintf is in the 'set_proc_title' function in the main.c source file. It is only compiled in if the define PF_ARGV_TYPE equals the PF_ARGV_WRITABLE define.

ProFTPD passes the user input to snprintf as the format argument string of the function call. This allows remote users to supply possible dangerous format arguments to snprintf. 

Tymm Twillman gives the following example:

- ftp to host
- login (anonymous or no)

(this should be all on one line, no spaces)

ftp> ls aaaXXXX%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%653300u%n

(replace the X's with the characters with ascii values 0xdc,0x4f,0x07,0x08
consecutively)


Since proftpd will pass on user input data to snprintf, argument attacks are easy. The a's at the beginning are just for alignment, the %u's to skip bytes in the stack, the %653300u is to increment the # of bytes that have been "output", and the %n stores that value (whose LSBs have now flipped over to 0) to the location pointed to by the current "argument" -- which just happens to point right after the a's in this string. The bytes that replace the X's are the address where proftpd keeps the current user ID...

Logging in as an anonymous user, you are still restricted as to some of the things you can do. But with a local login, root compromise at this point is trivial. And it is possible to modify this exploit for other systems, and for remote attacks.

来源:BID
名称:648
链接:http://www.securityfocus.com/bid/648
来源:BUGTRAQ
名称:20000831glibcunsetenvbug
链接:http://www.securityfocus.com/archive/1/79537
来源:XF
名称:glibc-ld-unsetenv
链接:http://xforce.iss.net/static/5173.php
来源:TURBO
名称:TLSA2000020-1
链接:http://www.turbolinux.com/pipermail/tl-security-announce/2000-September/000020.html
来源:BID
名称:648
链接:http://www.securityfocus.com/bid/648
来源:BID
名称:1639
链接:http://www.securityfocus.com/bid/1639
来源:REDHAT
名称:RHSA-2000:057
链接:http://www.redhat.com/support/errata/RHSA-2000-057.html
来源:SUSE
名称:20000924glibclocalesecurityproblem
链接:http://www.novell.com/linux/security/advisories/adv5_draht_glibc_txt.html
来源:MANDRAKE
名称:MDKSA-2000:045
链接:http://www.linux-mandrake.com/en/updates/MDKSA-2000-045.php3
来源:MANDRAKE
名称:MDKSA-2000:040
链接:http://www.linux-mandrake.com/en/updates/MDKSA-2000-040.php3
来源:DEBIAN
名称:20000902glibc:localrootexploit
链接:http://www.debian.org/security/2000/20000902
来源:CALDERA
名称:CSSA-2000-028.0
链接:http://www.calderasystems.com/support/securit