Bugtraq mailing list archives
BSD coredumps follow symlinks
From: dpapp () CHARRON CS UALBERTA CA (Denis Papp)
Date: Tue, 31 Mar 1998 17:55:40 +6500
I have a system running BSD/OS 2.1 with all the patches from BSDi, including K210-029, which I quote: "This patch addresses a security problem with core dumps from setuid programs." I don't know what this patch really does, but apparently this patch does not fix the problem where coredumps follow symlinks.

If a user knows how to core dump any setuid root program, that user can then clobber any file on the system (/root/.rhosts, /etc/passwd, /etc/hosts.equiv, whatever). Furthermore, if that user knows how to clobber a setuid root program that calls getpass*, then the user can get all the shadowed passwords.

This is easy to verify by creating a simple setuid root app that core dumps and then making a symbolic link from app.core to /root/.rhosts. If your system accepts '+ +' anywhere in the .rhosts file, you can put that in your env to get root access.

This concerns me a great deal - apparently 'su' and 'rlogin' are core-dumpable (although I'm not certain how). And I wouldn't be surprised if a few other of the standard utilities that are setuid root are also 'core-dumpable'.

What can I do about it? Is there a way to turn off core dumps? That would be a reasonable temporary fix.

--
Denis Papp
dpapp () cs ualberta ca
http://ugweb.cs.ualberta.ca/~dpapp
Much so-called 'white marble' is really Dolemite.
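Added example, not from the post or from BSDi: the checks a privileged core-file writer (or any setuid program that writes to a predictable path) needs so that a pre-planted symlink is never followed, together with the RLIMIT_CORE workaround the post asks about. Function names and any paths are assumptions; it targets a POSIX C library.

```c
/* Added example (not from the post): a core-file open routine that never
 * follows a symlink, plus the RLIMIT_CORE workaround. Names are hypothetical. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` for writing a core file on behalf of uid `owner` without ever
 * following a symlink: a fresh file is created exclusively; an existing file is
 * reused only if it is a plain file owned by `owner` with one hard link.
 * Returns a write fd, or -1 with errno set. */
int safe_core_open(const char *path, uid_t owner)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0)
        return fd;                       /* brand-new file, nothing to inherit */
    if (errno != EEXIST)
        return -1;

    struct stat sb;                      /* inspect the name itself, not its target */
    if (lstat(path, &sb) < 0)
        return -1;
    if (!S_ISREG(sb.st_mode) || sb.st_uid != owner || sb.st_nlink != 1) {
        errno = EPERM;                   /* symlink, device, foreign file or hard link */
        return -1;
    }
    fd = open(path, O_WRONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat fsb;                     /* the name could have been swapped meanwhile */
    if (fstat(fd, &fsb) < 0 || fsb.st_ino != sb.st_ino || fsb.st_dev != sb.st_dev
        || ftruncate(fd, 0) < 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Temporary workaround: with RLIMIT_CORE at 0 the process writes no core file
 * at all (shell equivalent: `ulimit -c 0`). Returns 0 on success. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}
```

The same owner/link/inode checks apply to any setuid program that creates files at a path an unprivileged user can pre-populate with a symlink.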