Bugtraq mailing list archives
Solaris2.5.1 dtlogin core
From: akjoele () SIUE EDU (Arve Kjoelen)
Date: Thu, 24 Jul 1997 16:40:54 -0500
We're running Solaris 2.5.1 CDE remotely from some FreeBSD boxes. The other day, I noticed a mod 644 core file in the root directory of the Solaris machine. adb said it was dtlogin which had died of SIGSEGV. Doing a 'strings' on the file revealed not only the encrypted password of a remote dt user, but also the UNENCRYPTED password.

Adding umask 077 to the beginning of /etc/init.d/dtlogin does nothing to prevent this. Also, dtlogin is not affected by the modifications discussed here earlier to set the default umask for all daemons (create /etc/rc?.d/S00rootusr.sh containing 'umask 077'). It looks as if dtlogin explicitly sets its umask to 027. ('nm' on /usr/dt/bin/dtlogin does find a reference to umask).

Temporary fix: create an empty /core file mod 400. All subsequent cores will be created with these permissions.

In general, I think all programs that process passwords should overwrite the unencrypted password immediately after calling crypt(). There is no reason to keep the unencrypted password around in memory. Secondly, but not as critically, it would be nice if the encrypted/hashed passwords could also be overwritten after they're no longer needed.
uname -av
SunOS cerberus 5.5.1 Generic_103640-08 sun4u sparc SUNW,Ultra-1

-Arve Kjoelen
Sys Admin, EE Dept.
Southern Illinois University - Edwardsville.
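The recommendation in the post above (wipe the cleartext right after hashing), combined with turning core files off for the process, as an added example that is not part of the original post or of dtlogin. All function names and the sample password are constructed for illustration, and `demo_hash` is a stand-in for crypt(3) so the block builds without libcrypt.

```c
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Hash callback; a real login program would wrap crypt(3) here. */
typedef const char *(*hash_fn)(const char *cleartext, const char *salt);

/* Zero through a volatile pointer so the stores are not optimized away. */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = buf;
    while (len--) *p++ = 0;
}

/* Set soft and hard core-size limits to 0: no core file is written at all. */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Returns 1 on match. The cleartext is wiped right after hashing, on every path. */
int verify_and_wipe(char *cleartext, size_t buflen, const char *stored, hash_fn hash) {
    const char *h = hash(cleartext, stored);
    secure_wipe(cleartext, buflen);
    return h != NULL && strcmp(h, stored) == 0;
}

/* Constructed stand-in for crypt(3) (FNV-1a, NOT a password hash), demo only. */
static const char *demo_hash(const char *cleartext, const char *salt) {
    static char out[9];
    unsigned int h = 2166136261u;
    (void)salt;
    for (; *cleartext; cleartext++) h = (h ^ (unsigned char)*cleartext) * 16777619u;
    snprintf(out, sizeof out, "%08x", h);
    return out;
}

/* Bit 0: password matched. Bit 1: input buffer is all zero afterwards. */
int demo(const char *typed) {
    char stored[9], buf[64] = {0};
    size_t i;
    int result;
    strcpy(stored, demo_hash("hunter2", NULL));   /* constructed sample account */
    strncpy(buf, typed, sizeof buf - 1);
    result = verify_and_wipe(buf, sizeof buf, stored, demo_hash);
    for (i = 0; i < sizeof buf && buf[i] == 0; i++) {}
    return result | ((i == sizeof buf) << 1);
}
```

Wiping only covers the buffer the program controls; copies left in stdio or toolkit buffers still end up in a core file, which is why the core limit is set to zero as well.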