Bugtraq mailing list archives
BSD coredumps follow symlinks
From: ronny () TMX COM AU (Ronny Cook)
Date: Thu, 2 Apr 1998 18:02:00 +1000
> Date: Tue, 31 Mar 1998 17:55:40 +6500
> From: Denis Papp <dpapp () CHARRON CS UALBERTA CA>
>
> I have a system running BSD/OS 2.1 with all the patches from BSDi,
> including K210-029 which I quote:
>
> "This patch addresses a security problem with core dumps from setuid
> programs."
>
> I don't know what this patch really does but apparently this patch does
> not fix the problem where coredumps follow symlinks. If a user knows how
> to core dump any setuid root program that user can then clobber any file
> on the system (/root/.rhosts, /etc/passwd, /etc/hosts.equiv, whatever).
> Furthermore if that user knows how to clobber a setuid root program that
> calls getpass* then the user can get all the shadowed passwords.
Not quite all (depending on the size of your password file), but certainly some. [...]
> What can I do about it? Is there a way to turn off core dumps? That
> would be a reasonable temporary fix.
There is a later patch for BSD/OS 3.0 (M300-023) which is described as:

    Fixes a potential denial of service attack related to the kernel
    following symbolic links when writing core files.

which I expect fixes the problem once and for all. The initial release of 3.0 attempted to fix the problem differently and failed. :-)

The M300-023 patch, as nearly as I can tell, doesn't disable SUID core dumps altogether but does prevent them from following symlinks.

Unfortunately, upgrading to 3.0 requires you to pay BSDI. :-( However, if you have access to sources, you can always download that patch yourself, unpack it and apply the source patches included.

If you don't have access to sources, I've back-ported the patch (in a rough & ready fashion) and can supply the modified object file (kern_sig.o) to BSDI licensees. Licence conditions preclude my making it available for public download without explicit permission from BSDI. :-(

...Ronny

-- 
Ronald Cook, Technical Manager - Message Handling Systems/The Message eXchange
Email: ronny () tmx com au ----- Phone: +61-2-9550-4448 ---- Fax: +61-2-9519-2551
All opinions are my own and not those of TMX unless explicitly stated otherwise.
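The thread describes the bug (the kernel opens "core" in the faulting process's working directory and follows whatever an unprivileged user has pointed it at) and the fix (stop following symlinks). The following is an added example, not code from this post, from BSDI, or from the M300-023 patch: it re-creates the two behaviours in user space so the difference can be run on an ordinary Linux/POSIX box without crashing a setuid binary. The naive writer does what the unpatched kernel did; the hardened writer opens with O_NOFOLLOW and then checks, via fstat(), that it holds a plain single-link file owned by the real uid of the dumping user, which is the check a kernel should apply before writing a setuid process's core. The temp directory, the "victim" file and the "core" payload are constructed for the demonstration; function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for the process image the kernel would dump. */
static const char kCoreImage[] = "core image (constructed sample)\n";

/* Unpatched behaviour: open "core" and write to whatever it resolves to.
 * With core -> /etc/passwd planted in the setuid program's cwd, this
 * truncates and overwrites /etc/passwd. */
int naive_core_write(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, kCoreImage, sizeof kCoreImage - 1);
    close(fd);
    return n == (ssize_t)(sizeof kCoreImage - 1) ? 0 : -1;
}

/* Hardened behaviour: O_NOFOLLOW makes open() fail (ELOOP on Linux) when the
 * last component is a symlink; fstat() then rejects anything that is not a
 * plain, single-link file owned by the real uid, so a hard link to a
 * root-owned file is refused too. Truncate only after validation. */
int safe_core_write(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != getuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    if (ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, kCoreImage, sizeof kCoreImage - 1);
    close(fd);
    return n == (ssize_t)(sizeof kCoreImage - 1) ? 0 : -1;
}

/* Constructed scenario in a fresh temp dir: a "victim" file with known
 * content and, when attack != 0, a symlink "core" -> victim (standing in for
 * core -> /etc/passwd). Runs writer on the core path and reports whether the
 * victim was overwritten. Returns the writer's result (errno preserved), or
 * -2 if setup failed. */
int run_scenario(int (*writer)(const char *), int attack, int *victim_clobbered)
{
    const char *tmp = getenv("TMPDIR");
    char dir[256], victim[320], core[320], buf[64] = {0};
    FILE *f;

    snprintf(dir, sizeof dir, "%s/coredemo.XXXXXX", tmp ? tmp : "/tmp");
    if (mkdtemp(dir) == NULL)
        return -2;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(core, sizeof core, "%s/core", dir);

    if ((f = fopen(victim, "w")) == NULL)
        return -2;
    fputs("original\n", f);
    fclose(f);
    if (attack && symlink(victim, core) != 0)
        return -2;

    int rc = writer(core);
    int saved_errno = errno;

    if ((f = fopen(victim, "r")) == NULL)
        return -2;
    fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    *victim_clobbered = strcmp(buf, "original\n") != 0;

    unlink(core);
    unlink(victim);
    rmdir(dir);
    errno = saved_errno;
    return rc;
}

int main(void)
{
    int clobbered, rc;
    rc = run_scenario(naive_core_write, 1, &clobbered);
    printf("naive writer, core is a symlink: rc=%d clobbered=%d\n", rc, clobbered);
    rc = run_scenario(safe_core_write, 1, &clobbered);
    printf("safe writer,  core is a symlink: rc=%d (%s) clobbered=%d\n",
           rc, rc < 0 ? strerror(errno) : "ok", clobbered);
    rc = run_scenario(safe_core_write, 0, &clobbered);
    printf("safe writer,  no symlink:        rc=%d clobbered=%d\n", rc, clobbered);
    return 0;
}
```

Run as an ordinary user: the naive writer reports the victim clobbered, the hardened writer refuses the symlink and leaves it intact, and still succeeds when "core" does not yet exist. The ownership check is against the real uid, which is what matters for a setuid process whose effective uid is root; a kernel that skipped it would still be tricked by a hard link to a root-owned file on filesystems that allow unprivileged users to create one.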