Bugtraq mailing list archives

Re: Solaris 2.3 login


From: mengel () dcdmwm fnal gov (Marc W. Mengel)
Date: Fri, 12 Aug 1994 14:45:49 CDT


In <199408121258.HAA04845 () freeside fc net>  you write:
 
    Can someone please explain what the security implications are if a
    program results in a coredump? I have discovered several programs here on
    my machines that can result in these.  How could an intruder use these to
    gain access?  What are the best ways of combatting this?

This first of all isn't much of an issue if the program is not running
as a privileged user.  Of course if you can trick a privileged user
into running it, then...

Overall though, it depends on why it's dropping core: if you can give it
extra long input strings, etc. that cause it to drop core, then
you can probably give it suitably formatted extra long input strings
that cause it to execute a particular piece of code (i.e. exec a shell).
This is the old fingerd-crack approach where you send a long string,
overflow a buffer onto the stack, which makes the return address from
strcpy or some such now return to the buffer, and execute it.  This 
requires some knowledge of the program being executed, but can be figured 
out most easily from the core file it generates from a known long string...

Other tricks involve making symlinks named core and causing various files
to be scribbled on -- this generally gives denial of service attacks, but
if for example your environment shows up early in the core file, you can 
stuff things in your environment that look a lot like password file entries,
etc.

I'm sure folks on the list here can come up with a few more specific 
examples, but that's the general gist of it.

marc
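The fingerd-style bug Marc describes, shown as an added example that is not from the post: a hypothetical request handler copies input into a fixed-size stack buffer with strcpy, beside a bounds-checked version that truncates and reports oversize input so the caller can reject it. BUF_SZ and the handle_request_* names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 64   /* assumed buffer size for the illustration */

/* Vulnerable pattern: strcpy copies the whole request into a fixed-size
 * stack buffer, so any request longer than BUF_SZ-1 bytes overwrites
 * whatever follows the buffer on the stack (saved registers, return
 * address). A long input therefore crashes the program (the core dump
 * the original question asks about) or worse. Not called with long
 * input here. */
void handle_request_unsafe(const char *request)
{
    char buf[BUF_SZ];
    strcpy(buf, request);          /* no length check at all */
    printf("finger %s\n", buf);
}

/* Hardened version: never write past out_sz, always NUL-terminate, and
 * tell the caller whether the request fit (1) or was truncated (0) so an
 * oversize request can be rejected instead of silently clipped. */
int handle_request_safe(const char *request, char *out, size_t out_sz)
{
    size_t len;
    if (out_sz == 0)
        return 0;
    len = strlen(request);
    if (len >= out_sz) {           /* would not fit with its terminator */
        memcpy(out, request, out_sz - 1);
        out[out_sz - 1] = '\0';
        return 0;
    }
    memcpy(out, request, len + 1); /* copies the terminating NUL too */
    return 1;
}

int main(void)
{
    char out[BUF_SZ];
    char longreq[200];             /* constructed oversize input */

    memset(longreq, 'A', sizeof longreq - 1);
    longreq[sizeof longreq - 1] = '\0';

    handle_request_unsafe("alice");            /* short input: fine */
    if (!handle_request_safe(longreq, out, sizeof out))
        printf("rejected: request exceeds %d bytes\n", BUF_SZ - 1);
    return 0;
}
```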


