Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

BSD coredumps follow symlinks

From: dpapp () CHARRON CS UALBERTA CA (Denis Papp)
Date: Tue, 31 Mar 1998 17:55:40 +6500

I have a system running BSD/OS 2.1 with all the patches from BSDi, including
K210-029 which I quote:
"This patch addresses a security problem with core dumps from setuid programs."

I don't know what this patch really does but apparently this patch does
not fix the problem where coredumps follow symlinks.  If a user knows
how to core dump any setuid root program that user can then clobber any
file on the system (/root/.rhosts, /etc/passwd, /etc/hosts.equiv,
whatever).  Furthermore if that user knows how to clobber
a setuid root program that calls getpass* then the user can get
all the shadowed passwords.

This is easy to verify by creating a simple setuid root app that core
dumps and then making a symbolic link from app.core to /root/.rhosts.
If your system accepts '+ +' anywhere in the .rhosts file you can put that
in your env to get root access.

This concerns me a great deal - apparently 'su' and 'rlogin' are
core-dumpable (although I'm not certain how).  And I wouldn't
be surprised if a few other of the standard utilities that are setuid
root are also 'core-dumpable'.

What can I do about it?  Is there a way to turn off core dumps?  That
would be a reasonable temporary fix.

--
Denis Papp                              dpapp () cs ualberta ca
                                        http://ugweb.cs.ualberta.ca/~dpapp
Much so-called 'white marble' is really Dolemite.
Previous By Date Next
Previous By Thread Next

Current thread: