Vulnerability Development mailing list archives
Re: su core dumped with signal 3. BSD/OS 3.0, 3.1
From: Peter Pentchev <roam () ringlet net>
Date: Wed, 12 Mar 2003 09:19:00 +0200
On Tue, Mar 11, 2003 at 05:30:03PM -0000, Ivan Aleksandrov wrote:
rayd@mtelecom:~$ id uid=127(rayd) gid=0(wheel) groups=0(wheel) rayd@mtelecom:~$ su <------------- (I send "control symbol") Password:Quit (core dumped) rayd@mtelecom:~$ rayd@mtelecom:~$ uname -srm BSD/OS 3.1 i386 rayd@mtelecom:~$ ls -la `whereis su` -r-sr-xr-x 1 root bin 2868 Jan 21 1997 /usr/bin/su* rayd@mtelecom:~$ ls -la su.core -rw------- 1 root wheel 184320 Mar 11 22:17 su.core root@mtelecom:/usr/home/rayd# gdb --core=su.core GDB 4.16 (i386-unknown-bsdi3.0), Copyright 1996 Free Software Foundation, Inc. Core was generated by `su'. Program terminated with signal 3, Quit. #0 0xa004cbde in ?? () It is a serious bug? Possible to write exploit? or with signal 3 it's impossible? WTF?
If the 'control symbol' was Ctrl-\, then this is expected behavior: this key combination is *supposed* to send a QUIT signal to the application, and the default action on SIGQUIT in all OS's is to terminate the process and create a core file. However, the core file is created as the user the application is currently running as: if you cannot read root-owned files, you cannot access the information within the corefile, thus there is no information leak here (and if you *can* read root-owned files, then you already have access to much sensitive information that will help you go the rest of the way). As to exploiting, no, I don't think you can exploit this: the core here is a result of the kernel processing a signal sent to the process, not of some overflow or invalid memory access or similar. It might be argued that su(1) and similar programs should catch a couple of signals and not leave core files lying around, but this is a different topic IMHO. In short, no, you can neither exploit this nor gain information from it. G'luck, Peter -- Peter Pentchev roam () ringlet net roam () sbnd net roam () FreeBSD org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 I am the meaning of this sentence.
Attachment:
_bin
Description:
Current thread:
- su core dumped with signal 3. BSD/OS 3.0, 3.1 Ivan Aleksandrov (Mar 11)
- Re: su core dumped with signal 3. BSD/OS 3.0, 3.1 Peter Pentchev (Mar 12)
- Re: su core dumped with signal 3. BSD/OS 3.0, 3.1 Marco Ivaldi (Mar 13)
- Re: su core dumped with signal 3. BSD/OS 3.0, 3.1 Joel Eriksson (Mar 13)
- Re: su core dumped with signal 3. BSD/OS 3.0, 3.1 Marco Ivaldi (Mar 13)
- Re: su core dumped with signal 3. BSD/OS 3.0, 3.1 Peter Pentchev (Mar 12)