Re: su core dumped with signal 3. BSD/OS 3.0, 3.1

[Marco Ivaldi <raptor () 0xdeadbeef info>]

On Wed, 12 Mar 2003, Peter Pentchev wrote:

> On Tue, Mar 11, 2003 at 05:30:03PM -0000, Ivan Aleksandrov wrote:
> > rayd@mtelecom:~$ id
> > uid=127(rayd) gid=0(wheel) groups=0(wheel)
> > rayd@mtelecom:~$ su         <------------- (I send "control symbol")
> > Password:Quit (core dumped)
> > rayd@mtelecom:~$
> >
> > rayd@mtelecom:~$ uname -srm
> > BSD/OS 3.1 i386
> > rayd@mtelecom:~$ ls -la `whereis su`
> > -r-sr-xr-x  1 root  bin  2868 Jan 21  1997 /usr/bin/su*
> > rayd@mtelecom:~$ ls -la su.core
> > -rw-------  1 root  wheel  184320 Mar 11 22:17 su.core

[...]

> If the 'control symbol' was Ctrl-\, then this is expected behavior: this
> key combination is *supposed* to send a QUIT signal to the application,
> and the default action on SIGQUIT in all OS's is to terminate the
> process and create a core file.  However, the core file is created as
> the user the application is currently running as: if you cannot read
> root-owned files, you cannot access the information within the corefile,
> thus there is no information leak here (and if you *can* read root-owned
> files, then you already have access to much sensitive information that
> will help you go the rest of the way).
>
> As to exploiting, no, I don't think you can exploit this: the core here
> is a result of the kernel processing a signal sent to the process, not
> of some overflow or invalid memory access or similar.

Just wondering. What happens if you create a symlink to .rhosts and manage
to write a "+ +" in memory before coredump (i've not checked if it's
possible in this particular situation)? Or maybe symlinking /etc/passwd
and causing a DoS condition? This is just an example, but i'm not so sure
it's not possible to exploit this behaviour of a setuid program...

Please correct me if i'm plain wrong:)

:raptor
Antifork Research, Inc.                         0xdeadbeef | raptor's labs
http://www.antifork.org                         http://www.0xdeadbeef.info