Vulnerability Development mailing list archives
Re: su core dumped with signal 3. BSD/OS 3.0, 3.1
From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Wed, 12 Mar 2003 21:26:22 +0100 (CET)
On Wed, 12 Mar 2003, Peter Pentchev wrote:
On Tue, Mar 11, 2003 at 05:30:03PM -0000, Ivan Aleksandrov wrote:rayd@mtelecom:~$ id uid=127(rayd) gid=0(wheel) groups=0(wheel) rayd@mtelecom:~$ su <------------- (I send "control symbol") Password:Quit (core dumped) rayd@mtelecom:~$ rayd@mtelecom:~$ uname -srm BSD/OS 3.1 i386 rayd@mtelecom:~$ ls -la `whereis su` -r-sr-xr-x 1 root bin 2868 Jan 21 1997 /usr/bin/su* rayd@mtelecom:~$ ls -la su.core -rw------- 1 root wheel 184320 Mar 11 22:17 su.core
[...]
If the 'control symbol' was Ctrl-\, then this is expected behavior: this key combination is *supposed* to send a QUIT signal to the application, and the default action on SIGQUIT in all OS's is to terminate the process and create a core file. However, the core file is created as the user the application is currently running as: if you cannot read root-owned files, you cannot access the information within the corefile, thus there is no information leak here (and if you *can* read root-owned files, then you already have access to much sensitive information that will help you go the rest of the way). As to exploiting, no, I don't think you can exploit this: the core here is a result of the kernel processing a signal sent to the process, not of some overflow or invalid memory access or similar.
Just wondering. What happens if you create a symlink to .rhosts and manage to write a "+ +" in memory before coredump (i've not checked if it's possible in this particular situation)? Or maybe symlinking /etc/passwd and causing a DoS condition? This is just an example, but i'm not so sure it's not possible to exploit this behaviour of a setuid program... Please correct me if i'm plain wrong:) :raptor Antifork Research, Inc. 0xdeadbeef | raptor's labs http://www.antifork.org http://www.0xdeadbeef.info
Current thread:
- su core dumped with signal 3. BSD/OS 3.0, 3.1 Ivan Aleksandrov (Mar 11)
- Re: su core dumped with signal 3. BSD/OS 3.0, 3.1 Peter Pentchev (Mar 12)
- Re: su core dumped with signal 3. BSD/OS 3.0, 3.1 Marco Ivaldi (Mar 13)
- Re: su core dumped with signal 3. BSD/OS 3.0, 3.1 Joel Eriksson (Mar 13)
- Re: su core dumped with signal 3. BSD/OS 3.0, 3.1 Marco Ivaldi (Mar 13)
- Re: su core dumped with signal 3. BSD/OS 3.0, 3.1 Peter Pentchev (Mar 12)