[5619] in bugtraq


Re: digital unix 4.0 hole

daemon@ATHENA.MIT.EDU (Johan Danielsson)
Sat Nov 15 15:15:01 1997

Date: 	Sat, 15 Nov 1997 03:11:35 +0100
Reply-To: Johan Danielsson <joda@PDC.KTH.SE>
From: Johan Danielsson <joda@PDC.KTH.SE>
X-To:         John McDonald <jmcdonal@OSPREY.UNF.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  John McDonald's message of Fri, 14 Nov 1997 12:37:20 -0500

John McDonald <jmcdonal@OSPREY.UNF.EDU> writes:

> If you run dbx (tested on 3.11.10) on a setuid root program that you
> have read access to, the program will core dump and create a root
> owned 600 perm core in the current directory.

The problem isn't procfs per se, but rather that it causes the program
to dump core.

What happens is that in core(), vn_open() is called just before it's
supposed to `temporarily restore real user/group ids for file
operations'. For anyone with source, the fun happens around line 4350
in kernel/bsd/kern_sig.c.

If you're *real* paranoid about this, you might be able to:

# cp /vmunix /vmunix.save
# dbx /vmunix
dbx version 3.11.10
Type 'help' for help.

main:    Source not available

warning: Files compiled -g3: parameter values probably wrong
(dbx) ((unsigned*)core+82)/1 i
  [core:5261, 0xfffffc000026ff48]       and     r1, r2, r1
(dbx) patch *((unsigned*)core+82) = 0x203f0001
  [core:5261, 0xfffffc000026ff48]       lda     r1, 1(r31)
(dbx) q
# reboot

This might work with 4.0[ABC]; I haven't tried it though. :-) It
should completely disable all core dumps.

/Johan
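The ordering problem Johan describes (the core file is opened while the process still carries the setuid program's effective credentials, so the file lands on disk owned by root) is a kernel bug, and his fix is a kernel binary patch. As an added, portable counterpart that is not from the original message, the C below shows what a setuid program can do on its own side: detect that it is running with elevated effective ids and clamp RLIMIT_CORE to zero before doing anything else, so no core file is produced regardless of which credentials the kernel would use to create it. It uses only the standard POSIX getrlimit/setrlimit and get*id interfaces; the function names (is_privilege_elevated, disable_core_dumps, core_dumps_disabled, guard_setuid_core) are my own and not from Digital Unix or from the message.

```c
/* Added example (not from the original post): an application-side guard
 * against leaving a privileged core file behind. Portable POSIX only. */
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 when the effective ids differ from the real ids, i.e. the process
 * is a setuid/setgid program running on behalf of a less-privileged caller. */
int is_privilege_elevated(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Set the core-file size limit of this process (and anything it execs) to
 * zero. Both soft and hard limits are lowered, so an unprivileged child
 * cannot raise it again. Returns 0 on success, -1 on failure (errno set). */
int disable_core_dumps(void)
{
    struct rlimit rl;
    rl.rlim_cur = 0;
    rl.rlim_max = 0;
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Return 1 if the current soft core limit is zero, 0 if not, -1 on error.
 * Used to verify that the clamp actually took effect. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return rl.rlim_cur == 0 ? 1 : 0;
}

/* Call this first thing in main() of a setuid/setgid program. If privileges
 * are elevated it refuses to let the process dump core at all; a non-setuid
 * invocation is left alone. Returns 0 when the process is safe (core dumps
 * off, or never a concern), -1 if the limit could not be applied. */
int guard_setuid_core(void)
{
    if (!is_privilege_elevated())
        return 0;
    if (disable_core_dumps() != 0)
        return -1;
    return core_dumps_disabled() == 1 ? 0 : -1;
}

int main(void)
{
    /* Stand-alone demonstration: clamp unconditionally and report the state. */
    if (disable_core_dumps() != 0) {
        perror("setrlimit(RLIMIT_CORE)");
        return 1;
    }
    printf("elevated=%d core_dumps_disabled=%d guard=%d\n",
           is_privilege_elevated(), core_dumps_disabled(), guard_setuid_core());
    return 0;
}
```

This does not replace the kernel fix: the bug is in the kernel's own credential handling, and an application-level rlimit only protects programs that were built to call it. It does, however, give a quick way to check on any Unix whether a given setuid binary would leave a core file at all, since RLIMIT_CORE is inherited across exec.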
