[6431] in bugtraq
BSD coredumps follow symlinks
daemon@ATHENA.MIT.EDU (Denis Papp)
Thu Apr 2 02:48:20 1998
Date: Tue, 31 Mar 1998 17:55:40 +6500
Reply-To: Denis Papp <dpapp@CHARRON.CS.UALBERTA.CA>
From: Denis Papp <dpapp@CHARRON.CS.UALBERTA.CA>
To: BUGTRAQ@NETSPACE.ORG
I have a system running BSD/OS 2.1 with all the patches from BSDi, including
K210-029 which I quote:
"This patch addresses a security problem with core dumps from setuid programs."
I don't know what this patch really does but apparently this patch does
not fix the problem where coredumps follow symlinks. If a user knows
how to core dump any setuid root program that user can then clobber any
file on the system (/root/.rhosts, /etc/passwd, /etc/hosts.equiv,
whatever). Furthermore if that user knows how to clobber
a setuid root program that calls getpass* then the user can get
all the shadowed passwords.
This is easy to verify by creating a simple setuid root app that core
dumps and then making a symbolic link from app.core to /root/.rhosts.
If your system accepts '+ +' anywhere in the .rhosts file you can put that
in your env to get root access.
This concerns me a great deal - apparently 'su' and 'rlogin' are
core-dumpable (although I'm not certain how). And I wouldn't
be surprised if a few other of the standard utilities that are setuid
root are also 'core-dumpable'.
What can I do about it? Is there a way to turn off core dumps? That
would be a reasonable temporary fix.
--
Denis Papp dpapp@cs.ualberta.ca
http://ugweb.cs.ualberta.ca/~dpapp
Much so-called 'white marble' is really Dolemite.
