Home page logo
/

bugtraq logo Bugtraq mailing list archives

BSD coredumps follow symlinks
From: ronny () TMX COM AU (Ronny Cook)
Date: Thu, 2 Apr 1998 18:02:00 +1000


Date:         Tue, 31 Mar 1998 17:55:40 +6500
From: Denis Papp <dpapp () CHARRON CS UALBERTA CA>

I have a system running BSD/OS 2.1 with all the patches from BSDi, including
K210-029 which I quote:
"This patch addresses a security problem with core dumps from setuid programs."

I don't know what this patch really does but apparently this patch does
not fix the problem where coredumps follow symlinks.  If a user knows
how to core dump any setuid root program that user can then clobber any
file on the system (/root/.rhosts, /etc/passwd, /etc/hosts.equiv,
whatever).  Furthermore if that user knows how to clobber
a setuid root program that calls getpass* then the user can get
all the shadowed passwords.

Not quite all (depending on the size of your password file), but
certainly some.
[...]
What can I do about it?  Is there a way to turn off core dumps?  That
would be a reasonable temporary fix.

There is a later patch for BSD/OS 3.0 (M300-023) which is described as:

        Fixes a potential denial of service attack related
        to the kernel following symbolic links when writing core files.

which I expect fixes the problem once and for all. The initial release of 3.0
attempted to fix the problem differently and failed. :-) The M300-023 patch,
as nearly as I can tell, doesn't disable SUID core dumps altogether but
does prevent them from following symlinks.

Unfortunately, upgrading to 3.0 requires you to pay BSDI. :-( However, if you
have access to sources, you can always download that patch yourself, unpack
it and apply the source patches included.

If you don't have access to sources, I've back-ported the patch (in a rough
& ready fashion) and can supply the modified object file (kern_sig.o)
to BSDI licensees. Licence conditions preclude my making it available for
public download without explicit permission from BSDI. :-(

                ...Ronny
--
 Ronald Cook, Technical Manager - Message Handling Systems/The Message eXchange
 Email: ronny () tmx com au ----- Phone: +61-2-9550-4448 ---- Fax: +61-2-9519-2551

All opinions are my own and not those of TMX unless explicitly stated otherwise.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault