Re: ps information leak in FreeBSD

From: Crist J. Clark (crist.clarkat_private)
Date: Tue Jan 07 2003 - 09:48:46 PST

Next message: Zero-X www.lobnan.de Team: "Vulnerabilties in Xynph FTP Server 1.0"

Previous message: Martin Schulze: "[SECURITY] [DSA 226-1] New xpdf-i packages fix arbitrary command execution"
In reply to: Jez Hancock: "Re: ps information leak in FreeBSD"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jan 07, 2003 at 09:18:00AM +0000, Jez Hancock wrote:
[snip]

> It's annoying in that I see a lot of users running mysql with the -u and -p options:
> 
> mysql -u user -p mypassword
> 
> on the commandline, thinking that this info will not show up in ps listings when ps
> is run by other users.  Ho hum...

Any program that asks for a password on the command line should have
the common decency to overwrite/obfuscate it, along the lines of,

	case 'p':
		passwd = optarg;
		optarg = "********";
		break;

So that it doesn't show up in any "ps" output.

Of course, there is still a window of vulnerability before the code is
executed, but any long-lived daemon has no excuse for not doing this.
-- 
Crist J. Clark                     |     cjclarkat_private
                                   |     cjclarkat_private
http://people.freebsd.org/~cjc/    |     cjcat_private

Next message: Zero-X www.lobnan.de Team: "Vulnerabilties in Xynph FTP Server 1.0"
Previous message: Martin Schulze: "[SECURITY] [DSA 226-1] New xpdf-i packages fix arbitrary command execution"
In reply to: Jez Hancock: "Re: ps information leak in FreeBSD"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 23:12:53 PST