On Tue, Mar 11, 2003 at 05:30:03PM -0000, Ivan Aleksandrov wrote:
>
>
> rayd@mtelecom:~$ id
> uid=127(rayd) gid=0(wheel) groups=0(wheel)
> rayd@mtelecom:~$ su <------------- (I send "control symbol")
> Password:Quit (core dumped)
> rayd@mtelecom:~$
>
> rayd@mtelecom:~$ uname -srm
> BSD/OS 3.1 i386
> rayd@mtelecom:~$ ls -la `whereis su`
> -r-sr-xr-x 1 root bin 2868 Jan 21 1997 /usr/bin/su*
> rayd@mtelecom:~$ ls -la su.core
> -rw------- 1 root wheel 184320 Mar 11 22:17 su.core
>
> root@mtelecom:/usr/home/rayd# gdb --core=su.core
> GDB 4.16 (i386-unknown-bsdi3.0), Copyright 1996 Free Software Foundation, Inc.
> Core was generated by `su'.
> Program terminated with signal 3, Quit.
> #0 0xa004cbde in ?? ()
>
> Is it a serious bug?
> Is it possible to write an exploit, or is that impossible with signal 3?
>
> WTF?

If the 'control symbol' was Ctrl-\, then this is expected behavior: this key combination is *supposed* to send a QUIT signal to the application, and the default action on SIGQUIT in all OSes is to terminate the process and create a core file.

However, the core file is created as the user the application is currently running as: if you cannot read root-owned files, you cannot access the information within the corefile, thus there is no information leak here (and if you *can* read root-owned files, then you already have access to much sensitive information that will help you go the rest of the way).

As to exploiting, no, I don't think you can exploit this: the core here is a result of the kernel processing a signal sent to the process, not of some overflow or invalid memory access or similar.

It might be argued that su(1) and similar programs should catch a couple of signals and not leave core files lying around, but this is a different topic IMHO.

In short, no, you can neither exploit this nor gain information from it.
G'luck,
Peter

--
Peter Pentchev
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am the meaning of this sentence.
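Peter's closing remark is that su(1) and similar programs should catch a couple of signals and not leave core files lying around. The C program below is an added example written for this archive page; it is not BSD/OS su(1) source and not code either poster supplied. It shows the two independent measures a privileged program can take before prompting for a password: set RLIMIT_CORE to zero so the kernel writes no core file even if a dumping signal does arrive, and ignore SIGQUIT so a Ctrl-\ at the prompt cannot kill the process at all. It assumes a POSIX system; the prctl(PR_SET_DUMPABLE, 0) call is a Linux-only extra and is compiled only there.

```c
/* Added example, not su(1) source: keep a privileged program from
 * leaving a core file behind when a user sends SIGQUIT (Ctrl-\).
 *
 * Defense 1: setrlimit(RLIMIT_CORE, 0). Signals whose default action is
 *            "terminate and dump core" still terminate, but no file is
 *            written (and the hard limit is lowered too, so a child
 *            cannot raise it back).
 * Defense 2: ignore SIGQUIT so the password prompt cannot be aborted
 *            into a dump in the first place.
 * Linux-only extra (assumption): prctl(PR_SET_DUMPABLE, 0).
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Disable core dumps for this process. Returns 0 on success, -1 on failure. */
int disable_core_dumps(void)
{
    struct rlimit rl;
    rl.rlim_cur = 0;
    rl.rlim_max = 0;
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
#ifdef __linux__
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}

/* Ignore the tty-generated QUIT signal. Returns 0 on success, -1 on failure. */
int ignore_sigquit(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = SIG_IGN;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGQUIT, &sa, NULL);
}

/* Current soft core-file size limit; 0 means "no core file". -1 on error. */
long core_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return (long)rl.rlim_cur;
}

/* 1 if SIGQUIT is currently ignored, 0 if not, -1 on error. */
int sigquit_ignored(void)
{
    struct sigaction sa;
    if (sigaction(SIGQUIT, NULL, &sa) != 0)
        return -1;
    return sa.sa_handler == SIG_IGN;
}

int main(void)
{
    if (disable_core_dumps() != 0 || ignore_sigquit() != 0) {
        perror("hardening failed");
        return 1;
    }
    /* A real su(1) would now read the password. Here we just deliver a
     * QUIT to ourselves to show it no longer terminates us or dumps core. */
    raise(SIGQUIT);
    printf("survived SIGQUIT; core limit = %ld\n", core_limit());
    return 0;
}
```

Either measure alone is enough to stop the file from appearing; the rlimit is the more robust of the two because it also covers signals the program forgot to handle (SIGSEGV, SIGABRT, and so on). Note that this addresses only the "core file lying around" nuisance Peter mentions; as he points out, the file in the original report was already root-owned and mode 0600, so there was no leak to close.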
This archive was generated by hypermail 2b30 : Wed Mar 12 2003 - 08:00:58 PST