Re: su core dumped with signal 3. BSD/OS 3.0, 3.1

From: Peter Pentchev (roamat_private)
Date: Tue Mar 11 2003 - 23:19:00 PST

    On Tue, Mar 11, 2003 at 05:30:03PM -0000, Ivan Aleksandrov wrote:
    > 
    > 
    > rayd@mtelecom:~$ id
    > uid=127(rayd) gid=0(wheel) groups=0(wheel)
    > rayd@mtelecom:~$ su		<------------- (I send "control symbol")
    > Password:Quit (core dumped)  	
    > rayd@mtelecom:~$
    > 
    > rayd@mtelecom:~$ uname -srm
    > BSD/OS 3.1 i386
    > rayd@mtelecom:~$ ls -la `whereis su`
    > -r-sr-xr-x  1 root  bin  2868 Jan 21  1997 /usr/bin/su*
    > rayd@mtelecom:~$ ls -la su.core
    > -rw-------  1 root  wheel  184320 Mar 11 22:17 su.core
    > 
    > root@mtelecom:/usr/home/rayd# gdb --core=su.core
    > GDB 4.16 (i386-unknown-bsdi3.0), Copyright 1996 Free Software Foundation, 
    > Inc.
    > Core was generated by `su'.
    > Program terminated with signal 3, Quit.
    > #0  0xa004cbde in ?? ()
    > 
    > Is it a serious bug?
    > Is it possible to write an exploit, or is it impossible with signal 3?
    > 
    > WTF?
    
    If the 'control symbol' was Ctrl-\, then this is expected behavior: this
    key combination is *supposed* to send a QUIT signal to the application,
    and the default action on SIGQUIT in all OSes is to terminate the
    process and create a core file.  However, the core file is created as
    the user the application is currently running as: if you cannot read
    root-owned files, you cannot access the information within the core file,
    thus there is no information leak here (and if you *can* read root-owned
    files, then you already have access to much sensitive information that
    will help you go the rest of the way).
    
    As to exploiting, no, I don't think you can exploit this: the core here
    is a result of the kernel processing a signal sent to the process, not
    of some overflow or invalid memory access or similar.
    
    It might be argued that su(1) and similar programs should catch a couple
    of signals and not leave core files lying around, but this is a
    different topic IMHO.  In short, no, you can neither exploit this nor
    gain information from it.
    
    G'luck,
    Peter
    
    -- 
    Peter Pentchev	roamat_private    roamat_private    roamat_private
    PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
    Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
    I am the meaning of this sentence.
    
    
    



    This archive was generated by hypermail 2b30 : Wed Mar 12 2003 - 08:00:58 PST