On Wed, 12 Mar 2003, Peter Pentchev wrote:

> On Tue, Mar 11, 2003 at 05:30:03PM -0000, Ivan Aleksandrov wrote:
> >
> >
> > rayd@mtelecom:~$ id
> > uid=127(rayd) gid=0(wheel) groups=0(wheel)
> > rayd@mtelecom:~$ su <------------- (I send "control symbol")
> > Password:Quit (core dumped)
> > rayd@mtelecom:~$
> >
> > rayd@mtelecom:~$ uname -srm
> > BSD/OS 3.1 i386
> > rayd@mtelecom:~$ ls -la `whereis su`
> > -r-sr-xr-x 1 root bin 2868 Jan 21 1997 /usr/bin/su*
> > rayd@mtelecom:~$ ls -la su.core
> > -rw------- 1 root wheel 184320 Mar 11 22:17 su.core

[...]

> If the 'control symbol' was Ctrl-\, then this is expected behavior: this
> key combination is *supposed* to send a QUIT signal to the application,
> and the default action on SIGQUIT in all OS's is to terminate the
> process and create a core file. However, the core file is created as
> the user the application is currently running as: if you cannot read
> root-owned files, you cannot access the information within the corefile,
> thus there is no information leak here (and if you *can* read root-owned
> files, then you already have access to much sensitive information that
> will help you go the rest of the way).
>
> As to exploiting, no, I don't think you can exploit this: the core here
> is a result of the kernel processing a signal sent to the process, not
> of some overflow or invalid memory access or similar.

Just wondering. What happens if you create a symlink to .rhosts and manage
to write a "+ +" in memory before coredump (I've not checked if it's
possible in this particular situation)? Or maybe symlinking /etc/passwd
and causing a DoS condition?

This is just an example, but I'm not so sure it's not possible to exploit
this behaviour of a setuid program... Please correct me if I'm plain
wrong :)

:raptor

Antifork Research, Inc.          0xdeadbeef | raptor's labs
http://www.antifork.org          http://www.0xdeadbeef.info
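The defensive side of the discussion above is that a setuid program should never let a terminal-generated SIGQUIT turn into a root-owned core file in a directory the user controls. The following is an added illustration, not the BSD/OS su source and not code from either poster: a privileged program that (1) sets RLIMIT_CORE to zero (plus PR_SET_DUMPABLE on Linux, under an #ifdef) so the kernel will not write a core at all, and (2) ignores SIGQUIT and SIGINT while a password prompt is open, which is what su(1) and passwd(1) implementations normally do anyway. The function names are this example's own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Added example of hardening a setuid program against core dumps.
 * Function names and structure are this example's own, not su's. */

/* Layer 1: make sure the kernel never writes a core file for this process.
 * Returns 0 on success, -1 on error. */
int disable_core_dumps(void)
{
    struct rlimit rl;
    rl.rlim_cur = 0;
    rl.rlim_max = 0;   /* hard limit too, so the limit cannot be raised again later */
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
#ifdef __linux__
    /* Linux-only second layer: mark the process as non-dumpable. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}

/* 1 if the kernel could still write a core for this process, 0 if not,
 * -1 if the state cannot be queried. */
int core_dump_possible(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    if (rl.rlim_cur == 0)
        return 0;
#ifdef __linux__
    if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0)
        return 0;
#endif
    return 1;
}

/* Layer 2: signals a user can send from the keyboard while the prompt is open. */
#define NPROMPT 2
static const int prompt_signals[NPROMPT] = { SIGQUIT, SIGINT };

/* Ignore terminal signals for the duration of a sensitive prompt; the
 * previous dispositions go into 'saved' so they can be restored afterwards. */
int ignore_prompt_signals(struct sigaction saved[NPROMPT])
{
    struct sigaction ign;
    memset(&ign, 0, sizeof ign);
    ign.sa_handler = SIG_IGN;
    sigemptyset(&ign.sa_mask);
    for (int i = 0; i < NPROMPT; i++)
        if (sigaction(prompt_signals[i], &ign, &saved[i]) != 0)
            return -1;
    return 0;
}

int restore_prompt_signals(const struct sigaction saved[NPROMPT])
{
    for (int i = 0; i < NPROMPT; i++)
        if (sigaction(prompt_signals[i], &saved[i], NULL) != 0)
            return -1;
    return 0;
}

/* 1 if SIGQUIT is currently ignored, 0 if it has another disposition, -1 on error. */
int sigquit_ignored(void)
{
    struct sigaction cur;
    if (sigaction(SIGQUIT, NULL, &cur) != 0)
        return -1;
    return cur.sa_handler == SIG_IGN;
}

int main(void)
{
    struct sigaction saved[NPROMPT];

    printf("core dump possible before hardening: %d\n", core_dump_possible());
    if (disable_core_dumps() != 0) {
        perror("disable_core_dumps");
        return 1;
    }
    printf("core dump possible after hardening:  %d\n", core_dump_possible());

    if (ignore_prompt_signals(saved) != 0) {
        perror("sigaction");
        return 1;
    }
    raise(SIGQUIT);   /* with default disposition this would print "Quit (core dumped)" */
    puts("SIGQUIT arrived during the prompt and was ignored; process still alive");
    restore_prompt_signals(saved);
    return 0;
}
```

The per-program measures are defence in depth: modern kernels also refuse core dumps from set-user-ID processes system-wide unless an administrator turns that on (fs.suid_dumpable on Linux, kern.sugid_coredump on FreeBSD, both off by default), which removes the root-owned-file-in-user-directory problem regardless of what the program itself does.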
This archive was generated by hypermail 2b30 : Thu Mar 13 2003 - 08:59:00 PST