Date: Tue, 7 Jan 2003 18:35:49 +0100 (CET)
From: Andrew Prewett <andrew@kronos.HomeUnix.com>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: security vulnerability in dump
Message-ID: <20030107183359.A51290@slave.east.ath.cx>
In-Reply-To: <200301071548.H07FM0J93369@asarian-host.net>
References: <200301071548.H07FM0J93369@asarian-host.net>

Today Mark wrote:

> I believe I have found a security vulnerability in dump, which, under the
> right conditions, allows any user with shell-access to gain root-privileges.
>
> When dumping to a file, dump writes this file chmod 644. When the
> root-partition is being backed-up, this leaves the dump-file vulnerable to
> scanning by unprivileged users for the duration of the dump.
>
> I tested this, and, as a non-privileged user, was able to extract the
> root-password from the dump-file using a simple regex:
> "(/root:(.*?):0:0::0:0:Superuser:/)". This, of course, based on the fact
> that /etc/master.passwd also becomes part of the dump-file.
>
> As to how high to rank this exploitability, I am not sure. Certain
> conditions need to be met. The dump must be made to file, and the
> unprivileged user must, naturally, know the name of the dump-file; and the
> dump, of course, must be made in multi-user mode.
>
> Still, I would feel a lot better if the FreeBSD development team made a
> small adjustment to dump, writing its dump-file chmod 600, which would
> immediately solve any and all exploitability.
>
> If people deem it serious enough, I will file a report.
>
> Thanks for listening.
>
> P.S. I understand, of course, that the dump-file, when written to a
> directory to which non-privileged users have no access, would still be safe.
> But I deem it best to make dump safe on its own, and not have its safety
> depend on external factors.

Normally the master.passwd is backed up regularly by cron (/var/backups), so
maybe no need to back it up again.

hint: chflags nodump /etc/master.passwd

-andrew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
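
Added example, not part of the original message and not code from FreeBSD's dump: an operator-side way to keep a dump file at mode 600 for the whole run, plus a check that flags backup files group or other can read. The helper names run_private and audit_readable and the /backup path are hypothetical. It assumes dump creates its output file subject to the process umask, which is consistent with the mode 644 reported above.

```shell
#!/bin/sh
# Added example; run_private and audit_readable are hypothetical helper names.

# run_private OUTFILE CMD [ARGS...]
# Pre-creates OUTFILE as 0600 and runs CMD under umask 077 in a subshell,
# so the file is never group/other-readable while it is being written
# and the caller's own umask is left untouched.
run_private() {
    out=$1
    shift
    (
        umask 077
        : > "$out" || exit 1          # create (or truncate) the output file
        chmod 600 "$out" || exit 1    # tighten it if it already existed as 644
        "$@"
    )
}

# audit_readable DIR
# Prints regular files under DIR that group or other can read.
# Returns 0 if there are none, 1 otherwise.
audit_readable() {
    found=$(find "$1" -type f \( -perm -040 -o -perm -004 \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Typical use on FreeBSD, as root (the /backup path is an assumption):
#   run_private /backup/root.dump dump -0 -a -h 0 -f /backup/root.dump /
#   audit_readable /backup
#
# dump's default honor level for the nodump flag is 1, so a level 0 dump
# only skips files marked with "chflags nodump" when -h 0 is given.
```

Keeping the dump directory itself root-only (mode 700) removes the dependence on any single file's mode, as the P.S. in the quoted message points out.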