Date:      Wed, 19 Feb 1997 10:56:11 +0200 (SAT)
From:      Reinier Bezuidenhout <rbezuide@oskar.nanoteq.co.za>
To:        dg@root.com
Cc:        jas@flyingfox.COM, security@freebsd.org
Subject:   Re: Coredumps and setuids .. interesting..
Message-ID:  <199702190856.KAA26329@oskar.nanoteq.co.za>
In-Reply-To: <199702190757.XAA11039@root.com> from David Greenman at "Feb 18, 97 11:57:08 pm"

Hi ...

> 
>    I've explained this several times already, but here goes again:
> 
>    There was a bug in the kernel where it didn't pass the P_SUGID flag onto
> the child of a fork. rlogin is a special case setuid binary in that it forks
> and doesn't follow that with an exec. The child process was then vulnerable
> to being killed in a way that would cause a core dump. Everyone prior to you
> who has looked at the resulting core file (me included) has found that it
> contained only the encrypted password for the user's own account, and not
> any others. I'm rather surprised that you are saying that it contains other
> users' encrypted passwords...
>    In any case, that bug has been fixed in 2.1.7 and later versions of
> FreeBSD.
> 

Sorry for letting you repeat it for the 64 234 time :) :)

Why I posted this is that I thought someone said it was fixed in 2.1.6,
but I was wrong since I noticed (tested) it on 2.1.7 and later and
it does NOT work there.

I do have a 
strings rlogin.core 

and in there are ALL the users and their encrypted passwords, I can
mail it ... but would rather not :) ...  but seeing that 2.1.7
has been released, there is no point in worrying about this anymore
... right ?

Thanx for your time
Reinier
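The quoted explanation describes the failure mode: a setuid program forks without exec'ing, the child loses the "set-id" marking (P_SUGID on FreeBSD), and a core-producing signal then writes the child's memory, including any password data it holds, to disk. The kernel fix is to propagate that flag across fork, but a privileged program can also defend itself. The following is an added example written for this page, not code from the thread or from rlogin: a forked child sets RLIMIT_CORE to zero before touching sensitive data, so even a kernel that has forgotten the process is set-id cannot dump it. The real/effective id comparison is a portable stand-in for FreeBSD's issetugid(2); the "secret" buffer is a constructed placeholder, and the child raises SIGABRT on itself only to show that the termination produces no core file.

```c
/* Added example: defensive core-dump suppression in a forked child of a
 * privileged process. Not from the original message or from rlogin. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/wait.h>

/* Set the core file size limit of the calling process to zero.
 * Returns 0 on success, -1 on failure. The limit is inherited across
 * fork(), so calling it before the fork covers every child as well. */
int disable_core_dumps(void) {
    struct rlimit rl;
    rl.rlim_cur = 0;
    rl.rlim_max = 0;
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Report whether the current soft core limit is zero (1) or not (0). */
int core_dumps_disabled(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0;
}

/* Portable approximation of the condition P_SUGID records: the process
 * is running with credentials different from the ones it started with.
 * FreeBSD offers issetugid(2) for this; we compare ids instead so the
 * example builds on any POSIX system. */
int running_setugid(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Fork a worker, drop the core limit in the child before it handles any
 * sensitive memory, then kill the child with a core-producing signal.
 * Returns 1 if the child died by signal without producing a core,
 * 0 if a core was produced or the child exited normally, -1 on error. */
int run_child_without_core(void) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (disable_core_dumps() != 0)
            _exit(2);
        /* Constructed stand-in for password data held in memory. */
        volatile char secret[64];
        strcpy((char *)secret, "constructed-secret-not-a-real-hash");
        raise(SIGABRT);          /* default action: terminate (+core) */
        _exit(0);                /* not reached */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFSIGNALED(status))
        return 0;
#ifdef WCOREDUMP
    return WCOREDUMP(status) ? 0 : 1;
#else
    return 1;
#endif
}

int main(void) {
    printf("set-id process: %s\n", running_setugid() ? "yes" : "no");
    printf("disable_core_dumps: %d\n", disable_core_dumps());
    printf("core dumps disabled: %d\n", core_dumps_disabled());
    printf("child killed without core: %d\n", run_child_without_core());
    return 0;
}
```

Modern kernels track this themselves (FreeBSD via P_SUGID, Linux via the per-process "dumpable" flag governed by the fs.suid_dumpable sysctl), so the limit is a second layer rather than the primary fix; it costs nothing and protects a program even on a kernel with the bug described above.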