From owner-freebsd-security Wed Feb 19 00:57:11 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id AAA13113 for security-outgoing; Wed, 19 Feb 1997 00:57:11 -0800 (PST)
Received: from oskar.nanoteq.co.za (oskar.nanoteq.co.za [163.195.220.170]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA13108 for ; Wed, 19 Feb 1997 00:57:03 -0800 (PST)
Received: (from rbezuide@localhost) by oskar.nanoteq.co.za (8.8.5/8.8.5) id KAA26329; Wed, 19 Feb 1997 10:56:12 +0200 (SAT)
From: Reinier Bezuidenhout
Message-Id: <199702190856.KAA26329@oskar.nanoteq.co.za>
Subject: Re: Coredumps and setuids .. interesting..
In-Reply-To: <199702190757.XAA11039@root.com> from David Greenman at "Feb 18, 97 11:57:08 pm"
To: dg@root.com
Date: Wed, 19 Feb 1997 10:56:11 +0200 (SAT)
Cc: jas@flyingfox.COM, security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hi ...

>
> I've explained this several times already, but here goes again:
>
> There was a bug in the kernel where it didn't pass the P_SUGID flag onto
> the child of a fork. rlogin is a special case setuid binary in that it forks
> and doesn't follow that with an exec. The child process was then vulnerable
> to being killed in a way that would cause a core dump. Everyone prior to you
> who has looked at the resulting core file (me included) has found that it
> contained only the encrypted password for the user's own account, and not
> any others. I'm rather surprised that you are saying that it contains other
> users' encrypted passwords...
> In any case, that bug has been fixed in 2.1.7 and later versions of
> FreeBSD.
>

Sorry for letting you repeat it for the 64 234 time :) :)

Why I posted this is that I thought someone said it was fixed in 2.1.6, but I was wrong since I noticed (tested) it on 2.1.7 and later and it does NOT work there.

I do have a strings rlogin.core and in there are ALL the users and their encrypted passwords, I can mail it ... but would rather not :) ... but seeing that 2.1.7 has been released, there is no point in worrying about this anymore ... right ?

Thanx for your time

Reinier
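The kernel fix discussed in the thread (propagating P_SUGID to the forked child so the kernel refuses to dump core for it) is the real remedy. As an added example that is not part of the mailing-list exchange and not FreeBSD's own code, the following C program shows the userland defense-in-depth that a privileged program following the rlogin pattern (fork without a subsequent exec) can apply on its own: setting RLIMIT_CORE to zero before forking, so both the parent and the inherited-limit child cannot write a core file even if killed with a core-dumping signal. The function names are hypothetical; the resource-limit calls are the standard POSIX setrlimit/getrlimit interface.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set both the soft and hard core-file size limits to zero.
 * Lowering a limit needs no privilege, so this works in any process.
 * Returns 0 on success, -1 on failure (errno set by setrlimit). */
int disable_core_dumps(void) {
    struct rlimit rl;
    rl.rlim_cur = 0;
    rl.rlim_max = 0;
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Report whether this process can still write a core file.
 * Returns 1 if core dumps are disabled, 0 if they are allowed, -1 on error. */
int core_dumps_disabled(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return rl.rlim_cur == 0 ? 1 : 0;
}

/* Mimic the rlogin pattern described in the thread: fork without exec.
 * The core limit is set in the parent before fork, so the child inherits
 * it; the child checks that the limit held and reports via its exit code.
 * Returns 1 if the child confirmed core dumps are disabled, 0 if not,
 * -1 if fork/wait failed. */
int fork_child_inherits_limit(void) {
    if (disable_core_dumps() != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: this is the process that, in the 2.1.6 bug, could be
         * killed into dumping memory (including whatever password data
         * the parent had read) to disk. With the inherited zero limit
         * the kernel writes nothing. */
        _exit(core_dumps_disabled() == 1 ? 0 : 1);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void) {
    printf("before: core dumps disabled = %d\n", core_dumps_disabled());
    int child_ok = fork_child_inherits_limit();
    printf("after fork: child reports disabled = %d\n", child_ok);
    printf("parent: core dumps disabled = %d\n", core_dumps_disabled());
    return child_ok == 1 ? 0 : 1;
}
```

This is a belt-and-braces measure, not a substitute for the kernel fix: it only stops the core file from being written, and any secret the program has already read (such as password hashes pulled from the password database) is still in memory until the program clears or releases it.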