From owner-freebsd-security Wed Feb 19 04:37:10 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id EAA20488 for security-outgoing; Wed, 19 Feb 1997 04:37:10 -0800 (PST)
Received: from magrathea.chance.ru (root@magrathea.chance.ru [194.58.86.1]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id EAA20482 for ; Wed, 19 Feb 1997 04:37:02 -0800 (PST)
Received: (from caseq@localhost) by magrathea.chance.ru (8.6.12/8.6.12) id PAA10870; Wed, 19 Feb 1997 15:34:56 +0300
From: Andrew Kosyakov
Message-Id: <199702191234.PAA10870@magrathea.chance.ru>
Subject: Re: Coredumps and setuids .. interesting..
To: rbezuide@oskar.nanoteq.co.za (Reinier Bezuidenhout)
Date: Wed, 19 Feb 1997 15:34:56 +0300 (MSK)
Cc: dg@root.com, jas@flyingfox.COM, security@freebsd.org
In-Reply-To: <199702190856.KAA26329@oskar.nanoteq.co.za> from "Reinier Bezuidenhout" at Feb 19, 97 10:56:11 am
Organization: Chance Publishing House
X-Mailer: ELM [version 2.4 PL24 ME8a]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Quoting Reinier Bezuidenhout:

> > to being killed in a way that would cause a core dump. Everyone prior to you
> > who has looked at the resulting core file (me included) has found that it
> > contained only the encrypted password for the user's own account, and not
> > any others. I'm rather surprised that you are saying that it contains other
> > users' encrypted passwords...
> and in there are ALL the users and their encrypted passwords, I can
> mail it ... but would rather not :) ... but seeing that 2.1.7

Perhaps many people fixed their libc since that similar case with wu-ftpd. The solution is to patch the dbm code to zero out all memory being free()'d, so that when the password database is closed by endpwent() called from some getpwnam(), all passwords (except the one being returned) are erased from memory.

The following changes were suggested by someone from the OpenBSD project, but still work great for FreeBSD (the file in question is in /usr/src/lib/libc/db/hash/):

--- hash_buf.c.old Tue Oct 15 14:24:48 1996
+++ hash_buf.c Tue Oct 15 14:24:13 1996
@@ -324,7 +324,10 @@ /* Check if we are freeing stuff */ if (do_free) { if (bp->page) + { + memset(bp->page,0,hashp->BSIZE); free(bp->page); + } BUF_REMOVE(bp); free(bp); bp = LRU; -- Sincerely yours /&rew *** Andrew V. Kosyakov, Chance Publishing House, System Administrator caseq@chance.ru, 2:5030/31@Fidonet.Org, +7(812)210-8046 PGP key fingerprint: BA A8 48 20 E4 AE 9C 52 C5 5F C3 B8 1E 67 2C BF
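Review bot: the memset() of bp->page added in this hunk is immediately followed by free(bp->page), which makes it a dead store that an optimizing compiler is permitted to eliminate, so the page can still land in a core file unzeroed; consider a clearing routine the optimizer cannot remove (for example a call made through a volatile function pointer) instead of a bare memset(). Two smaller points: the new `{` and `}` lines put the brace on its own line while the surrounding code (`if (do_free) {`) uses the K&R style, and `memset(bp->page,0,hashp->BSIZE);` should read `memset(bp->page, 0, hashp->BSIZE);` to match the file's spacing.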
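As an added example (not the patch above, nor FreeBSD or OpenBSD code), the "zero before free()" idea the post describes, generalized into a reusable helper: the password record is a constructed sample, and the volatile function pointer is the detail a bare memset() lacks, since a store made just before free() may otherwise be dropped by the compiler.

```c
#include <stdlib.h>
#include <string.h>

/* Volatile function pointer to memset(): because the compiler cannot
 * prove what is called through it, the store is not treated as dead
 * and cannot be optimized away, unlike a bare memset() before free(). */
static void *(*volatile scrub_memset)(void *, int, size_t) = memset;

/* Overwrite len bytes of p with zero in a way the optimizer must keep. */
void scrub(void *p, size_t len)
{
    if (p != NULL && len > 0)
        scrub_memset(p, 0, len);
}

/* Zero a heap buffer, then release it: the hash_buf.c change generalized
 * into a helper that any free() of sensitive data can call. */
void scrub_free(void *p, size_t len)
{
    scrub(p, len);
    free(p);
}

/* Count the bytes of p that still hold a non-zero value. */
size_t nonzero_bytes(const unsigned char *p, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (p[i] != 0)
            n++;
    return n;
}

/* Simulate one database page holding a password record (a constructed
 * sample, not real data). Returns 1 if the page held secret bytes before
 * scrub() and none afterwards, 0 otherwise, -1 on malloc() failure. */
#define PAGE_SIZE 64
int demo_page_is_scrubbed(void)
{
    unsigned char *page = malloc(PAGE_SIZE);
    if (page == NULL)
        return -1;
    memset(page, 0, PAGE_SIZE);
    strcpy((char *)page, "alice:$1$constructed$examplehash:1001"); /* constructed */
    size_t before = nonzero_bytes(page, PAGE_SIZE);
    scrub(page, PAGE_SIZE);   /* what the patch does to bp->page before free() */
    size_t after = nonzero_bytes(page, PAGE_SIZE);
    free(page);
    return before > 0 && after == 0;
}
```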