From: Jeff Evans
Date: Mon, 14 Oct 1996 19:01:59 -0400
To: freebsd-security@freebsd.org
Subject: Re: bin/1805: Bug in ftpd
Message-Id: <199610142301.TAA01206@fubar.cl.msu.edu>

Marc Slemko wrote:
> A more permanent fix to the source may be something along the lines of the
> below patch (against RELENG_2_1_5_RELEASE), but there should be an
> official fix out in the next little bit:
>
> > I'm not really happy with this fix as well, but it's better than nothing.
> > The reason being that if ftp wants to dump core, it should dump core.
> > If you prohibit this you'll never be able to debug any problems after
> > something went wrong. What should be done is make sure the buffers containing
> > the sensitive info are cleared as soon as the info has been used.
> > The same problem could show up with any other suid root program that reads
> > the password databases. (if that is indeed the happening. It might also be
> > that just the users password string is dumped only.)
> >
> > I'll investigate things tomorrow evening.
> >
> > -Guido

At least on a FreeBSD 2.1.0-RELEASE #0 running wu-ftp version wu-2.4(3), an ftpd core file shows about 33 encrypted entries in a password file of 667.
I didn't use the exact workaround posted, but the following seemed to do the job:

#!/usr/local/bin/tcsh
# hard limit: ftpd (and anything it execs) cannot raise it back
limit -h coredumpsize 0
# replace the wrapper with the real daemon, passing inetd's arguments through
exec /usr/local/ftpd/libexec/ftpd $argv

entry from /etc/inetd.conf:

ftp stream tcp nowait root /usr/local/ftpd/libexec/ftpd.wrapper ftpd

I attempted to cause a core file using Qualcomm's qpopper2.2, but couldn't get it to leave a core file (possibly due to insufficient quota or the working directory being /).

Are there any other programs that use getpwnam or the like that run as root and then switch to a user after?

Jeff
--
--------------------------------------------------------------------------
Jeff Evans - evans@msu.edu - http://clunix.cl.msu.edu/~evans
--------------------------------------------------------------------------
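As an added example, not code from the thread or from ftpd itself: the two in-process measures the thread discusses, Jeff's core-size limit applied by the daemon via setrlimit(2), and Guido's suggestion of wiping the hash buffers as soon as they have been used. use_and_scrub is a hypothetical stand-in for the point where ftpd compares the hash, and the hash strings used with it are constructed.

```c
#include <string.h>
#include <sys/resource.h>

/* Zero a buffer so the optimiser cannot drop the stores as dead code
 * (portable stand-in for explicit_bzero(3)). */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Same effect as "limit -h coredumpsize 0" in the tcsh wrapper, but set
 * by the daemon itself, so it holds however inetd started it. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

int core_limit_is_zero(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0 && rl.rlim_max == 0;
}

/* Guido's approach: hold the hash only while it is needed, then wipe every
 * copy, including the one getpwnam(3) returned (pw->pw_passwd points into
 * static libc storage, which is exactly what a core file would contain);
 * pw_passwd here stands in for that pointer. libc may keep further copies
 * in its own read buffers, so the rlimit above is still worth keeping.
 * Returns 1 if every byte of the caller's copy reads back as zero. */
int use_and_scrub(char *pw_passwd)
{
    char local[128];
    size_t n = strlen(pw_passwd);
    if (n >= sizeof local)
        return 0;
    memcpy(local, pw_passwd, n + 1);
    /* ...ftpd would compare crypt(typed_password, local) with local here... */
    secure_wipe(local, sizeof local);
    secure_wipe(pw_passwd, n);
    for (size_t i = 0; i < n; i++)
        if (pw_passwd[i] != 0)
            return 0;
    return 1;
}
```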