Date:      Tue, 15 Oct 1996 08:53:38 -0700 (PDT)
From:      Nathan Lawson <nlawson@kdat.csc.calpoly.edu>
To:        marcs@znep.com (Marc Slemko)
Cc:        freebsd-security@freebsd.org
Subject:   Re: bin/1805: Bug in ftpd
Message-ID:  <199610151553.IAA28499@kdat.calpoly.edu>
In-Reply-To: <Pine.BSF.3.95.961014121116.4318C-100000@alive.ampr.ab.ca> from "Marc Slemko" at Oct 14, 96 12:14:55 pm

> > >Description:
> > While a user is connected to the server via ftp, the process ftpd is owned
> > by this user. When ftpd is abnormally terminated (e.g. kill -11 <ftpd-id>)
> > the memory image of this process is written to the file ftpd.core in the home dir.
> > This file contains the encrypted passwords of all users on this machine.
> > 
> > 
> > >How-To-Repeat:
> > 1. ftp localhost
> >   name: username
> >   password: ****
> > 2. On second terminal:
> >   a) ps -ax | grep localhost
> >   b) kill -11 <PID>
> >   c) strings ~/ftpd.core | less (you will see all encrypted passwords).
>
> + 
> + 	/* 
> + 	 * prevent ftpd from dumping core; necessary to prevent a user
> + 	 * from getting a core file with privileged information in
> + 	 */
> +         rlim.rlim_cur = rlim.rlim_max = 0;
> +         if (setrlimit(RLIMIT_CORE, &rlim) != 0) {
> + 		syslog(LOG_ERR, "setrlimit(RLIMIT_CORE, &rlim) failed");
> + 		exit(1);
> + 	}
> + 
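Review bot: Only the core-dump channel is closed by these lines; the encrypted password data is still present in the address space of a process that the user owns once ftpd has done setuid(), and nothing in the hunk zeroes that data or closes the password file before the privilege change, so the data stays exposed through any other means of reading process memory (the reply names ptrace). Clear the password buffers and close the password file before setuid(), and keep the RLIMIT_CORE limit only as a secondary measure. Two smaller points: `rlim` is not declared in the visible lines, so a `struct rlimit rlim;` declaration must exist in unchanged context; and the added lines mix tab and space indentation, while the syslog message would be more useful with the errno text appended (`%m`).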

This isn't a fix.  Remember the principle of least privilege:  if something
doesn't need certain privileges, revoke them.  In this case, the ftpd is
running as the user.  This means that all resources of ftpd are also owned
by the user, including any inherited fds and memory.  Your patch only fixes
one instance of this attack, preventing core dumps.  It is trivial to get 
around it by using ptrace to attach to the process and read the memory
containing the encrypted passwords.

The real fix is to close the password file and zero any associated memory
immediately before the ftpd enters the user domain via setuid().  A user-level
program does not need any authentication data (like passwords) and thus should
not have any access to them.  

It's impossible to steal data that just isn't there.

-- 
Nate Lawson                  "There are a thousand hacking at the branches of
CPE Senior                    evil to one who is striking at the root."
CSL Admin                              -- Henry David Thoreau, 'Walden', 1854



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199610151553.IAA28499>