From owner-freebsd-security Tue Oct 15 08:53:48 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA15646 for security-outgoing; Tue, 15 Oct 1996 08:53:48 -0700 (PDT)
Received: from kdat.calpoly.edu (kdat.csc.calpoly.edu [129.65.54.101]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id IAA15634 for ; Tue, 15 Oct 1996 08:53:39 -0700 (PDT)
Received: (from nlawson@localhost) by kdat.calpoly.edu (8.6.12/N8) id IAA28499; Tue, 15 Oct 1996 08:53:39 -0700
From: Nathan Lawson
Message-Id: <199610151553.IAA28499@kdat.calpoly.edu>
Subject: Re: bin/1805: Bug in ftpd
To: marcs@znep.com (Marc Slemko)
Date: Tue, 15 Oct 1996 08:53:38 -0700 (PDT)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Marc Slemko" at Oct 14, 96 12:14:55 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > >Description:
> > While a user is connected to the server via ftp, the process ftpd is owned
> > by this user. When ftpd is abnormally terminated (e.g. kill -11 )
> > the memory image of this process is written to the file ftpd.core in the home dir.
> > This file contains the encrypted passwords of all users on this machine.
> >
> >
> > >How-To-Repeat:
> > 1. ftp localhost
> > name: username
> > password: ****
> > 2. On second terminal:
> > a) ps -ax | grep localhost
> > b) kill -11
> > c) strings ~/ftpd.core | less (you will see all encrypted passwords).
> +
> + /*
> + * prevent ftpd from dumping core; necessary to prevent a user
> + * from getting a core file with privileged information in
> + */
> + rlim.rlim_cur = rlim.rlim_max = 0;
> + if (setrlimit(RLIMIT_CORE, &rlim) != 0) {
> + syslog(LOG_ERR, "setrlimit(RLIMIT_CORE, &rlim) failed");
> + exit(1);
> + }
> +

This isn't a fix. Remember the principle of least privilege: if something doesn't need certain privileges, revoke them.
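Review bot: setting RLIMIT_CORE to 0 in this hunk closes only the core-dump path; once ftpd has done setuid() to the logged-in user, that user owns the process and can attach to it with ptrace and read the same memory that the core file would have contained, so the encrypted passwords are still exposed. Keep the limit as defence in depth, but the change that actually removes the exposure is to close the password file and zero every copy of the password data before the setuid() call, so the user-owned process never holds it. Minor: the syslog() call on failure throws away errno; "setrlimit(RLIMIT_CORE): %m" would record why the call failed.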
In this case, the ftpd is running as the user. This means that all resources of ftpd are also owned by the user, including any inherited fds and memory. Your patch only fixes one instance of this attack, preventing core dumps. It is trivial to get around it by using ptrace to attach to the process and read the memory containing the encrypted passwords.

The real fix is to close the password file and zero any associated memory immediately before the ftpd enters the user domain via setuid(). A user-level program does not need any authentication data (like passwords) and thus should not have any access to them. It's impossible to steal data that just isn't there.

-- 
Nate Lawson        "There are a thousand hacking at the branches of
CPE Senior          evil to one who is striking at the root."
CSL Admin              -- Henry David Thoreau, 'Walden', 1854
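The fix described in the reply above (close the password database, wipe every copy of the authentication data, and only then enter the user domain with setuid()), as an added example. This is not FreeBSD ftpd code: the `auth_state` struct, the function names `scrub_auth_state` and `enter_user_domain`, and the "hunter2" cleartext password are constructed for illustration, and the demo uses the invoking user's own passwd entry instead of a real client login.

```c
/* Scrub authentication data, then drop privileges: the order matters. */
#define _DEFAULT_SOURCE 1   /* glibc: have <grp.h> declare setgroups() */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <sys/types.h>
#include <unistd.h>

/* Everything a login server holds between reading the password database
 * and verifying the client. Hypothetical struct, not ftpd's own. */
struct auth_state {
    char  hash[128];       /* crypt(3) hash copied from pw->pw_passwd */
    char  cleartext[128];  /* password as typed by the client */
    uid_t uid;
    gid_t gid;
};

/* A plain memset() of a buffer that is never read again may be optimised
 * away; writing through a volatile pointer forces the stores to happen. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/* Returns 1 when no secret byte remains in the state, 0 otherwise. */
int auth_state_is_clean(const struct auth_state *st)
{
    for (size_t i = 0; i < sizeof st->hash; i++)
        if (st->hash[i] != 0)
            return 0;
    for (size_t i = 0; i < sizeof st->cleartext; i++)
        if (st->cleartext[i] != 0)
            return 0;
    return 1;
}

/* Step 1: destroy every copy of the authentication data and close the
 * password database, so a later core dump or ptrace() finds nothing.
 * Note that endpwent() closes the database but does not clear the static
 * buffer getpw*() returned; copy out of it and do not keep the pointer. */
void scrub_auth_state(struct auth_state *st)
{
    wipe(st->hash, sizeof st->hash);
    wipe(st->cleartext, sizeof st->cleartext);
    endpwent();
}

/* Step 2: enter the user domain. Supplementary groups and the gid go
 * first: once the uid is the user's, they can no longer be changed.
 * Returns 0 on success, -1 if any step failed or root can be regained. */
int enter_user_domain(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) == -1)
        return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    if (setuid(0) == 0)     /* the drop must be irreversible */
        return -1;
    return 0;
}

int main(void)
{
    struct auth_state st;
    struct passwd *pw;

    memset(&st, 0, sizeof st);
    /* Constructed demo: the invoking user's own entry stands in for the
     * client's, and the cleartext password is made up. */
    pw = getpwuid(getuid());
    if (pw == NULL) {
        perror("getpwuid");
        return 1;
    }
    snprintf(st.hash, sizeof st.hash, "%s", pw->pw_passwd ? pw->pw_passwd : "*");
    snprintf(st.cleartext, sizeof st.cleartext, "%s", "hunter2");
    st.uid = pw->pw_uid;
    st.gid = pw->pw_gid;

    /* ... a real server compares crypt(st.cleartext, st.hash) with st.hash here ... */

    /* Doing setuid() first would hand a user-owned process, hash and all,
     * to anyone who can ptrace() it. Scrub, then drop. */
    scrub_auth_state(&st);
    if (enter_user_domain(st.uid, st.gid) == -1) {
        syslog(LOG_ERR, "cannot enter user domain for uid %u: %m", (unsigned)st.uid);
        return 1;
    }
    printf("running as uid %u, secrets cleared: %s\n",
           (unsigned)getuid(), auth_state_is_clean(&st) ? "yes" : "no");
    return 0;
}
```

Run as an ordinary user the program simply re-enters its own uid; run from a setuid-root server the same two calls, in this order, are what keep the password data out of the user-owned process.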