Date: Tue, 15 Oct 1996 13:37:36 -0500 (CDT)
From: Karl Denninger <karl@Mcs.Net>
To: nlawson@kdat.csc.calpoly.edu (Nathan Lawson)
Cc: marcs@znep.com, freebsd-security@freebsd.org
Subject: Re: bin/1805: Bug in ftpd
Message-ID: <199610151837.NAA16749@Jupiter.Mcs.Net>
In-Reply-To: <199610151553.IAA28499@kdat.calpoly.edu> from "Nathan Lawson" at Oct 15, 96 08:53:38 am
> > > >Description:
> > > While a user is connected to the server via ftp, the ftpd process is owned
> > > by this user. When ftpd is abnormally terminated (e.g. kill -11 <ftpd-id>)
> > > the memory image of this process is written to the file ftpd.core in the home dir.
> > > This file contains the encrypted passwords of all users on this machine.
> > >
> > >
> > > >How-To-Repeat:
> > > 1. ftp localhost
> > > name: username
> > > password: ****
> > > 2. On second terminal:
> > > a) ps -ax | grep localhost
> > > b) kill -11 <PID>
> > > c) strings ~/ftpd.core | less (you will see all encrypted passwords).
> >
> > +
> > + /*
> > + * prevent ftpd from dumping core; necessary to prevent a user
> > + * from getting a core file with privileged information in
> > + */
> > + rlim.rlim_cur = rlim.rlim_max = 0;
> > + if (setrlimit(RLIMIT_CORE, &rlim) != 0) {
> > + syslog(LOG_ERR, "setrlimit(RLIMIT_CORE, &rlim) failed");
> > + exit(1);
> > + }
> > +
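Review bot: `rlim` is used but never declared in this hunk, so it depends on a `struct rlimit rlim;` and an `#include <sys/resource.h>` that exist elsewhere in ftpd.c; include that context so the hunk applies and reviews cleanly. More substantively, as a fix for the reported problem the hunk only stops the kernel from writing ftpd.core: the password hashes read from the password database are still in the process's address space after it becomes user-owned, and a user can read that memory by other means (the reply below names ptrace). Pair the limit with closing the database (endpwent()) and zeroing the buffers that held the entry before the setuid() call, so the memory a core file or debugger could expose no longer contains them; the setrlimit() then remains as defence in depth rather than the whole fix.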
>
> This isn't a fix. Remember the principle of least privilege: if something
> doesn't need certain privileges, revoke them. In this case, the ftpd is
> running as the user. This means that all resources of ftpd are also owned
> by the user, including any inherited fds and memory. Your patch only fixes
> one instance of this attack, preventing core dumps. It is trivial to get
> around it by using ptrace to attach to the process and read the memory
> containing the encrypted passwords.
>
> The real fix is to close the password file and zero any associated memory
> immediately before the ftpd enters the user domain via setuid(). A user-level
> program does not need any authentication data (like passwords) and thus should
> not have any access to them.
>
> It's impossible to steal data that just isn't there.
>
> --
> Nate Lawson    "There are a thousand hacking at the branches of
> CPE Senior      evil to one who is striking at the root."
> CSL Admin           -- Henry David Thoreau, 'Walden', 1854
Fundamentally, "endpwent()" should do this.
But it does not.
I suggest that the problem be patched there. That fixes *all* instances of
this attack, provided that the code writers take a modicum of interest in
the issue (i.e., closing out open resources).
--
Karl Denninger (karl@MCS.Net)  | MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl       | T1 from $600 monthly; speeds to DS-3 available
                               | 23 Chicagoland Prefixes, 13 ISDN, much more
Voice: [+1 312 803-MCS1 x219]  | Email to "info@mcs.net"  WWW: http://www.mcs.net/
Fax:   [+1 312 248-9865]       | Home of Chicago's only FULL Clarinet feed!
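The sequence the thread argues for, shown as an added C example that is not the ftpd source from bin/1805 nor any code from the FreeBSD tree: after authentication, copy out only what the user-owned process still needs (uid, gid, home), wipe the password hash, call endpwent() to release the password database, set RLIMIT_CORE to zero as the hunk does, and only then change identity. The `struct session`, the function names, and the passwd entry and hash built inside `self_check()` are all constructed for this example; `enter_user_domain()` can only succeed when run as root, so `main()` skips it otherwise.

```c
/* Added example, not the ftpd source from bin/1805 nor FreeBSD code. It
 * shows the order the thread argues for: after authentication keep only
 * what the user-owned process needs, wipe the password hash, close the
 * passwd database, forbid core dumps, and only then give up root. The
 * passwd entry and hash in self_check() are constructed. */
#include <stdio.h>
#include <string.h>
#include <pwd.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/resource.h>

/* The only authentication by-products a user-level ftpd still needs. */
struct session {
    uid_t uid;
    gid_t gid;
    char  home[256];
};

/* Volatile stores keep the compiler from eliding the wipe as a dead store
 * (explicit_bzero(3) does the same on FreeBSD and glibc). */
void scrub_secret(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/* Returns 1 if every byte of p[0..n) is zero. */
int is_zeroed(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Soft and hard RLIMIT_CORE to 0; lowering a limit needs no privilege. */
int forbid_core_dumps(void)
{
    struct rlimit rlim;
    rlim.rlim_cur = rlim.rlim_max = 0;
    return setrlimit(RLIMIT_CORE, &rlim);
}

int core_dumps_forbidden(void)
{
    struct rlimit rlim;
    return getrlimit(RLIMIT_CORE, &rlim) == 0
        && rlim.rlim_cur == 0 && rlim.rlim_max == 0;
}

/* Everything that must precede setuid(). pw is the getpwnam() entry, hash
 * the caller's copy of pw_passwd the password check used. Returns 0 on
 * success. As Karl notes, endpwent() closes the database but does not wipe
 * libc's own static passwd buffer; that part is beyond the caller's reach. */
int prepare_user_session(const struct passwd *pw, char *hash, size_t hashlen,
                         struct session *out)
{
    size_t len = strlen(pw->pw_dir);
    if (len >= sizeof out->home)
        return -1;
    out->uid = pw->pw_uid;
    out->gid = pw->pw_gid;
    memcpy(out->home, pw->pw_dir, len + 1);

    scrub_secret(hash, hashlen);   /* nothing left for a core file or ptrace */
    endpwent();                    /* release the open password database */
    return forbid_core_dumps();    /* defence in depth, the hunk's only step */
}

/* Enter the user domain; setgid() must run while still root. */
int enter_user_domain(const struct session *s)
{
    return (setgid(s->gid) == 0 && setuid(s->uid) == 0) ? 0 : -1;
}

/* Runs the sequence on a constructed entry; returns 1 when the hash is gone,
 * the session holds the copied fields and core dumps are off. */
int self_check(struct session *out)
{
    struct passwd pw;
    char hash[] = "$1$constructed$NotARealHashJustForThisDemo";
    memset(&pw, 0, sizeof pw);
    pw.pw_passwd = hash;           /* constructed entry, no real account */
    pw.pw_uid = pw.pw_gid = 1001;
    pw.pw_dir = "/home/demo";
    if (prepare_user_session(&pw, hash, sizeof hash, out) != 0)
        return 0;
    return is_zeroed((unsigned char *)hash, sizeof hash)
        && out->uid == 1001 && strcmp(out->home, "/home/demo") == 0
        && core_dumps_forbidden();
}

int main(void)
{
    struct session s;
    if (!self_check(&s))
        return 1;
    printf("hash wiped, passwd db closed, core dumps off\n");
    if (geteuid() == 0)            /* only root can actually change identity */
        printf("setuid: %s\n", enter_user_domain(&s) == 0 ? "ok" : "failed");
    return 0;
}
```

The order is the whole point: the wipe, the endpwent() and the rlimit all run while the process is still root-owned, so by the time setuid() makes its memory the user's property the hashes are no longer in it. The caveat Karl raises survives here too: the static buffer getpwnam() hands back belongs to libc, and only the library (in endpwent(), as he suggests) could clear it reliably.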
