Date:      Tue, 15 Oct 1996 13:37:36 -0500 (CDT)
From:      Karl Denninger  <karl@Mcs.Net>
To:        nlawson@kdat.csc.calpoly.edu (Nathan Lawson)
Cc:        marcs@znep.com, freebsd-security@freebsd.org
Subject:   Re: bin/1805: Bug in ftpd
Message-ID:  <199610151837.NAA16749@Jupiter.Mcs.Net>
In-Reply-To: <199610151553.IAA28499@kdat.calpoly.edu> from "Nathan Lawson" at Oct 15, 96 08:53:38 am

> > > >Description:
> > > While a user is connected to the server via ftp, the process ftpd is owned
> > > by this user. When ftpd is abnormally terminated (e.g. kill -11 <ftpd-id>)
> > > the memory image of this process is written to the file ftpd.core in the home dir.
> > > This file contains the encrypted passwords of all users on this machine.
> > > 
> > > 
> > > >How-To-Repeat:
> > > 1. ftp localhost
> > >   name: username
> > >   password: ****
> > > 2. On second terminal:
> > >   a) ps -ax | grep localhost
> > >   b) kill -11 <PID>
> > >   c) strings ~/ftpd.core | less (you will see all encrypted passwords).
> >
> > + 
> > + 	/* 
> > + 	 * prevent ftpd from dumping core; necessary to prevent a user
> > + 	 * from getting a core file with privileged information in
> > + 	 */
> > +         rlim.rlim_cur = rlim.rlim_max = 0;
> > +         if (setrlimit(RLIMIT_CORE, &rlim) != 0) {
> > + 		syslog(LOG_ERR, "setrlimit(RLIMIT_CORE, &rlim) failed");
> > + 		exit(1);
> > + 	}
> > + 
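Review bot: this closes only the core-dump channel; the hashes the quoted report found in ftpd.core are still present in the process's address space once it runs as the user, and the reply below notes they can be read from the live process. The privileged data should be discarded before the uid changes (close the password database, zero any copies of the hash), with the RLIMIT_CORE limit kept as defence in depth rather than as the fix. Also, `rlim` is declared outside the visible context, so confirm it is a `struct rlimit` in scope, and the hunk mixes tab and space indentation (the `rlim.rlim_cur = ...` and `if (setrlimit(...))` lines use spaces, the surrounding lines tabs).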
> 
> This isn't a fix.  Remember the principle of least privilege:  if something
> doesn't need certain privileges, revoke them.  In this case, the ftpd is
> running as the user.  This means that all resources of ftpd are also owned
> by the user, including any inherited fds and memory.  Your patch only fixes
> one instance of this attack, preventing core dumps.  It is trivial to get 
> around it by using ptrace to attach to the process and read the memory
> containing the encrypted passwords.
> 
> The real fix is to close the password file and zero any associated memory
> immediately before the ftpd enters the user domain via setuid().  A user-level
> program does not need any authentication data (like passwords) and thus should
> not have any access to them.  
> 
> It's impossible to steal data that just isn't there.
> 
> -- 
> Nate Lawson                  "There are a thousand hacking at the branches of
> CPE Senior                    evil to one who is striking at the root."
> CSL Admin                              -- Henry David Thoreau, 'Walden', 1854

Fundamentally, "endpwent()" should do this.

But it does not.

I suggest that the problem be patched there.  That fixes *all* instances of
this attack, provided that the code writers take a modicum of interest in
the issue (i.e., closing out open resources).

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1 from $600 monthly; speeds to DS-3 available
			     | 23 Chicagoland Prefixes, 13 ISDN, much more
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax:   [+1 312 248-9865]     | Home of Chicago's only FULL Clarinet feed!


