From owner-freebsd-security Tue Oct 15 11:38:43 1996
From: Karl Denninger
Message-Id: <199610151837.NAA16749@Jupiter.Mcs.Net>
Subject: Re: bin/1805: Bug in ftpd
To: nlawson@kdat.csc.calpoly.edu (Nathan Lawson)
Date: Tue, 15 Oct 1996 13:37:36 -0500 (CDT)
Cc: marcs@znep.com, freebsd-security@freebsd.org
In-Reply-To: <199610151553.IAA28499@kdat.calpoly.edu> from "Nathan Lawson" at Oct 15, 96 08:53:38 am

> > > >Description:
> > > While a user is connected to the server via ftp, the process ftpd is owned
> > > by this user. When ftpd is abnormally terminated (e.g. kill -11)
> > > the memory image of this process is written to the file ftpd.core in the home dir.
> > > This file contains the encrypted passwords of all users on this machine.
> > >
> > > >How-To-Repeat:
> > > 1. ftp localhost
> > >    name: username
> > >    password: ****
> > > 2. On second terminal:
> > >    a) ps -ax | grep localhost
> > >    b) kill -11
> > >    c) strings ~/ftpd.core | less (you will see all encrypted passwords).
> > > >
> > +
> > + /*
> > + * prevent ftpd from dumping core; necessary to prevent a user
> > + * from getting a core file with privileged information in
> > + */
> > + rlim.rlim_cur = rlim.rlim_max = 0;
> > + if (setrlimit(RLIMIT_CORE, &rlim) != 0) {
> > + syslog(LOG_ERR, "setrlimit(RLIMIT_CORE, &rlim) failed");
> > + exit(1);
> > + }
> > +
>
> This isn't a fix. Remember the principle of least privilege: if something
> doesn't need certain privileges, revoke them. In this case, the ftpd is
> running as the user. This means that all resources of ftpd are also owned
> by the user, including any inherited fds and memory. Your patch only fixes
> one instance of this attack, preventing core dumps. It is trivial to get
> around it by using ptrace to attach to the process and read the memory
> containing the encrypted passwords.
>
> The real fix is to close the password file and zero any associated memory
> immediately before the ftpd enters the user domain via setuid(). A user-level
> program does not need any authentication data (like passwords) and thus should
> not have any access to them.
>
> It's impossible to steal data that just isn't there.
>
> --
> Nate Lawson    "There are a thousand hacking at the branches of
> CPE Senior      evil to one who is striking at the root."
> CSL Admin           -- Henry David Thoreau, 'Walden', 1854

Fundamentally, "endpwent()" should do this. But it does not.

I suggest that the problem be patched there. That fixes *all* instances of
this attack, provided that the code writers take a modicum of interest in
the issue (ie: closing out open resources).

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1 from $600 monthly; speeds to DS-3 available
                             | 23 Chicagoland Prefixes, 13 ISDN, much more
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax:   [+1 312 248-9865]     | Home of Chicago's only FULL Clarinet feed!
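Review bot: the setrlimit(RLIMIT_CORE) block closes only one disclosure path; the password-file contents that the getpwnam() lookup loaded into the process stay in memory after the setuid() to the user, and a process running as that user can read its own memory (ptrace, as the reply notes) just as it could read a core file. Add endpwent() and explicit zeroing of any copied pw_passwd buffer before the setuid() call, and keep the RLIMIT_CORE limit as defence in depth rather than as the fix. Two smaller points on the hunk itself: the syslog() string "setrlimit(RLIMIT_CORE, &rlim) failed" records no errno (append %m), and the hunk uses `rlim` without showing the `struct rlimit rlim;` declaration it relies on, so the context it is meant to be applied in should be stated.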