Date:      Tue, 15 Oct 1996 13:54:28 -0600 (MDT)
From:      Softweyr LLC <softweyr@xmission.com>
To:        karl@Mcs.Net (Karl Denninger)
Cc:        freebsd-security@FreeBSD.org
Subject:   Re: bin/1805: Bug in ftpd
Message-ID:  <199610151954.NAA22380@xmission.xmission.com>
In-Reply-To: <199610151837.NAA16749@Jupiter.Mcs.Net> from "Karl Denninger" at Oct 15, 96 01:37:36 pm

Nate Lawson stated:
% The real fix is to close the password file and zero any associated memory
% immediately before the ftpd enters the user domain via setuid().  A user-level
% program does not need any authentication data (like passwords) and thus should
% not have any access to them.  
% 
% It's impossible to steal data that just isn't there.

Karl Denninger replied:
> Fundamentally, "endpwent()" should do this.
> 
> But it does not.
> 
> I suggest that the problem be patched there.  That fixes *all* instances of
> this attack, provided that the code writers take a modicum of interest in
> the issue (ie: closing out open resources).

Right.  It should also overwrite and then free any allocated buffers that
may contain secure information, such as encrypted passwords.  This would
assure us that a program whose euid has changed won't "inherit" any memory
with critical information in it.  Overwriting guarantees the critical data
won't be left somewhere in the heap, even in free'd blocks.

(BTW, is anal retentive supposed to be hyphenated?  ;^)

-- 
          "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                       Softweyr LLC
http://www.xmission.com/~softweyr                       softweyr@xmission.com



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199610151954.NAA22380>