From owner-freebsd-security Tue Oct 15 12:54:34 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA04000 for security-outgoing; Tue, 15 Oct 1996 12:54:34 -0700 (PDT)
Received: from xmission.xmission.com (softweyr@xmission.xmission.com [198.60.22.2]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id MAA03995 for ; Tue, 15 Oct 1996 12:54:32 -0700 (PDT)
Received: (from softweyr@localhost) by xmission.xmission.com (8.7.6/8.7.5) id NAA22380; Tue, 15 Oct 1996 13:54:29 -0600 (MDT)
From: Softweyr LLC
Message-Id: <199610151954.NAA22380@xmission.xmission.com>
Subject: Re: bin/1805: Bug in ftpd
To: karl@Mcs.Net (Karl Denninger)
Date: Tue, 15 Oct 1996 13:54:28 -0600 (MDT)
Cc: freebsd-security@FreeBSD.org
In-Reply-To: <199610151837.NAA16749@Jupiter.Mcs.Net> from "Karl Denninger" at Oct 15, 96 01:37:36 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Nate Lawson stated:

% The real fix is to close the password file and zero any associated memory
% immediately before the ftpd enters the user domain via setuid(). A user-level
% program does not need any authentication data (like passwords) and thus should
% not have any access to them.
%
% It's impossible to steal data that just isn't there.

Karl Denninger replied:

> Fundamentally, "endpwent()" should do this.
>
> But it does not.
>
> I suggest that the problem be patched there. That fixes *all* instances of
> this attack, provided that the code writers take a modicum of interest in
> the issue (ie: closing out open resources).

Right. It should also overwrite and then free any allocated buffers that may
contain secure information, such as encrypted passwords. This would assure us
that a program whose euid has changed won't "inherit" any memory with critical
information in it.

Overwriting guarantees the critical data won't be left somewhere in the heap,
even in freed blocks.

(BTW, is anal retentive supposed to be hyphenated? ;^)

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters
Softweyr LLC
http://www.xmission.com/~softweyr
softweyr@xmission.com