From owner-freebsd-questions  Tue Jan  7  7:48: 8 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F199037B401
	for <freebsd-questions@freebsd.org>; Tue,  7 Jan 2003 07:48:06 -0800 (PST)
Received: from mail9.atl.registeredsite.com (mail9.atl.registeredsite.com [64.224.219.83])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6E7B743EDC
	for <freebsd-questions@freebsd.org>; Tue,  7 Jan 2003 07:48:05 -0800 (PST)
	(envelope-from admin@asarian-host.net)
Received: from asarian-host.net (asarian-host.net [216.122.74.112])
	by mail9.atl.registeredsite.com (8.12.2/8.12.6) with ESMTP id h07Fm3pa003103
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT)
	for <freebsd-questions@freebsd.org>; Tue, 7 Jan 2003 10:48:04 -0500
Comments: To protect the identity of the sender, certain header
	fields are either not shown, or masked. Anonymous email
	addresses for asarians can be requested by filling in the
	appropriate form at: https://asarian-host.net/cgi-bin/signup.cgi
Received: (from root@localhost)
	by asarian-host.net (8.11.6/8.11.0) id h07Fm3F93396
	for freebsd-questions@freebsd.org; Tue, 7 Jan 2003 16:48:03 +0100 (CET)
	(envelope-from admin@asarian-host.net)
Posted-Date: Tue, 7 Jan 2003 16:48:03 +0100 (CET)
From: Mark <admin@asarian-host.net>
Message-Id: <200301071548.H07FM0J93369@asarian-host.net>
Date: Tue, 7 Jan 2003 16:47:56 +0100
X-Authenticated-Sender: admin@asarian-host.net
Subject: security vulnerability in dump
X-Trace: XisT0f4uoFYTv11257cfKLTAm4D9XM5s1CQZ7jfpDzDgu7IlhsUtE80slKBuYNii
X-Complaints-To: abuse@asarian-host.net
X-Abuse-Info: Please be sure to forward a copy of ALL headers
X-Abuse-Info: Otherwise we are unable to process your complaint
Organization: Asarian-host
To: <freebsd-questions@freebsd.org>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Auth: Asarian-host PGP signature
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

I believe I have found a security vulnerability in dump, which, under the
right conditions, allows any user with shell access to gain root privileges.

When dumping to a file, dump writes this file chmod 644. When the
root partition is being backed up, this leaves the dump-file vulnerable to
scanning by unprivileged users for the duration of the dump.

I tested this, and, as a non-privileged user, was able to extract the
root-password from the dump-file using a simple regex:
"(/root:(.*?):0:0::0:0:Superuser:/)". This is, of course, based on the fact
that /etc/master.passwd also becomes part of the dump-file.

As to how high to rank this exploitability, I am not sure. Certain
conditions need to be met. The dump must be made to file, and the
unprivileged user must, naturally, know the name of the dump-file; and the
dump, of course, must be made in multi-user mode.

Still, I would feel a lot better if the FreeBSD development team made a
small adjustment to dump, writing its dump-file chmod 600, which would
immediately solve any and all exploitability.

If people deem it serious enough, I will file a report.

Thanks for listening.

P.S. I understand, of course, that the dump-file, when written to a
directory to which non-privileged users have no access, would still be safe.
But I deem it best to make dump safe on its own, and not have its safety
depend on external factors.

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
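The 0644-versus-0600 distinction Mark raises above, shown as an added C example that is not part of this message or of FreeBSD's dump(8). It creates an output file the way a backup tool might, returns the resulting permission bits, and also covers the caveat that the mode passed to open(2) with O_CREAT is ignored for a file that already exists, so the secure variant enforces 0600 with fchmod(2) as well. The path under /tmp is a hypothetical placeholder.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create (or truncate) a dump output file and return its resulting
 * permission bits, or -1 on error.  With secure != 0 the file is opened
 * with mode 0600 and then explicitly fchmod()ed to 0600, so neither a
 * permissive umask nor a pre-existing 0644 file leaves the archive
 * readable by other users while the dump is in progress. */
int create_dump_file(const char *path, int secure)
{
    mode_t mode = secure ? (S_IRUSR | S_IWUSR)
                         : (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0)
        return -1;
    /* O_CREAT's mode applies only to a newly created file; an existing
     * file keeps its old bits, so enforce the restrictive mode explicitly. */
    if (secure && fchmod(fd, S_IRUSR | S_IWUSR) < 0) {
        close(fd);
        return -1;
    }
    struct stat st;
    if (fstat(fd, &st) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return (int)(st.st_mode & 0777);
}

/* Audit helper: 1 if the file is readable by group or other, 0 if not,
 * -1 if it cannot be stat()ed. */
int is_world_readable(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (st.st_mode & (S_IRGRP | S_IROTH)) ? 1 : 0;
}

int main(void)
{
    const char *path = "/tmp/dump_perm_demo.0";   /* hypothetical dump target */
    umask(022);                                    /* a typical default umask */
    printf("0644-style open: %04o\n", create_dump_file(path, 0));
    printf("0600-style open: %04o\n", create_dump_file(path, 1));
    unlink(path);
    return 0;
}
```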


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message