Date: 15 Oct 1996 00:40:46 +0200
From: Assar Westerlund <assar@sics.se>
To: Marc Slemko <marcs@znep.com>
Cc: Guido van Rooij <guido@gvr.win.tue.nl>, freebsd-security@FreeBSD.org
Subject: Re: bin/1805: Bug in ftpd
Message-ID: <5lvicd6ufk.fsf@assaris.sics.se>
In-Reply-To: Marc Slemko's message of Mon, 14 Oct 1996 15:52:18 -0600 (MDT)
References: <Pine.BSF.3.95.961014150514.4318G-100000@alive.ampr.ab.ca>
Marc Slemko <marcs@znep.com> writes:

> On Mon, 14 Oct 1996, Guido van Rooij wrote:
>
> > Marc Slemko wrote:
> > > A more permanent fix to the source may be something along the lines of the
> > > below patch (against RELENG_2_1_5_RELEASE), but there should be an
> > > official fix out in the next little bit:
> > >
> >
> > the sensitive info is cleared as soon as the info has been used.
> > The same problem could show up with any other suid root program that reads
> > the password databases. (If that is indeed what is happening. It might also be
> > that just the user's password string is dumped.)
>
> I agree that ftpd should be able to dump core if it wants to, but don't
> see an obvious solution that can be implemented in the ftpd code. From a
> quick look at ftpd.c, it seems to be doing the logical thing and simply
> calling getpwnam(3) to get the user info. This means that either the
> memory would have to be cleared by getpwnam, or some horribly inefficient
> hack would have to be put in ftpd.

I think this is a more general problem. And sometimes it's even worse.
Look at login:

	/* Discard permissions last so can't get killed and drop core. */
	if (rootlogin)
		(void) setuid(0);
	else
		(void) setuid(pwd->pw_uid);

	if (changepass) {
		int res;
		if ((res = system(_PATH_CHPASS)))
			sleepexit(1);
	}

	execlp(pwd->pw_shell, tbuf, 0);
	err(1, "%s", pwd->pw_shell);
}

After the setuid, I will be able to make it dump core, or even better use
`ptrace' and then login will still have the file descriptor pointing to
/etc/spwd.db open and I can make it read the complete shadow file.

> I haven't investigated this too far yet, but the idea of having the
> getpwent code clear each buffer it uses before freeing it may be practical
> and doesn't look too complex. That shouldn't create too much overhead and
> could certainly benefit more than ftpd.

Why not make endpwent clear the area and make ftpd & co. call it?

/assar
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5lvicd6ufk.fsf>