Date: Wed, 19 Feb 1997 10:56:11 +0200 (SAT)
From: Reinier Bezuidenhout <rbezuide@oskar.nanoteq.co.za>
To: dg@root.com
Cc: jas@flyingfox.COM, security@freebsd.org
Subject: Re: Coredumps and setuids .. interesting..
Message-ID: <199702190856.KAA26329@oskar.nanoteq.co.za>
In-Reply-To: <199702190757.XAA11039@root.com> from David Greenman at "Feb 18, 97 11:57:08 pm"

Hi ...

>
>    I've explained this several times already, but here goes again:
>
>    There was a bug in the kernel where it didn't pass the P_SUGID flag onto
> the child of a fork. rlogin is a special case setuid binary in that it forks
> and doesn't follow that with an exec. The child process was then vulnerable
> to being killed in a way that would cause a core dump. Everyone prior to you
> who has looked at the resulting core file (me included) has found that it
> contained only the encrypted password for the user's own account, and not
> any others. I'm rather surprised that you are saying that it contains other
> users' encrypted passwords...
>    In any case, that bug has been fixed in 2.1.7 and later versions of
> FreeBSD.
>

Sorry for letting you repeat it for the 64 234 time :) :)

Why I posted this is that I thought someone said it was fixed in 2.1.6,
but I was wrong since I noticed (tested) it on 2.1.7 and later and it does NOT work
there.

I do have a strings rlogin.core and in there are ALL the users and their
encrypted passwords, I can mail it ... but would rather not :)
... but seeing that 2.1.7 has been released, there is no point in worrying
about this anymore ... right ?

Thanx for your time
Reinier
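The fix discussed in the thread was made in the kernel (passing P_SUGID to the child of a fork). As an added example, not part of the original message and not FreeBSD's code: a userland defense-in-depth that a set-id program can apply itself, zeroing RLIMIT_CORE before it reads password data and checking that a child created by fork without exec inherits the limit. The function names are illustrative assumptions.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set soft and hard RLIMIT_CORE to 0 so the kernel writes no core file.
 * An unprivileged process cannot raise the hard limit again. (On Linux a
 * piped core_pattern handler is not bound by this limit.) */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* 1 if the caller's core limit is zero, 0 if not, -1 on error. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return rl.rlim_cur == 0 && rl.rlim_max == 0;
}

/* Fork without exec, the pattern the thread attributes to rlogin, and
 * report the child's view: 1 = disabled, 0 = still enabled, -1 = error. */
int forked_child_core_dumps_disabled(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int r = core_dumps_disabled();
        _exit(r == 1 ? 0 : (r == 0 ? 1 : 2));   /* child: encode result */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : (WEXITSTATUS(status) == 1 ? 0 : -1);
}

int main(void)
{
    if (disable_core_dumps() != 0) {   /* do this before reading any secret */
        perror("setrlimit");
        return 1;
    }
    printf("parent: %d, forked child: %d\n", core_dumps_disabled(), forked_child_core_dumps_disabled());
    return 0;
}
```

Because resource limits are inherited across fork, the child is covered even if a kernel-side set-id check on the child were to fail.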