Date: Tue, 7 Jan 2003 18:35:49 +0100 (CET)
From: Andrew Prewett
Reply-To: Andrew Prewett
To: freebsd-questions@FreeBSD.ORG
Subject: Re: security vulnerability in dump
In-Reply-To: <200301071548.H07FM0J93369@asarian-host.net>
Message-ID: <20030107183359.A51290@slave.east.ath.cx>
References: <200301071548.H07FM0J93369@asarian-host.net>
Today Mark wrote:

> I believe I have found a security vulnerability in dump, which, under the
> right conditions, allows any user with shell-access to gain root-privileges.
>
> When dumping to a file, dump writes this file chmod 644. When the
> root-partition is being backed-up, this leaves the dump-file vulnerable to
> scanning by unprivileged users for the duration of the dump.
>
> I tested this, and, as a non-privileged user, was able to extract the
> root-password from the dump-file using a simple regex:
> "(/root:(.*?):0:0::0:0:Superuser:/)". This is, of course, based on the fact
> that /etc/master.passwd also becomes part of the dump-file.
>
> As to how high to rank this exploitability, I am not sure. Certain
> conditions need to be met. The dump must be made to file, and the
> unprivileged user must, naturally, know the name of the dump-file; and the
> dump, of course, must be made in multi-user mode.
>
> Still, I would feel a lot better if the FreeBSD development team made a
> small adjustment to dump, writing its dump-file chmod 600, which would
> immediately solve any and all exploitability.
>
> If people deem it serious enough, I will file a report.
>
> Thanks for listening.
>
> P.S. I understand, of course, that the dump-file, when written to a
> directory to which non-privileged users have no access, would still be safe.
> But I deem it best to make dump safe on its own, and not have its safety
> depend on external factors.

Normally the master.passwd is backed up regularly by cron (/var/backups), so
maybe there is no need to back it up again.

hint: chflags nodump /etc/master.passwd

-andrew
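As an added illustration of the 0600 fix Mark asks for (example code, not from either poster or from the FreeBSD dump sources): an sh wrapper that pre-creates the output file with mode 0600 and refuses to run dump unless that succeeded. It assumes dump(8) writes into an already existing output file without recreating it (so the pre-set mode survives) and uses only the -0, -u and -f options.

```sh
#!/bin/sh
# Wrapper that pre-creates the dump output file with mode 0600 before
# running dump(8). Assumption: dump opens an existing output file for
# writing (O_TRUNC) and so keeps its inode and mode, meaning the on-disk
# copy of the root filesystem, master.passwd included, is never
# world-readable, not even for the duration of the dump.

# Permission string of a path, e.g. "-rw-------" (portable via ls -l).
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Create (or truncate) "$1" so that only its owner can read it.
# Also handles a leftover target from an earlier run that is already
# 0644: the chmod tightens it, and we fail if the result is not 0600.
prepare_dump_target() {
    target=$1
    if [ -L "$target" ]; then
        echo "refusing: $target is a symlink" >&2
        return 1
    fi
    ( umask 077 && : > "$target" ) || return 1
    chmod 0600 "$target" || return 1
    [ "$(file_mode "$target")" = "-rw-------" ]
}

# Level-0 dump of filesystem "$1" into file "$2", only once "$2" is 0600.
secure_dump() {
    fs=$1
    target=$2
    prepare_dump_target "$target" || {
        echo "refusing to dump: $target is not mode 0600" >&2
        return 1
    }
    dump -0u -f "$target" "$fs"
}

# Example invocation (as root): secure_dump / /var/backups/root.dump
if [ $# -eq 2 ]; then
    secure_dump "$1" "$2"
fi
```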