Re: L0pht Advisory: IMAP4rev1 imapd server

Kragen Sitaker (kragen@DNACO.NET)
Thu, 09 Oct 1997 10:12:26 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Runar Jensen: "Malicious Linux modules"
Previous message: Casper Dik: "Re: L0pht Advisory: IMAP4rev1 imapd server"
Maybe in reply to: (no name): "L0pht Advisory: IMAP4rev1 imapd server"

On Wed, 8 Oct 1997, Marc Slemko wrote:
> On Wed, 8 Oct 1997, We got Food - Fuel - Ice-cold Beer - and X.509 certificates wrote:
> > Scenario:
> >
> > It is possible to crash the imapd server in several possible places.
> > Due to the lack of handling for the SIGABRT signal and the nature
> > of the IMAP protocol in storing folders locally on the server; a core dump
> > is produced in the users current directory. This core dump contains the
> > password and shadow password files from the system.
>
> It should be noted that this only works on systems that allow a
> process that has changed UIDs since the last exec to core dump.
>
> Some, such as FreeBSD (and OpenBSD I would guess, and a dozen
> others), don't for exactly this reason. The same thing came
> up with ftpd a while back.

Now I know there have been some old security holes posted here on Bugtraq,
but this is an extreme case. I quote from the source of the Unix kernel,
version 6, out of the Lions book, on Sheet 40, copyright, J. Lions,
***1976***:

/*
* Create a core image on the file "core"
* If you are looking for protection glitches,
* there are probably a wealth of them here
* when this occurs to a suid command.

(Lines 4084 to 4088.)

That's at least 21 years this security hole has been known and described
in what's probably the most-read book among UNIX kernel hackers.

Kragen

Next message: Runar Jensen: "Malicious Linux modules"
Previous message: Casper Dik: "Re: L0pht Advisory: IMAP4rev1 imapd server"
Maybe in reply to: (no name): "L0pht Advisory: IMAP4rev1 imapd server"