imapd/ipop3d coredump in slackware 3.4

Peter van Dijk (peter@ATTIC.VUURWERK.NL)
Mon, 02 Feb 1998 00:08:17 +0100

[attic bug report nr. 1]

While fooling around a little with NIS/YP (didn't get it completely
working...) I ran into a bug in the imapd and ipop3d that come with
slackware 3.4 (if you install the pine package).
Earlier slackware versions will problably NOT suffer from this bug,
because they did not include shadowing.

When fed an unknown username, imapd and ipop3d will dump core:

[root@koek] /# telnet zopie 110
Trying 10.10.13.1...
Connected to zopie.attic.vuurwerk.nl.
Escape character is '^]'.
+OK zopie.attic.vuurwerk.nl POP3 3.3(20) w/IMAP2 client (Comments to MRC@CAC.Washington.EDU) at Sun, 1 Feb 1998 23:45:06 +0100 (CET)
user root
+OK User name accepted, password please
pass linux
[this is not the correct password]
-ERR Bad login
user john
[i have no user named john]
+OK User name accepted, password please
pass doe
Connection closed by foreign host.

At this point ipop3d coredumps in /core:

[root@zopie] /# strings core | grep -A3 root
root
[crypted pw here]

10244
Sun Feb 1 23:45:15 1998

--
root:[crypted pw here]:10244:0:::::
halt:*:9797:0:::::
operator:*:9797:0:::::
shutdown:*:9797:0:::::
[looks like my /etc/shadow ;(]
--
root:[crypted pw here]:10244:0:::::
john
koek.attic.vuurwerk.nl
PASS

[I removed the pw because it's my own ;)]

Same goes for imapd: Connected to zopie.attic.vuurwerk.nl. * OK zopie.attic.vuurwerk.nl IMAP2bis Service 7.8(100) at Sun, 1 Feb 1998 23:53:00 +0100 (CET) A001 LOGIN root linux A001 NO Bad LOGIN user name and/or password A002 LOGIN john doe Connection closed by foreign host.

Doing the strings/grep again gives about the same result.

Running this under strace shows that the program reads /etc/passwd and closes it again, then reopens it (to try the username in lowercase) and reads again, followed by a SIGSEGV.

The bug is in (one of) the patches and diffs that are applied to support shadowing in Linux. The problem is in log_lnx.c.diff.gz: - if (!(pw && pw->pw_uid)) return NIL; +/* if (!(pw && pw->pw_uid)) return NIL; */

I have no idea why this check is removed (the programs continue to keep working with this check enabled), but it breaks the whole thing. A couple more patches are applied, after which 'build lnx' is executed. Apparently Patrick Volkerding (maintainer of SlackWare, real cool guy I think) didn't realize that 'build slx' does about the same, only safe...

Note that the dumped core is mode 600, _unless_ /core already exists, in which case it's permissions are retained.

Greetz, Peter.

P.S. Does anybody know where a process like ipop3d leaves it's coredumps _after_ the user has logged in, so that it's running under the users' id?