COMMAND

    coredumps

SYSTEMS AFFECTED

    BSD/OS 2.x

PROBLEM

    Denis Papp posted the following.  The description of patch K210-029
    may give people a false sense of security.  It reads: "This  patch
    addresses a security problem with core dumps from setuid programs."

    Apparently this patch does not fix the problem where core dumps follow
    symlinks.  If a user knows how to make any setuid root program dump
    core, that user can then clobber any file on the system
    (/root/.rhosts, /etc/passwd, /etc/hosts.equiv, whatever), because the
    kernel writes the core image as root through whatever the symlink
    points at.  Furthermore, if that user knows how to make a setuid root
    program that calls getpass* dump core, the core image contains that
    program's memory, and the user can read shadowed passwords out of it
    (not necessarily all of them, depending on the size of your password
    file, but certainly some).

    This is easy to verify: create a simple setuid root program that dumps
    core, make a symbolic link from app.core to /root/.rhosts, run the
    program, and then check whether /root/.rhosts now holds the core image.
    If your system accepts '+ +' anywhere in the .rhosts file, you can put
    that string into your environment before running the program; the
    environment strings are part of the core image, so '+ +' lands inside
    /root/.rhosts and rlogin/rsh as root is then trusted from any host.

SOLUTION

    There  is  a  later  patch  for  BSD/OS  3.0  (M300-023)  which is
    described as:

        Fixes  a  potential  denial  of  service attack related to the
        kernel following symbolic links when writing core files.

    which should fix the problem once and for all.  The initial release of
    3.0 attempted to fix the problem differently and failed.  The M300-023
    patch doesn't disable setuid core dumps altogether, but it does stop
    the kernel from following symlinks when it writes the core file.
    Unfortunately, upgrading to 3.0 requires you to pay BSDI.
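    The following is an added example, not BSDI's kernel code and not part
    of the original post.  It reproduces the two behaviours described above
    in user space, on a throwaway temp directory rather than a real setuid
    program: a naive core writer that open()s the core path and so follows
    a planted app.core -> victim symlink (the clobber described in PROBLEM),
    beside a hardened writer that opens with O_NOFOLLOW and then checks the
    open descriptor (the symlink refusal that M300-023 is described as
    adding).  The victim file is a constructed stand-in for /root/.rhosts;
    O_NOFOLLOW is assumed to be available (Linux and modern BSDs), and the
    function names are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-ins: what the victim held, and what a core image "is". */
#define VICTIM_TEXT "# stand-in for /root/.rhosts (constructed, not a real file)\n"
#define CORE_TEXT   "+ +\n# stand-in core image: env strings, stack, heap ...\n"

/* Naive core writer (the pre-M300-023 behaviour): open(2) without
 * O_NOFOLLOW resolves app.core -> target, so a symlink planted by the
 * user makes the privileged writer truncate and overwrite the target. */
int write_core_unsafe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    close(fd);
    return (n == (ssize_t)len) ? 0 : -1;
}

/* Hardened core writer: never follow a symlink (open fails, ELOOP on
 * Linux), and only truncate an existing file after fstat on the open
 * descriptor confirms it is a plain, singly-linked file we own.  The
 * fstat-after-open avoids the lstat/open race a pre-check would have. */
int write_core_safe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != getuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;              /* hard link, device, or foreign file */
        return -1;
    }
    size_t len = strlen(data);
    int ok = (ftruncate(fd, 0) == 0) && (write(fd, data, len) == (ssize_t)len);
    close(fd);
    return ok ? 0 : -1;
}

static int read_back(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, n - 1, f);
    buf[got] = '\0';
    fclose(f);
    return 0;
}

/* Builds dir/victim and dir/app.core -> victim, runs writer on the link,
 * and returns 1 if victim now holds CORE_TEXT (i.e. it was clobbered),
 * 0 if it was left alone, -1 on setup failure. */
static int clobbered_through_symlink(int (*writer)(const char *, const char *))
{
    char dir[] = "/tmp/coredumpXXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char victim[256], corelink[256], buf[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(corelink, sizeof corelink, "%s/app.core", dir);

    FILE *f = fopen(victim, "w");
    if (!f)
        return -1;
    fputs(VICTIM_TEXT, f);
    fclose(f);
    if (symlink(victim, corelink) < 0)
        return -1;

    writer(corelink, CORE_TEXT);    /* verdict comes from the victim file */
    if (read_back(victim, buf, sizeof buf) < 0)
        return -1;
    int clobbered = (strcmp(buf, CORE_TEXT) == 0);

    unlink(corelink);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int unsafe_writer_clobbers_target(void) { return clobbered_through_symlink(write_core_unsafe) == 1; }
int safe_writer_refuses(void)           { return clobbered_through_symlink(write_core_safe) == 0; }

int main(void)
{
    printf("naive writer clobbers victim through app.core symlink: %s\n",
           unsafe_writer_clobbers_target() ? "yes" : "no");
    printf("O_NOFOLLOW writer leaves victim intact: %s\n",
           safe_writer_refuses() ? "yes" : "no");
    return 0;
}
```

    The same check works as a verification step on a patched system: plant
    the link, trigger the dump, and compare the target's contents before and
    after; if the target changed, the kernel followed the link.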