Today Mark wrote:

> I believe I have found a security vulnerability in dump, which, under the
> right conditions, allows any user with shell-access to gain root-privileges.
>
> When dumping to a file, dump writes this file chmod 644. When the
> root-partition is being backed-up, this leaves the dump-file vulnerable to
> scanning by unprivileged users for the duration of the dump.
>
> I tested this, and, as a non-privileged user, was able to extract the
> root-password from the dump-file using a simple regex:
> "(/root:(.*?):0:0::0:0:Superuser:/)". This is, of course, based on the fact
> that /etc/master.passwd also becomes part of the dump-file.
>
> As to how high to rank this exploitability, I am not sure. Certain
> conditions need to be met. The dump must be made to file, and the
> unprivileged user must, naturally, know the name of the dump-file; and the
> dump, of course, must be made in multi-user mode.
>
> Still, I would feel a lot better if the FreeBSD development team made a
> small adjustment to dump, writing its dump-file chmod 600, which would
> immediately solve any and all exploitability.
>
> If people deem it serious enough, I will file a report.
>
> Thanks for listening.
>
> P.S. I understand, of course, that the dump-file, when written to a
> directory to which non-privileged users have no access, would still be safe.
> But I deem it best to make dump safe on its own, and not have its safety
> depend on external factors.

Normally the master.passwd is backed up regularly by cron
(/var/backups), so maybe there is no need to back it up again.

hint: chflags nodump /etc/master.passwd

        -andrew
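An added example, not code from either message above or from FreeBSD's dump(8): it shows the fix Mark asks for applied from the caller's side. dump is run under umask 077 so the file it creates comes out 0600, and a small check confirms nobody but the owner can read the result. The dump invocation is only shown in a comment; `touch` stands in for it so the script runs anywhere. It assumes dump creates its output with mode 0666 masked by the umask (the usual open(2) with O_CREAT), and every path below is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Wrap dump(8) in a restrictive umask so
# the dump file, which contains /etc/master.passwd when / is dumped, is never
# group- or world-readable, then verify the mode of what was written.

# Run a command with umask 077. Any file the command creates with the usual
# open(..., O_CREAT, 0666) ends up 0600. (Assumption: dump creates its
# output file that way; if the file already exists its mode is kept.)
run_private() {
    (umask 077; "$@")
}

# Print the 10-character mode string of a file, e.g. "-rw-------".
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Exit 0 if the file is readable by its group or by others, 1 otherwise.
# Positions 5 and 8 of the ls -l mode string are the group and other read bits.
is_group_or_world_readable() {
    modestr=$(mode_string "$1")
    case "$modestr" in
        ????r*|???????r*) return 0 ;;
    esac
    return 1
}

# Sample run: create the dump file under umask 077 and check it.
# A real backup would replace "touch" with:  dump -0uaf "$out" /   (as root)
demo() {
    dir=$(mktemp -d) || return 1
    out="$dir/root.dump"        # constructed path
    run_private touch "$out"    # stand-in for the dump command
    if is_group_or_world_readable "$out"; then
        echo "UNSAFE: $out is $(mode_string "$out")"
        rc=1
    else
        echo "ok: $out is $(mode_string "$out")"
        rc=0
    fi
    rm -rf "$dir"
    return $rc
}

demo
```

Combined with andrew's hint (`chflags nodump /etc/master.passwd`), this covers both sides: the password file is not written into the archive at all, and the archive itself is not readable by anyone but root while it is being produced. The umask approach also works for dumps written through a pipe to a compressor, where the compressor rather than dump creates the final file.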

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
