Yo Timo, did you say that login processes "just don't crash"? Found these while doing load/malformed data tests. Got the kernel patch allow_setid_cores working. Don't have time to check if they're exploitable. Probably time to get a gamma version out for people, eh?
Cheers, Jared :)
===========================================================================================
Note: Running dovecot-1.0.beta2 with simple (no funniness) config
Note: Running on Intel (in VMware) with RH9.
Note: I'm using shadow authentication, but tried with PAM and it still dumped.
Note: For this first core, I see the server responding with:
      "*OK Waiting for authentication process to respond.."
Note: Not sure, but I think these problems are timing related. Be sure to check if a pointer is valid and that will get rid of most of these.
Note: I have plenty of sample cores if you need one to fix.
-Jared DeMott
[root@server dovecot]# gdb ./dovecot-auth -c core.22753
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
Core was generated by `dovecot-auth'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libpam.so.0...done.
Loaded symbols for /lib/libpam.so.0
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/tls/libc.so.6...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  auth_request_unref (_request=0x807b0f0) at auth-request.c:96
96          i_assert(request->refcount > 0);
(gdb) bt
#0  auth_request_unref (_request=0x807b0f0) at auth-request.c:96
#1  0x080523ee in auth_request_handler_unref (_handler=0x807b0f0) at auth-request-handler.c:66
#2  0x08050217 in auth_client_connection_destroy (_conn=0x807b0f0) at auth-client-connection.c:327
#3  0x0804ffd8 in auth_client_input (context=0x807b0f0) at auth-client-connection.c:227
#4  0x080607d0 in io_loop_handler_run (ioloop=0x8073100) at ioloop-poll.c:189
#5  0x0805fe29 in io_loop_run (ioloop=0x8073100) at ioloop.c:235
#6  0x08055329 in main (argc=1, argv=0xbfffe454) at main.c:309
#7  0x42015574 in __libc_start_main () from /lib/tls/libc.so.6
(gdb) p request
$1 = (struct auth_request *) 0x1
(gdb) i r
eax            0x807b0f0        134721776
ecx            0x1      1
edx            0x6c     108
ebx            0x8084e78        134762104
esp            0xbfffe2f0       0xbfffe2f0
ebp            0xbfffe2f8       0xbfffe2f8
esi            0x80a43c8        134890440
edi            0xbfffe314       -1073749228
eip            0x80512d1        0x80512d1
eflags         0x286    646
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x33     51
(gdb)
[root@server 1]# gdb ./dovecot-auth -c core.30100
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
warning: exec file is newer than core file.
Core was generated by `dovecot-auth'.
Program terminated with signal 6, Aborted.
#0  0xffffe002 in ?? ()
(gdb) bt
#0  0xffffe002 in ?? ()
#1  0x42028a73 in ?? ()
#2  0x0805d47c in default_info_handler (format=0x8067d00 "\024P?u\024?u\020?u\f?u\b?\t", args=0xbffff264 "z|\006\b!") at failures.c:162
#3  0x0805d04b in t_buffer_alloc (size=1108544020) at data-stack.c:347
#4  0x0804fa54 in reply_line_hide_pass (line=0x1 <Address 0x1 out of bounds>) at auth-client-connection.c:35
#5  0x0804fa71 in reply_line_hide_pass (line=0x0) at auth-client-connection.c:36
#6  0x080523bb in auth_request_handler_unref (_handler=0x0) at auth-request-handler.c:74
#7  0x08052b65 in auth_request_handler_auth_continue (handler=0x0, args=0x80774e0 "HU\n\b") at auth-request-handler.c:350
#8  0x0805f916 in io_add (fd=2, condition=39, callback=0x80778e8, context=0x0) at ioloop.c:23
#9  0x080602c8 in io_loop_notify_remove (ioloop=0x0, io=0x8075b00) at ioloop-notify-dn.c:138
#10 0x0805f985 in io_add (fd=0, condition=1073792608, callback=0x80678bc <pwrite_full+64>, context=0x0) at ioloop.c:43
#11 0x08054f94 in add_extra_listeners () at main.c:148
#12 0x42015574 in ?? ()
(gdb) i r
eax            0x0      0
ecx            0x6      6
edx            0x42130a14       1108544020
ebx            0x7594   30100
esp            0xbffff0e0       0xbffff0e0
ebp            0xbffff0e8       0xbffff0e8
esi            0x806daa8        134666920
edi            0x80e92e8        135172840
eip            0xffffe002       0xffffe002
eflags         0x246    582
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x33     51
(gdb)
[root@server login]# gdb ./imap-login -c core.25116
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
Core was generated by `imap-login'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libssl.so.4...done.
Loaded symbols for /lib/libssl.so.4
Reading symbols from /lib/libcrypto.so.4...done.
Loaded symbols for /lib/libcrypto.so.4
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /usr/kerberos/lib/libgssapi_krb5.so.2...done.
Loaded symbols for /usr/kerberos/lib/libgssapi_krb5.so.2
Reading symbols from /usr/kerberos/lib/libkrb5.so.3...done.
Loaded symbols for /usr/kerberos/lib/libkrb5.so.3
Reading symbols from /usr/kerberos/lib/libk5crypto.so.3...done.
Loaded symbols for /usr/kerberos/lib/libk5crypto.so.3
Reading symbols from /usr/kerberos/lib/libcom_err.so.3...done.
Loaded symbols for /usr/kerberos/lib/libcom_err.so.3
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/tls/libc.so.6...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  i_stream_read (stream=0x0) at istream.c:48
48          if (stream->closed)
(gdb) bt
#0  i_stream_read (stream=0x0) at istream.c:48
#1  0x0804ade2 in client_read (client=0x8070410) at client.c:311
#2  0x0804ae3c in client_input (context=0x8070410) at client.c:333
#3  0x08055558 in io_loop_handler_run (ioloop=0x806cc50) at ioloop-poll.c:189
#4  0x08054bb1 in io_loop_run (ioloop=0x806cc50) at ioloop.c:235
#5  0x0804d3ed in main (argc=1, argv=0xbffff504, envp=0xbffff50c) at main.c:341
#6  0x42015574 in __libc_start_main () from /lib/tls/libc.so.6
(gdb) p stream
$1 = (struct istream *) 0x0
(gdb)
[root@server core]# gdb ./imap -c core.15043
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
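The two shapes that show up in the cores above, a refcount assert tripping on a pointer that is no longer a valid object (first core: `p request` gives 0x1) and a read through a NULL stream (third core: `i_stream_read (stream=0x0)`), are the cases Jared's "check if a pointer is valid" note is about. What follows is an added example in C written for this page, not Dovecot's code and not a diagnosis of these particular bugs: a hypothetical refcounted request released through a pointer-to-pointer that is cleared on release, so a stray second release through the same variable is a no-op rather than a refcount check on freed memory, and a stream read that returns an error for a NULL or closed stream instead of dereferencing `stream->closed`. All names (`struct request`, `request_unref`, `stream_read`, the demo functions) and the sample input are assumptions made up for the illustration.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical refcounted request (names made up for this example). */
struct request {
    int refcount;
    char user[32];
};

/* Hypothetical input stream with the same "closed" flag the core shows. */
struct istream {
    int closed;
    const char *data;
    size_t pos;
    size_t len;
};

struct request *request_new(const char *user)
{
    struct request *r = calloc(1, sizeof *r);
    if (r == NULL)
        abort();
    r->refcount = 1;
    snprintf(r->user, sizeof r->user, "%s", user);
    return r;
}

void request_ref(struct request *r)
{
    assert(r != NULL && r->refcount > 0);
    r->refcount++;
}

/* Release through the caller's own pointer and clear it. A second call
   through the same variable then sees NULL and returns, instead of reading
   a refcount out of a freed (or never valid) block. Returns 1 if freed. */
int request_unref(struct request **_r)
{
    struct request *r = *_r;
    if (r == NULL)
        return 0;               /* already released via this pointer */
    assert(r->refcount > 0);
    *_r = NULL;
    if (--r->refcount > 0)
        return 0;               /* another owner still holds it */
    memset(r, 0, sizeof *r);    /* poison so a stale user fails loudly */
    free(r);
    return 1;
}

/* Guarded read: -1 for a stream that was never created or is closed,
   otherwise the number of bytes copied (0 at end of data). */
long stream_read(struct istream *stream, char *buf, size_t buflen)
{
    if (stream == NULL || stream->closed)
        return -1;
    size_t n = stream->len - stream->pos;
    if (n > buflen)
        n = buflen;
    memcpy(buf, stream->data + stream->pos, n);
    stream->pos += n;
    return (long)n;
}

/* Two owners (a "connection" and a "handler") each release once, then a
   stray third release goes through an already-cleared pointer. Returns
   how many times the object was actually freed: must be exactly 1. */
int demo_double_unref(void)
{
    struct request *conn_req = request_new("jared");
    struct request *handler_req = conn_req;
    int freed = 0;
    request_ref(handler_req);                /* refcount 2 */
    freed += request_unref(&conn_req);       /* refcount 1, not freed */
    freed += request_unref(&handler_req);    /* refcount 0, freed */
    freed += request_unref(&conn_req);       /* NULL: harmless no-op */
    return freed;
}

/* A client whose input stream was never set up, then a real one holding
   a constructed IMAP line. Returns 1 when every call behaved as intended. */
int demo_null_stream(void)
{
    char buf[16];
    struct istream *client_input = NULL;    /* never created */
    struct istream s = { 0, "a001 LOGIN", 0, 10 };  /* constructed input */
    if (stream_read(client_input, buf, sizeof buf) != -1)
        return 0;
    if (stream_read(&s, buf, sizeof buf) != 10)
        return 0;
    return stream_read(&s, buf, sizeof buf) == 0;
}

int main(void)
{
    printf("double unref freed %d object(s)\n", demo_double_unref());
    printf("NULL stream handled: %s\n", demo_null_stream() ? "yes" : "no");
    return 0;
}
```

The pointer-to-pointer signature is the point: the gdb frames above show `_request`, `_handler` and `_conn` arguments passed by address, and clearing `*_r` at release time is what turns a repeated unref from a crash into a no-op. The `memset` before `free` is optional poisoning so that any remaining stale holder fails on the refcount assert immediately rather than on whatever the allocator reuses the block for.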