TUCoPS :: Linux :: Slackware :: slakwhol.txt

imapd/ipop3d core dump in Slackware 3.4


Date: Mon, 2 Feb 1998 00:08:17 +0100
From: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
To: BUGTRAQ@NETSPACE.ORG
Subject: imapd/ipop3d coredump in slackware 3.4

[attic bug report nr. 1]

While fooling around a little with NIS/YP (didn't get it completely
working...) I ran into a bug in the imapd and ipop3d that come with
slackware 3.4 (if you install the pine package).
Earlier slackware versions will problably NOT suffer from this bug,
because they did not include shadowing.

When fed an unknown username, imapd and ipop3d will dump core:

[root@koek] /# telnet zopie 110
Trying 10.10.13.1...
Connected to zopie.attic.vuurwerk.nl.
Escape character is '^]'.
+OK zopie.attic.vuurwerk.nl POP3 3.3(20) w/IMAP2 client (Comments to MRC@CAC.Washington.EDU) at Sun, 1 Feb 1998 23:45:06 +0100 (CET)
user root
+OK User name accepted, password please
pass linux
[this is not the correct password]
-ERR Bad login
user john
[i have no user named john]
+OK User name accepted, password please
pass doe
Connection closed by foreign host.

At this point ipop3d coredumps in /core:

[root@zopie] /# strings core | grep -A3 root
root
[crypted pw here]

10244
Sun Feb  1 23:45:15 1998
--
root:[crypted pw here]:10244:0:::::
halt:*:9797:0:::::
operator:*:9797:0:::::
shutdown:*:9797:0:::::
[looks like my /etc/shadow ;(]
--
root:[crypted pw here]:10244:0:::::
john
koek.attic.vuurwerk.nl
PASS

[I removed the pw because it's my own ;)]

Same goes for imapd:
Connected to zopie.attic.vuurwerk.nl.
* OK zopie.attic.vuurwerk.nl IMAP2bis Service 7.8(100) at Sun, 1 Feb 1998 23:53:00 +0100 (CET)
A001 LOGIN root linux
A001 NO Bad LOGIN user name and/or password
A002 LOGIN john doe
Connection closed by foreign host.

Doing the strings/grep again gives about the same result.

Running this under strace shows that the program reads /etc/passwd and
closes it again, then reopens it (to try the username in lowercase) and
reads again, followed by a SIGSEGV.

The bug is in (one of) the patches and diffs that are applied to
support shadowing in Linux.
81b
 The problem is in log_lnx.c.diff.gz:
-  if (!(pw && pw->pw_uid)) return NIL;
+/*  if (!(pw && pw->pw_uid)) return NIL; */

I have no idea why this check is removed (the programs continue to keep
working with this check enabled), but it breaks the whole thing.
A couple more patches are applied, after which 'build lnx' is executed.
Apparently Patrick Volkerding (maintainer of SlackWare, real cool guy I
think) didn't realize that 'build slx' does about the same, only safe...

Note that the dumped core is mode 600, _unless_ /core already exists, in
which case it's permissions are retained.

Greetz, Peter.

P.S. Does anybody know where a process like ipop3d leaves it's coredumps
_after_ the user has logged in, so that it's running under the users' id?


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH