Date: Fri, 25 May 2001 13:43:59 -0400
From: "alexus" <ml@db.nexgen.com>
To: "Nick Cleaton" <nick@cleaton.net>, <security@freebsd.org>
Subject: Re: 4.3 Security: local DoS via clean-tmps
Message-ID: <001301c0e542$474fd3b0$01000001@book>
References: <20010525180354.A434@lt1.cleaton.net>

How can I make sure that I don't have this enabled? And is there a fix for that?

----- Original Message -----
From: "Nick Cleaton" <nick@cleaton.net>
To: <security@freebsd.org>
Sent: Friday, May 25, 2001 1:03 PM
Subject: 4.3 Security: local DoS via clean-tmps

>
> Tested in 4.3-RELEASE only:
>
> If /etc/periodic/daily/clean-tmps is enabled, then it's possible
> for any local user to trick it into calling unlink() or rmdir()
> on anything in the root directory.
>
> The problem is that "find -delete" can be made to do chdir("..")
> multiple times followed by unlink() and/or rmdir().
>
> 588 find CALL chdir(0x280e227d)
> 588 find NAMI ".."
> 588 find RET chdir 0
> 588 find CALL chdir(0x280e227d)
> 588 find NAMI ".."
> 588 find RET chdir 0
> 588 find CALL chdir(0x280e227d)
> 588 find NAMI ".."
> 588 find RET chdir 0
> 588 find CALL chdir(0x280e227d)
> 588 find NAMI ".."
> 588 find RET chdir 0
> 588 find CALL unlink(0x8051440)
> 588 find NAMI "sys"
>
> This means it can be tricked into going up too high by moving
> its current directory higher up the hierarchy, by for example
> doing "mv /tmp/1/2/3 /tmp/4" while find's working directory is
> somewhere under "/tmp/1/2/3".
>
> The attached exploit will cause it to delete the /home -> /usr/home
> symlink. I think this would render it impossible to log into a
> system configured for non-root ssh access via DSA key only.
>
> This could also be used to unlink other users' files in /tmp
> without regard to their age.
>
> --
> Nick Cleaton
> nick@cleaton.net
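
Added example, not part of the original messages and not FreeBSD's own code: a Python sketch of the check a directory walker can make before each chdir("..") so that a relocated subtree, as in the "mv /tmp/1/2/3 /tmp/4" case quoted above, is detected instead of followed. The names descend, safe_ascend, TreeMoved and demo are hypothetical, and the directory tree is constructed in a temporary directory.

```python
import os
import tempfile

class TreeMoved(Exception):
    """Raised when '..' is not the directory the walker descended from."""

def _ident(st):
    # A directory is identified by (device, inode), not by its path name.
    return (st.st_dev, st.st_ino)

def descend(name, stack):
    """Enter `name`, remembering the identity of the directory being left."""
    stack.append(_ident(os.stat(".")))
    os.chdir(name)

def safe_ascend(stack):
    """Go up one level only if '..' is still the recorded parent."""
    fd = os.open("..", os.O_RDONLY | os.O_DIRECTORY)
    try:
        if _ident(os.fstat(fd)) != stack[-1]:
            raise TreeMoved("parent directory changed during traversal")
        os.fchdir(fd)  # same open directory that was just checked
        stack.pop()
    finally:
        os.close(fd)

def demo(relocate=True):
    """Constructed scenario; returns (levels climbed, relocation detected)."""
    start = os.getcwd()
    with tempfile.TemporaryDirectory() as root:
        try:
            os.makedirs(os.path.join(root, "1", "2", "3", "deep"))
            os.chdir(root)
            stack = []
            for name in ("1", "2", "3", "deep"):
                descend(name, stack)
            if relocate:
                # Stands in for another process renaming the subtree
                # while the walker's working directory is inside it.
                os.rename(os.path.join(root, "1", "2", "3"),
                          os.path.join(root, "4"))
            climbed = 0
            try:
                while stack:
                    safe_ascend(stack)
                    climbed += 1
            except TreeMoved:
                return climbed, True
            return climbed, False
        finally:
            os.chdir(start)  # leave the temp tree before it is removed
```

With the rename, the walker climbs one level (out of "deep") and then stops, because the parent of the moved directory is no longer the directory it came from; without the check it would keep issuing chdir("..") and end up above its starting point.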