Date:      Fri, 25 May 2001 13:43:59 -0400
From:      "alexus" <ml@db.nexgen.com>
To:        "Nick Cleaton" <nick@cleaton.net>, <security@freebsd.org>
Subject:   Re: 4.3 Security: local DoS via clean-tmps
Message-ID:  <001301c0e542$474fd3b0$01000001@book>
References:  <20010525180354.A434@lt1.cleaton.net>

How can I make sure that I don't have this enabled? And is there a fix for
that?

----- Original Message -----
From: "Nick Cleaton" <nick@cleaton.net>
To: <security@freebsd.org>
Sent: Friday, May 25, 2001 1:03 PM
Subject: 4.3 Security: local DoS via clean-tmps


>
> Tested in 4.3-RELEASE only:
>
> If /etc/periodic/daily/clean-tmps is enabled, then it's possible
> for any local user to trick it into calling unlink() or rmdir()
> on anything in the root directory.
>
> The problem is that "find -delete" can be made to do chdir("..")
> multiple times followed by unlink() and/or rmdir().
>
>    588 find     CALL  chdir(0x280e227d)
>    588 find     NAMI  ".."
>    588 find     RET   chdir 0
>    588 find     CALL  chdir(0x280e227d)
>    588 find     NAMI  ".."
>    588 find     RET   chdir 0
>    588 find     CALL  chdir(0x280e227d)
>    588 find     NAMI  ".."
>    588 find     RET   chdir 0
>    588 find     CALL  chdir(0x280e227d)
>    588 find     NAMI  ".."
>    588 find     RET   chdir 0
>    588 find     CALL  unlink(0x8051440)
>    588 find     NAMI  "sys"
>
> This means it can be tricked into going up too high by moving
> its current directory higher up the hierarchy, by for example
> doing "mv /tmp/1/2/3 /tmp/4" while find's working directory is
> somewhere under "/tmp/1/2/3".
>
> The attached exploit will cause it to delete the /home -> /usr/home
> symlink.  I think this would render it impossible to log into a
> system configured for non-root ssh access via DSA key only.
>
> This could also be used to unlink other users' files in /tmp
> without regard to their age.
>
> --
> Nick Cleaton
> nick@cleaton.net
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



