fileutils 4.1

Matthias Benkmann matthias at winterdrache.de
Fri May 17 06:58:42 PDT 2002


On Fri, 17 May 2002 01:05:19 +0100 Ian Molton <spyro at armlinux.org> wrote:

> On Thu, 16 May 2002 19:12:24 -0400
> Gerard Beekmans <gerard at linuxfromscratch.org> wrote:
> 
> > > or are you (lfs dev ppl) waiting for the next (non-devel) fileutils
> > > release to incorporate it into lfs? (my first thought)
> > 
> what is the exploitable security risk, anyway?

If I understood the problem properly (I only read a very brief security
notice from a distro vendor, so this may be inaccurate), it works like this:

root wants to delete the home directory of user malicious like this:

cd /home/
rm -rf malicious

Now rm begins to descend recursively. At some point it reaches the
directory /home/malicious/pictures/porn and starts erasing it. User
malicious is also logged in at the same time and notices that his porn
files are disappearing. He does the following:

mv /home/malicious/pictures/porn /home/malicious

thereby moving /home/malicious/pictures/porn to directory
/home/malicious/porn.

After rm has finished erasing the porn directory, it goes up one level in
the directory hierarchy. This used to be the directory
/home/malicious/pictures but because of the move it's now /home/malicious.
rm wipes this directory also and goes up yet another level. But what used
to be /home/malicious is now /home and rm happily starts erasing the
complete /home dir tree.


I see 3 major ways this can be exploited:

a) automated scripts to wipe /tmp. If these are run in a situation where
user processes may run (don't forget that a user does not need to be
logged in to run a process; a cron job could be prepared to start the
exploit as soon as possible after reboot), a user can use the above attack
method to delete the whole file system.

b) a background process that waits for the home directory to be cleared on
account termination, e.g. a revenge program of a fired employee. Only
effective if user processes are not killed before removing /home/user.

c) semantic attack on the admin to get him to delete a directory in /tmp
or /home. Example: cute female student to admin: "I can't delete this
directory. I am soooo helpless. Pleease Mr Admin show me how to do it."

Scenario c) is probably the most dangerous :-)

MSB

-- 
I am Pentium of Borg. Precision is futile.
Prepare to be approximated!

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-dev' in the subject header of the message
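Added example (not part of the message above, and not fileutils code): the usual mitigation for this race, written as a small C program for a POSIX.1-2008 system such as Linux. Instead of chdir("..") after finishing a subdirectory, the remover keeps every directory it descends into open as a file descriptor and works with openat/fdopendir/unlinkat, and it compares st_dev/st_ino of what it opened against the preceding lstat. A directory moved out from under it is still the same open object, so "up one level" is always the descriptor it came from, never whatever path happens to sit there now. The function names (safe_rmtree, rmtree_fd, open_checked_dir, race_demo, make_fixture, exists_under) and the fixture tree a/b/f1, a/f2, g are my own; race_demo replays the post's mv against a constructed tree under /tmp and confirms that only the moved directory's contents are gone.

```c
/* Added example, not from this post and not fileutils/coreutils code. The usual
 * mitigation for the race above: hold each directory as a file descriptor and
 * use openat/fdopendir/unlinkat, so "up one level" is never chdir(".."). */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int rmtree_fd(int dfd);                   /* mutually recursive with remove_entry */

/* Open entry `name` of dfd without following links and confirm by dev/ino
 * that it is the inode the caller lstat'ed; anything swapped in is refused. */
static int open_checked_dir(int dfd, const char *name, const struct stat *st)
{
    struct stat st2; int fd = openat(dfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd >= 0 && (fstat(fd, &st2) != 0 || st2.st_dev != st->st_dev || st2.st_ino != st->st_ino)) {
        close(fd); fd = -1;                      /* not the object we lstat'ed: refuse */
    }
    return fd;
}

static int remove_entry(int dfd, const char *name)
{
    struct stat st;
    if (fstatat(dfd, name, &st, AT_SYMLINK_NOFOLLOW) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return unlinkat(dfd, name, 0);   /* never follows a link */
    int cfd = open_checked_dir(dfd, name, &st);
    if (cfd < 0) return -1;
    int rc = rmtree_fd(cfd);                     /* cfd is consumed by the callee */
    if (unlinkat(dfd, name, AT_REMOVEDIR) != 0) rc = -1;
    return rc;
}

/* Empty the directory held by dfd (consumed and closed). Unlinking during
 * readdir() may skip entries, so rescan until a pass removes nothing. */
static int rmtree_fd(int dfd)
{
    DIR *d = fdopendir(dfd);
    if (!d) { close(dfd); return -1; }
    int removed, failed;
    do {
        removed = failed = 0;
        rewinddir(d);
        for (struct dirent *e; (e = readdir(d)) != NULL; ) {
            if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
            if (remove_entry(dfd, e->d_name) == 0) removed++; else failed++;
        }
    } while (removed > 0);
    closedir(d);                                 /* also closes dfd */
    return failed ? -1 : 0;
}

int safe_rmtree(const char *path)                /* rm -rf PATH, descriptor-based */
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return unlink(path);
    int fd = open_checked_dir(AT_FDCWD, path, &st);
    int rc = fd < 0 ? -1 : rmtree_fd(fd);
    return rc == 0 && rmdir(path) == 0 ? 0 : -1;
}

int exists_under(const char *base, const char *rel)   /* does base/rel exist? */
{
    char p[512]; struct stat st;
    return snprintf(p, sizeof p, "%s/%s", base, rel) > 0 && lstat(p, &st) == 0;
}

/* Constructed fixture base/a/b/f1, base/a/f2, base/g under a fresh mkdtemp() dir, path to buf (>= 32 bytes). */
int make_fixture(char *buf)
{
    const char *ents[] = { "a", "a/b", "a/b/f1", "a/f2", "g" }; char p[512];   /* first two are dirs */
    strcpy(buf, "/tmp/rmrace_XXXXXX");
    if (!mkdtemp(buf)) return -1;
    for (size_t i = 0; i < 5; i++) {
        snprintf(p, sizeof p, "%s/%s", buf, ents[i]);
        if ((i < 2 ? mkdir(p, 0700) : close(open(p, O_WRONLY | O_CREAT | O_EXCL, 0600))) != 0) return -1;
    }
    return 0;
}

/* Models the post's race: the remover has descended into base/a/b and holds its fd; the
 * owner runs `mv base/a/b base/b`. Returns 1 when only that directory was emptied. */
int race_demo(const char *base)
{
    char deep[512], moved[512];
    snprintf(deep, sizeof deep, "%s/a/b", base);
    snprintf(moved, sizeof moved, "%s/b", base);
    int fd = open(deep, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return 0;
    if (rename(deep, moved) != 0) { close(fd); return 0; }
    rmtree_fd(fd);                               /* continues through the held fd */
    return !exists_under(base, "b/f1") && exists_under(base, "b")
        && exists_under(base, "a/f2") && exists_under(base, "g");
}
```

Build with something like `cc -std=c99 -Wall safe_rm.c` (file name is my choice). safe_rmtree() is the rm -rf entry point; make_fixture(), exists_under() and race_demo() only exist to exercise it, and the dev/ino comparison in open_checked_dir is what turns a directory swapped in between lstat and open into an error instead of a traversal of the wrong tree.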