[1693] in linux-security and linux-alert archive
[linux-security] overwrite any file with updatedb
daemon@ATHENA.MIT.EDU (Cain)
Mon Mar 2 22:52:37 1998
Resent-From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
Resent-To: linux-security@redhat.com
Reply-To: Cain <cain@TASAM.COM>
From: Cain <cain@TASAM.COM>
To: BUGTRAQ@NETSPACE.ORG
Date: Sun, 1 Mar 1998 22:44:11 -0500
[Mod: Headers modified -- alex]
If this is already known, my apologies. It seemed very strange that this
worked, so I thought it would be mentionable.
On many linux systems(Redhat imparticularly) updatedb is run nightly
around 1:00. When it sorts the files that find gets, it creats a few files
in /tmp called sort0<pid>000{1,2,etc}. Each is around 512k. The
first file is created and filled, then if necassary, another is created
and so on until it has your whole filesystem into a nice database. Well,
once the first file is created you can easily guess what the next filename
will be called as only the last character will change. If you create a
link to say, the shadow password file, updatedb will kindly overwrite it
for you. Ex:
<assuming updatedb is running in the background>
$ ls /tmp
sort012340000 sort012340001
$ ln -s /etc/shadow /tmp/sort012340002
<wait for awhile to give updatedb time to write to our link>
$ ls /tmp
sort012340000 sort012340001 sort012340002 sort012340003
It's done, it will now clear out it's files from /tmp. Now go look at the
shadow password file. It will be quite larger then it was before. About
512k is it's new size. I played with this for awhile but couldn't find
anyway to write anything useful to any file except /etc/shells so you can
ftp into the system no matter what your specified shell is.
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null