[538] in Best-of-Security


BoS: Symlink bug with GCC 2.7.2

daemon@ATHENA.MIT.EDU (Richard Kenny)
Sun Jan 18 14:44:11 1998

X-Delivering-To: best-of-security-mtg@menelaus.mit.edu
XDelivering-To: best-of-security@cyber.com.au
Delivering-To: best-of-security@cyber.com.au
Date: 	Fri, 2 Jan 1998 20:21:04 -0600
Reply-To: Richard Kenny <rkenny@CRIMELAB.NET>
From: Richard Kenny <rkenny@CRIMELAB.NET>
Old-X-Originally-To: To: BUGTRAQ@NETSPACE.ORG
Old-X-Originated-From: From: Richard Kenny <rkenny@CRIMELAB.NET>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au


Hi. This is my first post, so please be gentle ;)
Also, sorry if this is a known bug, but i couldn't find anything about
it in the archives from the past few months.

i got bored today, so i played around a bit with some stuff...
this is one interesting thing i saw ->

[root@busted]-[/tmp]# (ps -aux|grep gcc);ls -la
root   1683  0.0  2.1   856   324   4 S     18:25   0:00 gcc -o z zed.c
<junk snipped>
-rw-rw-r--   1 root     root     33583 Jan  2 18:25 cca02383.i
-rw-rw-r--   1 root     root         0 Jan  2 18:25 cca02383.s
-rw-rw-r--   1 root     root        41 Jan  2 18:56 purly.pl


hrm... this didn't look quite right... i made some symlinks (about
50 or so, rather than spend some time to be accurate) with the
names "cca02490.s" to "cca02550.s" to a file called "purly.pl"

Then i ran gcc a few hundred times, just for good measure...

-rwxrwxr-x   1 root     root         2386 Jan  2 18:44 purly.pl

[root@busted]-[/tmp]# head purly.pl -n 2
        .file   "zed.c"
                .version        "01.01"

hello! this isn't the "hello world!" thing i used to have...

The ramifications of this? Any file that can be read, can be
destroyed with some time and effort on the part of an attacker...
(Mind you, it might be a *lot* of time, but who knows)


Richard Kenny

--
rkenny@crimelab.net
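
Added example (not part of the original post, and not GCC's code): a C sketch of the temp-file pattern behind the behaviour reported above, next to the hardened form that refuses a name that already exists. The scratch directory, the file contents and the function names are constructed for the illustration; the file names echo the ones in the post.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample contents, not taken from the post. */
static const char ORIGINAL[] = "print \"hello world!\\n\";\n";   /* 24 bytes */
static const char ASM_OUT[]  = "\t.file\t\"zed.c\"\n";            /* 15 bytes */

/* Weak: create-or-truncate on a guessable name; open() follows a symlink. */
static int open_tmp_unsafe(const char *p) {
    return open(p, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL fails with EEXIST if the name exists, symlinks included. */
static int open_tmp_safe(const char *p) {
    return open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Plays the scenario inside a private scratch directory and returns the
   size of the linked-to file afterwards (-1 on setup failure). */
long victim_size_after(int use_safe_open) {
    char dir[] = "/tmp/symdemoXXXXXX", victim[64], tmp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/purly.pl", dir);
    snprintf(tmp, sizeof tmp, "%s/cca02490.s", dir);   /* guessable temp name */

    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    if (write(fd, ORIGINAL, strlen(ORIGINAL)) < 0) return -1;
    close(fd);
    if (symlink(victim, tmp) != 0) return -1;           /* link already in place */

    fd = use_safe_open ? open_tmp_safe(tmp) : open_tmp_unsafe(tmp);
    if (fd >= 0) {                                      /* the "compiler" writes its output */
        if (write(fd, ASM_OUT, strlen(ASM_OUT)) < 0) return -1;
        close(fd);
    }
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmp); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("unsafe open: linked file is now %ld bytes\n", victim_size_after(0));
    printf("O_EXCL open: linked file is still %ld bytes\n", victim_size_after(1));
    return 0;
}
```

mkstemp(3) combines the same exclusive creation with a name that is not guessable, and pointing TMPDIR at a directory only the user can write keeps other users' links out of the path entirely.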


