[6197] in bugtraq
Re: overwrite any file with updatedb
daemon@ATHENA.MIT.EDU (Dave G.)
Mon Mar 2 17:08:28 1998
Date: Mon, 2 Mar 1998 12:22:29 -0800
Reply-To: "Dave G." <dhg@DEC.NET>
From: "Dave G." <dhg@DEC.NET>
X-To: Cain <cain@TASAM.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.BSF.3.96.980301224352.10578B-100000@tasam.com>
> If this is already known, my apologies. It seemed very strange that this
> worked, so I thought it would be mentionable.
>
It is known. See KSR[T] Advisory #3( http://www.dec.net/ksrt/adv3.html ).
> On many linux systems(Redhat imparticularly) updatedb is run nightly
> around 1:00. When it sorts the files that find gets, it creats a few files
> in /tmp called sort0<pid>000{1,2,etc}. Each is around 512k. The
> first file is created and filled, then if necassary, another is created
> and so on until it has your whole filesystem into a nice database. Well,
> once the first file is created you can easily guess what the next filename
> will be called as only the last character will change. If you create a
> link to say, the shadow password file, updatedb will kindly overwrite it
> for you. Ex:
>
> I played with this for awhile but couldn't find
> anyway to write anything useful to any file except /etc/shells so you can
> ftp into the system no matter what your specified shell is.
>
The consequences are more serious than that. A carefully crafted filename
in a world writable directory that updatedb processes could lead to a root
compromise. One could overwrite root's .rhosts or .login.
This could easily lead to a root compromise.
Dave G.
David Goldsmith dhg@dec.net
DEC Consulting http://www.dec.net
Software Development/Internet Security http://www.dec.net/~dhg
