[18568] in bugtraq
Re: major security bug in reiserfs (may affect SuSE Linux)
daemon@ATHENA.MIT.EDU (Jack Coates)
Fri Jan 12 12:00:28 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Message-Id: <20010110165238.C11233@felix.monkeynoodle.prv>
Date: Wed, 10 Jan 2001 16:52:38 -0800
Reply-To: Jack Coates <jack@MONKEYNOODLE.ORG>
From: Jack Coates <jack@MONKEYNOODLE.ORG>
X-To: Andreas Ferber <af@DEVCON.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010110185033.C28371@kallisto.home>; from af@DEVCON.NET on Wed, Jan 10, 2001 at 09:50:33 -0800
I can confirm this root-kit hiding behavior on kernel 2.2.17 and
ReiserFS 3.5.28. However the kernel panic did not happen at 768
characters or 3379 characters.
--
Jack Coates
Monkeynoodle: It's what's for dinner!
On Wed, 10 Jan 2001 09:50:33 Andreas Ferber wrote:
> Hi,
>
> On Wed, Jan 10, 2001 at 12:42:01AM +0100, Marc Lehmann wrote:
>
> > We have tested and verified this problem on a number of different systems
> > and kernels 2.2.17/2.2.8 with reiserfs-3.5.28 and probably other versions.
> >
> > Basically, you do:
> >
> > mkdir "$(perl -e 'print "x" x 768')"
> >
> > I.e. create a very long directory. The name doesn't seem to be of
> > relevance (we found this out by doing mkdir "$(cat /etc/hosts)" for other
> > tests). This works. The next ls (or echo *) command will segfault and the
> > kernel oopses. All following accesses to the volume in question will oops
> > and hang the process, even after a reboot.
>
> Could not reproduce it on Linux 2.4.0 with ReiserFS 3.6.24.
>
> But I found some other strange things (everything tested on the
> abovementioned versions):
>
> If you start increasing the directory name length, everything works
> fine up to 3377 characters, as is with a length greater than 4032
> (mkdir says "File name to long" then).
>
> But if you choose a length between (including) 3378 and 4032, weird
> things happen: "ls" and "echo *" no longer show the directory (the
> directory is certainly there as you can "cd" into it and "pwd"
> correctly shows it). If the length is smaller than 3922, you can still
> show the directory with "find -maxdepth 1" (longer names even
> disappear from find).
>
> Also sometimes other entries in the directory you were creating the
> overlong name in start disappearing from ls. The only system I could
> find till now is for filename length <3922 that all files showing up
> in the find output after the long name are not shown by ls (the
> position changes if you change the name length, but for one particular
> length it is constant if you remove and recreate the directory several
> times)
>
> You can tell if a directory with an overlong name exists by looking at
> the size or the reference count of the parent directory:
>
> (630) root@kallisto: /var/spool # mkdir "$(perl -e 'print "x" x 4032')"
> (631) root@kallisto: /var/spool # ls -ld .
> drwxr-xr-x 17 root root 4381 Jan 10 17:58 .
> (632) root@kallisto: /var/spool # rmdir "$(perl -e 'print "x" x 4032')"
> (633) root@kallisto: /var/spool # ls -ld .
> drwxr-xr-x 16 root root 333 Jan 10 18:00 .
>
> Looks like a nearly perfect place for hiding rootkits or similar
> things if you manage to create a directory in manner that no other
> files or directories disappear :-/
>
> Just to make it clear, while doing all this, *no* kernel oops and no
> segfaults happened, so it doesn't seem to overwrite stack or similar
> bad things.
>
> The software versions used in the tests are:
>
> (638) root@kallisto: /var/spool # /lib/libc-2.1.3.so -V
> GNU C Library stable release version 2.1.3, by Roland McGrath et al.
> Copyright (C) 1992, 93, 94, 95, 96, 97, 98, 99 Free Software
> Foundation, Inc.
> This is free software; see the source for copying conditions.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> Compiled by GNU CC version 2.95.2 20000220 (Debian GNU/Linux).
> Compiled on a Linux 2.2.15 system on 2000-09-01.
> Available extensions:
> GNU libio by Per Bothner
> crypt add-on version 2.1 by Michael Glad and others
> linuxthreads-0.8 by Xavier Leroy
> BIND-4.9.7-REL
> NIS(YP)/NIS+ NSS modules 0.19 by Thorsten Kukuk
> NSS V1 modules 2.0.2
> libthread_db work sponsored by Alpha Processor Inc
> Report bugs using the `glibcbug' script to <bugs@gnu.org>.
> (639) root@kallisto: /var/spool # find --version
> GNU find version 4.1
> (640) root@kallisto: /var/spool # ls --version
> ls (GNU fileutils) 4.0l
> Written by Richard Stallman and David MacKenzie.
>
> Copyright (C) 1999 Free Software Foundation, Inc.
> This is free software; see the source for copying conditions. There is NO
> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> (641) root@kallisto: /var/spool # bash --version
> GNU bash, version 2.03.0(1)-release (i386-pc-linux-gnu)
> Copyright 1998 Free Software Foundation, Inc.
>
> Andreas
> --
> Andreas Ferber - dev/consulting GmbH - Bielefeld, FRG
> ---------------------------------------------------------
> +49 521 1365800 - af@devconsult.de - www.devconsult.de
>
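The parent-directory link count Andreas uses above (17 before the rmdir, 16 after) is a usable integrity check: on classic Unix filesystems a directory's link count is 2 plus one ".." link per subdirectory, and a subdirectory that readdir() no longer reports still holds its ".." link. The script below, an added example that is not part of the bugtraq thread, turns that observation into an audit: it compares st_nlink with the subdirectories os.scandir() actually returns and flags the gap. It assumes the classic link-count semantics (ext2/3/4, reiserfs, tmpfs); filesystems that report st_nlink == 1 for every directory (btrfs, merged overlayfs directories) give no signal and are reported as "unknown".

```python
import os
import tempfile


def classify(parent_nlink: int, visible_subdirs: int) -> str:
    """Compare a directory's link count with the subdirectories readdir() shows.

    Classic semantics: nlink == 2 ('.' plus the entry in the parent) + one '..'
    link per subdirectory. A subdirectory hidden from readdir() still counts.
    Returns "ok", "hidden" (link count implies more subdirectories than are
    listed), "inconsistent" (fewer) or "unknown" (no usable link count).
    """
    if parent_nlink < 2:
        # btrfs and merged overlayfs directories report st_nlink == 1, so the
        # link count carries no information there.
        return "unknown"
    expected = parent_nlink - 2
    if expected == visible_subdirs:
        return "ok"
    if expected > visible_subdirs:
        return "hidden"
    return "inconsistent"


def count_visible_subdirs(parent: str) -> int:
    """Count the subdirectories readdir() reports, i.e. the view 'ls' gets."""
    n = 0
    with os.scandir(parent) as it:
        for entry in it:
            if entry.is_dir(follow_symlinks=False):
                n += 1
    return n


def audit_directory(parent: str) -> dict:
    """Return link count, size, the readdir() view and the verdict for one directory."""
    st = os.lstat(parent)
    visible = count_visible_subdirs(parent)
    return {
        "path": parent,
        "nlink": st.st_nlink,
        "size": st.st_size,          # the 4381 -> 333 jump in the post is this field
        "visible_subdirs": visible,
        "verdict": classify(st.st_nlink, visible),
    }


def demo() -> dict:
    """Constructed sample: a scratch directory with three ordinary subdirectories."""
    with tempfile.TemporaryDirectory() as scratch:
        for name in ("a", "b", "c"):
            os.mkdir(os.path.join(scratch, name))
        return audit_directory(scratch)


if __name__ == "__main__":
    import sys
    # Audit the directory given on the command line, defaulting to the cwd.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(audit_directory(target))
```

Applied to the figures in the post, a link count of 17 with 15 subdirectories listed is "ok"; the same count with only 14 listed is "hidden". The check only detects missing directories (files hold no ".." link), and the size field is informational only: its value depends on the filesystem and on the lengths of all names in the directory, so it is useful for before/after comparison rather than as an absolute threshold.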