charlesNEXUSLABS.COM

• Next message: Chris Evans: "More modutils: It's probably worse."
• Previous message: Wichert Akkerman: "Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd)"
• In reply to: Dave Monnier: "Denial of Service Vulnerability in Sun AnswerBook2"
• Reply: Charles J. Knipe: "Re: Denial of Service Vulnerability in Sun AnswerBook2"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Sun's Answerbook fails under certain conditions to delete temporary files
> that are built by its print function, filling /tmp, and causing the system
> to fail because processes cannot fork. Briefly, the dwhttp print function

Filling /tmp will not cause fork() to fail on a properly configured
system. I assume the issue here is that /tmp is being drawn from swap,
and when it fills, we have all manner of nasty problems. The solution to
this is to mount /tmp with the size= argument to limit it's maxiumum size,
or do not use tmpfs at all. There is still a danger of tmp filling up,
but it will no longer crash the system.
Also, I fail to see how this is a security vulnerability in AnswerBook.
It is a definate bug, AnswerBook should be cleaning up after
iteslf, but beyond that, it's an accidental exploitation of a system
misconfiguration.
Any fix applied to AnswerBook fails to fix the underlying
misconfiguration, which can be exploited in various ways of ways.
Accidently:
 cp * /tmp (where * is more than will fit in /tmp)
On Purpose:
 dd if=/dev/zero of=/tmp/foo

If you're going to use tmpfs, make sure you configure it right.

-Charles

• Next message: Chris Evans: "More modutils: It's probably worse."
• Previous message: Wichert Akkerman: "Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd)"
• In reply to: Dave Monnier: "Denial of Service Vulnerability in Sun AnswerBook2"
• Reply: Charles J. Knipe: "Re: Denial of Service Vulnerability in Sun AnswerBook2"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]