Bugtraq mailing list archives
Re: Denial of Service Vulnerability in Sun AnswerBook2
From: "Charles J. Knipe" <charles () NEXUSLABS COM>
Date: Mon, 13 Nov 2000 14:01:25 -0500
Sun's Answerbook fails under certain conditions to delete temporary files that are built by its print function, filling /tmp, and causing the system to fail because processes cannot fork. Briefly, the dwhttp print function
Filling /tmp will not cause fork() to fail on a properly configured system. I assume the issue here is that /tmp is being drawn from swap, and when it fills, we have all manner of nasty problems.

The solution to this is to mount /tmp with the size= argument to limit its maximum size, or do not use tmpfs at all. There is still a danger of tmp filling up, but it will no longer crash the system.

Also, I fail to see how this is a security vulnerability in AnswerBook. It is a definite bug, AnswerBook should be cleaning up after itself, but beyond that, it's an accidental exploitation of a system misconfiguration. Any fix applied to AnswerBook fails to fix the underlying misconfiguration, which can be exploited in various ways.

Accidentally: cp * /tmp (where * is more than will fit in /tmp)
On Purpose: dd if=/dev/zero of=/tmp/foo

If you're going to use tmpfs, make sure you configure it right.

-Charles
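An audit for the misconfiguration the reply describes, as an added example that is not part of the original post: it lists tmpfs mounts in a Solaris-style vfstab that carry no size= cap. The function names and the sample entries are constructed for illustration, and the seven-field vfstab layout is assumed.

```shell
#!/bin/sh
# Added example: find tmpfs mounts with no size= limit in vfstab-format text.
# Assumed field order: device, fsck-device, mount-point, fstype,
#                      fsck-pass, mount-at-boot, mount-options

# Print the mount point of every tmpfs entry whose options lack size=.
# Reads the files named as arguments, or stdin when none are given.
unbounded_tmpfs() {
    awk '
        $1 ~ /^#/ || NF < 7 { next }     # skip comments and short lines
        $4 != "tmpfs"       { next }     # only tmpfs entries matter here
        {
            capped = 0
            n = split($7, opt, ",")      # options are comma-separated
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^size=[0-9]+[kKmMgG]?$/) capped = 1
            if (!capped) print $3        # no cap: can grow until swap is gone
        }
    ' "$@"
}

# Constructed sample input (not taken from any real host).
sample_vfstab() {
    cat <<'EOF'
#device            device             mount     FS     fsck  mount    mount
#to mount          to fsck            point     type   pass  at boot  options
/dev/dsk/c0t0d0s0  /dev/rdsk/c0t0d0s0 /         ufs    1     no       -
swap               -                  /tmp      tmpfs  -     yes      -
swap               -                  /var/run  tmpfs  -     yes      nosuid
swap               -                  /scratch  tmpfs  -     yes      nosuid,size=512m
EOF
}

# Stand-alone run over the sample: reports /tmp and /var/run.
sample_vfstab | unbounded_tmpfs
```

On a live system, pass the real table instead of the sample, for example `unbounded_tmpfs /etc/vfstab`.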