Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: hard links on Linux create local DoS vulnerability and security problems

From: vb () dontpanic ulm ccc de
Date: Tue, 25 Nov 2003 13:32:44 +0100
On Mon, Nov 24, 2003 at 05:36:29PM +0100, Jakob Lell wrote:

to another user. This hard link continues to exist even if the original file 
is removed by the owner. However, as the link still belongs to the original 
owner, it is still counted to his quota. If a malicious user creates hard 
links for every temp file created by another user, this can make the victim 
run out of quota (or even fill up the hard disk). This makes a local DoS 
attack possible.


Every *NIX filesystem has such links.

I cannot see a DoS-attack with that fact, because a user will address
his sysadmin with that problem. And the BOFH^Wsysadmin will then wag
a finger. The "attacker" has to be a local user also.

Of course, that is a design flow which is there because of the fact
that quotas were not implemented in the first UNIX filesystem versions.


Furthermore, users can even create links to a setuid binary. If there is a 
security whole like a buffer overflow in any setuid binary, a cracker can 
create a hard link to this file in his home directory. This link still exists 
when the administrator has fixed the security whole by removing or replacing 
the insecure program. This makes it possible for a cracker to keep a security 
whole open until an exploit is available. It is even possible to create links 
to every setuid program on the system. This doesn't create new security 
wholes but makes it more likely that they are exploited.


No.

Only a beginner would ignore the link count for a file when removing it
for security reasons. Every *NIX admin with basic knowledge of UNIX or
Linux will not ignore it.


I could reproduce the problem on linux 2.2.19 and 2.4.21 (and found nothing 
about it in the changelogs to 2.4.23-rc3). If you can check whether this 
problem also exists on other unix-like operating systems, please post the 
results.


This "problem" exists with all *NIX systems I know, but it is not
a big problem.

VB.
-- 
Volker Birk, Postfach 1540, 88334 Bad Waldsee, Germany
Phone +49 (7524) 912142, Fax +49 (7524) 996807, dingens () bumens org
http://fdik.org, Deutsches IRCNet fdik!~c_vbirk () wega rz uni-ulm de
PGP-Key: http://www.x-pie.de/vb.asc

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: