On Tue, 08 Feb 2005 01:48:40 GMT, David Wagner said: > How would /etc/passwd get clobbered? Are you thinking that a tmp > cleaner run by cron might delete /tmp/whatever (i.e., delete the hardlink > you created above)? But deleting /tmp/whatever is safe; it doesn't affect > /etc/passwd. I'm guessing I'm probably missing something.
The attack is to hardlink some tempfile name to some file you want over-written.
This usually involves just a little bit of work, such as recognizing that a
given
root cronjob uses an unsafe predictable filename in /tmp (look at the Bugtraq or
Full-Disclosure archives, there's plenty). Then you set a little program that
sleep()s till a few seconds before the cronjob runs, does a getpid(), and then
sprays hardlinks into the next 15 or 20 things that mktemp() will generate...
Consider how bash implements "here" scripts:
#!/bin/bash
echo << EOF
some trash
EOF
Now let's look at the strace (snipped for brevity..)
statfs("/tmp", {f_type="EXT2_SUPER_MAGIC", f_bsize=1024, f_blocks=253871,
f_bfree=213773, f_bavail=200666, f_files=65536, f_ffree=65445, f_fsid={0, 0},
f_namelen=255, f_frsize=1024}) = 0
time(NULL) = 1107828098
open("/tmp/sh-thd-1107848098", O_WRONLY|O_CREAT|O_TRUNC|O_EXCL|O_LARGEFILE,
0600) = 3
dup(3) = 4
fcntl64(4, F_GETFL) = 0x8001 (flags O_WRONLY|O_LARGEFILE)
fstat64(4, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7d71000
_llseek(4, 0, [0], SEEK_CUR) = 0
write(4, "some trash\n", 11) = 11
close(4) = 0
munmap(0xb7d71000, 4096) = 0
open("/tmp/sh-thd-1107848098", O_RDONLY|O_LARGEFILE) = 4
close(3) = 0
unlink("/tmp/sh-thd-1107848098") = 0
fcntl64(0, F_GETFD) = 0
fcntl64(0, F_DUPFD, 10) = 10
fcntl64(0, F_GETFD) = 0
fcntl64(10, F_SETFD, FD_CLOEXEC) = 0
dup2(4, 0) = 0
close(4) = 0
Wow - if my /tmp was on the same partition, and I'd hard-linked that
file to /etc/passwd, it would be toast now if root had run it.
You usually can't control what gets written - but often it's sufficient for the
attacker to simply get a file clobbered....
pgp1unSohNbRA.pgp
Description: PGP signature
