On Tue, 08 Feb 2005 01:48:40 GMT, David Wagner said: > How would /etc/passwd get clobbered? Are you thinking that a tmp > cleaner run by cron might delete /tmp/whatever (i.e., delete the hardlink > you created above)? But deleting /tmp/whatever is safe; it doesn't affect > /etc/passwd. I'm guessing I'm probably missing something.
The attack is to hardlink some tempfile name to some file you want over-written. This usually involves just a little bit of work, such as recognizing that a given root cronjob uses an unsafe predictable filename in /tmp (look at the Bugtraq or Full-Disclosure archives, there's plenty). Then you set a little program that sleep()s till a few seconds before the cronjob runs, does a getpid(), and then sprays hardlinks into the next 15 or 20 things that mktemp() will generate... Consider how bash implements "here" scripts: #!/bin/bash echo << EOF some trash EOF Now let's look at the strace (snipped for brevity..) statfs("/tmp", {f_type="EXT2_SUPER_MAGIC", f_bsize=1024, f_blocks=253871, f_bfree=213773, f_bavail=200666, f_files=65536, f_ffree=65445, f_fsid={0, 0}, f_namelen=255, f_frsize=1024}) = 0 time(NULL) = 1107828098 open("/tmp/sh-thd-1107848098", O_WRONLY|O_CREAT|O_TRUNC|O_EXCL|O_LARGEFILE, 0600) = 3 dup(3) = 4 fcntl64(4, F_GETFL) = 0x8001 (flags O_WRONLY|O_LARGEFILE) fstat64(4, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7d71000 _llseek(4, 0, [0], SEEK_CUR) = 0 write(4, "some trash\n", 11) = 11 close(4) = 0 munmap(0xb7d71000, 4096) = 0 open("/tmp/sh-thd-1107848098", O_RDONLY|O_LARGEFILE) = 4 close(3) = 0 unlink("/tmp/sh-thd-1107848098") = 0 fcntl64(0, F_GETFD) = 0 fcntl64(0, F_DUPFD, 10) = 10 fcntl64(0, F_GETFD) = 0 fcntl64(10, F_SETFD, FD_CLOEXEC) = 0 dup2(4, 0) = 0 close(4) = 0 Wow - if my /tmp was on the same partition, and I'd hard-linked that file to /etc/passwd, it would be toast now if root had run it. You usually can't control what gets written - but often it's sufficient for the attacker to simply get a file clobbered....
pgp1unSohNbRA.pgp
Description: PGP signature