LWN.net Logo

Advertisement

TrustCommerce

E-Commerce & credit card processing - the Open Source way!

Advertise here

Not logged in

Log in now

Create an account

Subscribe to LWN

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

LWN.net Weekly Edition for October 16, 2008

LK2008: Embedded and Mobile Linux

LK2008: The values of the Linux community

LWN.net Weekly Edition for October 9, 2008

Plugging into GCC

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

A kernel security hole

A kernel security hole

Posted Jan 17, 2008 14:57 UTC (Thu) by nix (subscriber, #2304)
Parent article: A kernel security hole 

I thought this only allowed open(..., ...  | O_TRUNC) on directories, allowing attackers to
truncate directories. If it allows writing to directories too (I'm behind a harsh firewall and
can't check right now), then I suspect this could be an exploitable hole as well as 'mere'
filesystem corruption.

Consider: this code amounts to allowing hostile attackers to call link() on arbitrary files,
even in subdirectories they cannot read, by editing the directory to include a reference to
whatever-it-is. But more than that, it allows them to call link() *without adjusting the link
count*.

So, imagine a system which had /tmp or /var/tmp or something user-writable on the same
directory as /. The hostile attacker creates a directory, opens it for writing, and attaches a
link to /etc/passwd (without readdir()ing it, so IIRC the directory won't be cached yet so the
changes will be picked up: if not, allocate a lot of memory to push the cached copy out).

Then unlink() that copy, and the link count will fall to zero, leading to /etc/passwd being
unlinked. It's not open all the time, so this now leads to /etc/passwd's blocks being freed.
So far, so corruption: but now the attacker fills up his/her quota with minimum-size files
containing the /etc/passwd contents he wants (up to the length of /etc/passwd beforehand, or
one block, whichever is smaller), then unlinks them again, repeatedly. Because /etc/passwd is
now a view onto free space, I suspect that if you do this for long enough, it would let the
attacker replace /etc/passwd's contents, with, say, a single root account without password :)
unsubtle, but still an attack.

(Again, I haven't been able to check the code from here, and I can't recall whether files
whose link count falls to zero get their size reset to zero as well. If so, this particular
attack is prevented, and 'all' the attacker would be able to do would be to in effect truncate
any file on a filesystem he could write to, rather than being able to write arbitrary content
to it.)

(Log in to post comments)

A kernel security hole

Posted Jan 17, 2008 16:33 UTC (Thu) by tbellman (guest, #49983) [Link] 

As far as I have been able to figure out, you can only truncate directories due to this bug,
not write arbitrary contents to them.  There are checks in place in the write() system call
that checks that you actually have opened the file with O_WRONLY or O_RDWR (but having those
set would stop you already in the open() call).

The bug also only allows you to truncate directories to which you already have write
permission.  I.e, you can truncate /tmp, but not /etc.

However, that is probably exploitable enough.  After clearing /tmp, you could then create a
new /tmp/.X11-unix/X0 socket going to your own program.  Any new X client would connect to
that and talk to your program, which could act as a man-in-the-middle, grabbing the X cookie
and gain access to the X server.  Or you can replace the socket to someone's ssh-agent, and
thus grab all ssh keys added after that.  (Normally, the sticky bit on /tmp prevents you from
doing this.)  I wouldn't be surprised if you can attack other programs too, by replacing
temporary files they don't expect to be replaced...

A kernel security hole

Posted Jan 18, 2008 21:40 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

Then unlink() that copy, and the link count will fall to zero, leading to /etc/passwd being unlinked. It's not open all the time, so this now leads to /etc/passwd's blocks being freed.

It doesn't unlink /etc/passwd (and that's the problem). What it does is delete the password file. /etc/passwd now points to a ghost inode.

So what you want to do to exploit this is create files until one happens to get that inode slot (i.e. inode number). Now you own the password file.

A kernel security hole

Posted Jan 18, 2008 21:44 UTC (Fri) by nix (subscriber, #2304) [Link] 

Argh. Yeah, that's worse: now you can put multi-block content in there 
fairly fast and without filling the disk up, which means you could e.g. 
copy the pre-existing /etc/passwd and remove root's password, or add a new 
uid 0 account... plus you own the file, too, I guess that's a security 
hole :)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds