Bugtraq mailing list archives
Re: overwrite any file with updatedb
From: dhg () DEC NET (Dave G.)
Date: Mon, 2 Mar 1998 12:22:29 -0800
If this is already known, my apologies. It seemed very strange that this worked, so I thought it would be mentionable.
It is known. See KSR[T] Advisory #3 (http://www.dec.net/ksrt/adv3.html).
On many Linux systems (Red Hat in particular) updatedb is run nightly around 1:00. When it sorts the files that find gets, it creates a few files in /tmp called sort0<pid>000{1,2,etc}. Each is around 512k. The first file is created and filled, then if necessary, another is created and so on until it has your whole filesystem into a nice database. Well, once the first file is created you can easily guess what the next filename will be called as only the last character will change. If you create a link to say, the shadow password file, updatedb will kindly overwrite it for you. Ex: I played with this for a while but couldn't find any way to write anything useful to any file except /etc/shells so you can ftp into the system no matter what your specified shell is.
The consequences are more serious than that. A carefully crafted filename in a world writable directory that updatedb processes could lead to a root compromise. One could overwrite root's .rhosts or .login. This could easily lead to a root compromise.

Dave G.

David Goldsmith  dhg () dec net
DEC Consulting  http://www.dec.net
Software Development/Internet Security  http://www.dec.net/~dhg
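The root cause discussed in this thread is a scratch file opened under a guessable name in a shared directory. The following is an added example, not code from updatedb, sort, or the original posters: it contrasts an open() that follows a pre-existing symlink with one that refuses it via O_EXCL. The directory, the file names (built on the sort0<pid>000N pattern from the post) and the function names are constructed for illustration, and everything runs inside a private mkdtemp() directory.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Legacy pattern: predictable name, no O_EXCL. If a symlink already sits at
 * `path`, open() follows it and O_TRUNC empties whatever it points to. */
static int open_scratch_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: with O_CREAT|O_EXCL, open() fails with EEXIST if anything
 * (including a symlink, dangling or not) already exists at `path`. */
static int open_scratch_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Builds a private directory with a 10-byte "victim" file and a symlink to it
 * under a guessable scratch name, lets `opener` try to create the scratch
 * file, and returns the victim's size afterwards (-1 on setup failure). */
static long victim_size_after(int (*opener)(const char *)) {
    char dir[] = "/tmp/symdemoXXXXXX";          /* constructed demo location */
    char victim[128], scratch[128];
    struct stat st;
    long size = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(scratch, sizeof scratch, "%s/sort0123450002", dir); /* pid 12345 */
    FILE *f = fopen(victim, "w");
    if (f) { fputs("important\n", f); fclose(f); }
    if (f && symlink(victim, scratch) == 0) {
        int fd = opener(scratch);
        if (fd >= 0) {                           /* only the unsafe path gets here */
            if (write(fd, "x", 1) != 1) perror("write");
            close(fd);
        }
        if (stat(victim, &st) == 0) size = (long)st.st_size;
    }
    unlink(scratch); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("unsafe open: victim now %ld bytes\n", victim_size_after(open_scratch_unsafe));
    printf("safe open:   victim now %ld bytes\n", victim_size_after(open_scratch_safe));
    return 0;
}
```

In practice mkstemp() combines the O_EXCL creation with an unpredictable name, and pointing TMPDIR at a directory only the running user can write to removes the shared-directory exposure altogether.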