Bugtraq mailing list archives

Re: overwrite any file with updatedb


From: dhg () DEC NET (Dave G.)
Date: Mon, 2 Mar 1998 12:22:29 -0800


If this is already known, my apologies. It seemed very strange that this
worked, so I thought it would be mentionable.


It is known.  See KSR[T] Advisory #3 (http://www.dec.net/ksrt/adv3.html).

On many Linux systems (Redhat in particular) updatedb is run nightly
around 1:00. When it sorts the files that find gets, it creates a few files
in /tmp called sort0<pid>000{1,2,etc}. Each is around 512k. The
first file is created and filled, then if necessary, another is created
and so on until it has your whole filesystem into a nice database. Well,
once the first file is created you can easily guess what the next filename
will be called as only the last character will change. If you create a
link to say, the shadow password file, updatedb will kindly overwrite it
for you. Ex:

I played with this for a while but couldn't find
any way to write anything useful to any file except /etc/shells so you can
ftp into the system no matter what your specified shell is.


The consequences are more serious than that.  A carefully crafted filename
in a world writable directory that updatedb processes could lead to a root
compromise.  One could overwrite root's .rhosts or .login.

This could easily lead to a root compromise.

Dave G.


David Goldsmith                                            dhg () dec net
DEC Consulting                                      http://www.dec.net
Software Development/Internet Security         http://www.dec.net/~dhg
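
The root cause discussed in this message, shown as an added example that is not part of the original post or the KSR[T] advisory: a temp file opened under a guessable name without O_EXCL follows a symlink already present at that name, while an exclusive create refuses it. The sandbox directory, the file names and the function names are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern described in the post: guessable name, opened without O_EXCL,
 * so a symlink already sitting at that name is followed and truncated. */
static int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything, including a
 * symlink, already exists at the path. Production code should use
 * mkstemp(), which adds an unpredictable name on top of this. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Builds a private sandbox, plants a symlink at the "next" temp name,
 * runs the opener, and returns the protected file's size afterwards. */
static long victim_size_after(int (*opener)(const char *)) {
    char dir[] = "/tmp/symdemoXXXXXX";          /* constructed sandbox */
    char victim[64], tmpname[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/protected", dir);
    snprintf(tmpname, sizeof tmpname, "%s/sort0123450002", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important\n", f);                    /* 10 bytes */
    fclose(f);
    if (symlink(victim, tmpname) != 0) return -1;
    int fd = opener(tmpname);
    if (fd >= 0) {                              /* writer got a descriptor */
        if (write(fd, "x", 1) != 1) perror("write");
        close(fd);
    }
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmpname); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("predictable open: protected file is now %ld bytes\n", victim_size_after(open_predictable));
    printf("exclusive open:   protected file is now %ld bytes\n", victim_size_after(open_exclusive));
    return 0;
}
```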


