Bugtraq mailing list archives
Re: major security bug in reiserfs (may affect SuSE Linux)
From: Jack Coates <jack () MONKEYNOODLE ORG>
Date: Wed, 10 Jan 2001 16:52:38 -0800
I can confirm this root-kit hiding behavior on kernel 2.2.17 and ReiserFS
3.5.28. However, the kernel panic did not happen at 768 characters or 3379
characters.

--
Jack Coates
Monkeynoodle: It's what's for dinner!

On Wed, 10 Jan 2001 09:50:33 Andreas Ferber wrote:

> Hi,
>
> On Wed, Jan 10, 2001 at 12:42:01AM +0100, Marc Lehmann wrote:
> > We have tested and verified this problem on a number of different systems
> > and kernels 2.2.17/2.2.8 with reiserfs-3.5.28 and probably other versions.
> >
> > Basically, you do:
> >
> >    mkdir "$(perl -e 'print "x" x 768')"
> >
> > I.e. create a very long directory. The name doesn't seem to be of
> > relevance (we found this out by doing mkdir "$(cat /etc/hosts)" for
> > other tests). This works. The next ls (or echo *) command will segfault
> > and the kernel oopses. All following accesses to the volume in question
> > will oops and hang the process, even after a reboot.
>
> Could not reproduce it on Linux 2.4.0 with ReiserFS 3.6.24.
>
> But I found some other strange things (everything tested on the
> above-mentioned versions):
>
> If you start increasing the directory name length, everything works fine
> up to 3377 characters, as is with a length greater than 4032 (mkdir says
> "File name too long" then). But if you choose a length between
> (including) 3378 and 4032, weird things happen:
>
> "ls" and "echo *" no longer show the directory (the directory is
> certainly there as you can "cd" into it and "pwd" correctly shows it).
> If the length is smaller than 3922, you can still show the directory with
> "find -maxdepth 1" (longer names even disappear from find).
>
> Also sometimes other entries in the directory you were creating the
> overlong name in start disappearing from ls. The only system I could
> find till now is for filename length <3922 that all files showing up in
> the find output after the long name are not shown by ls (the position
> changes if you change the name length, but for one particular length it
> is constant if you remove and recreate the directory several times).
>
> You can tell if a directory with an overlong name exists by looking at
> the size or the reference count of the parent directory:
>
> (630) root@kallisto: /var/spool # mkdir "$(perl -e 'print "x" x 4032')"
> (631) root@kallisto: /var/spool # ls -ld .
> drwxr-xr-x   17 root     root         4381 Jan 10 17:58 .
> (632) root@kallisto: /var/spool # rmdir "$(perl -e 'print "x" x 4032')"
> (633) root@kallisto: /var/spool # ls -ld .
> drwxr-xr-x   16 root     root          333 Jan 10 18:00 .
>
> Looks like a nearly perfect place for hiding rootkits or similar things
> if you manage to create a directory in a manner that no other files or
> directories disappear :-/
>
> Just to make it clear, while doing all this, *no* kernel oops and no
> segfaults happened, so it doesn't seem to overwrite stack or similar bad
> things.
>
> The software versions used in the tests are:
>
> (638) root@kallisto: /var/spool # /lib/libc-2.1.3.so -V
> GNU C Library stable release version 2.1.3, by Roland McGrath et al.
> Copyright (C) 1992, 93, 94, 95, 96, 97, 98, 99 Free Software Foundation, Inc.
> This is free software; see the source for copying conditions.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> Compiled by GNU CC version 2.95.2 20000220 (Debian GNU/Linux).
> Compiled on a Linux 2.2.15 system on 2000-09-01.
> Available extensions:
>         GNU libio by Per Bothner
>         crypt add-on version 2.1 by Michael Glad and others
>         linuxthreads-0.8 by Xavier Leroy
>         BIND-4.9.7-REL
>         NIS(YP)/NIS+ NSS modules 0.19 by Thorsten Kukuk
>         NSS V1 modules 2.0.2
>         libthread_db work sponsored by Alpha Processor Inc
> Report bugs using the `glibcbug' script to <bugs () gnu org>.
> (639) root@kallisto: /var/spool # find --version
> GNU find version 4.1
> (640) root@kallisto: /var/spool # ls --version
> ls (GNU fileutils) 4.0l
> Written by Richard Stallman and David MacKenzie.
> Copyright (C) 1999 Free Software Foundation, Inc.
> This is free software; see the source for copying conditions.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> (641) root@kallisto: /var/spool # bash --version
> GNU bash, version 2.03.0(1)-release (i386-pc-linux-gnu)
> Copyright 1998 Free Software Foundation, Inc.
>
> Andreas
> --
> Andreas Ferber - dev/consulting GmbH - Bielefeld, FRG
> ---------------------------------------------------------
> +49 521 1365800 - af () devconsult de - www.devconsult.de
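The two observations in Andreas' message, that the parent's link count still counts an entry that readdir() no longer returns, and that find(1) may list names ls(1) misses, make a usable hidden-directory check. The script below is an added example written for this page; it is not code from the thread or from the reiserfs project. It assumes GNU coreutils/findutils (stat -c, ls -A1, find -printf) and a filesystem that maintains st_nlink for directories (ext2/3/4, xfs, reiserfs); btrfs and overlayfs report nlink 1 for every directory and are reported as "unsupported". The function names hidden_subdir_count, ls_find_diff and probe_name_length are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from the reiserfs project.
# Checks for directory entries that readdir() hides from userland.
#
# Assumptions: GNU coreutils/findutils (stat -c, ls -A1, find -printf) and
# a filesystem that keeps st_nlink for directories. btrfs and overlayfs
# report nlink 1 for every directory; those come back as "unsupported".

# Print how many subdirectories the parent's link count promises but
# readdir() does not deliver. Exit status: 0 nothing hidden, 1 something
# hidden, 2 the check cannot be applied on this filesystem.
hidden_subdir_count() {
    dir=$1
    nlink=$(stat -c %h -- "$dir") || return 2
    # "." and ".." are two links; every child directory adds one more
    # through its own ".." entry, so nlink - 2 = number of subdirectories.
    if [ "$nlink" -lt 2 ]; then
        echo unsupported
        return 2
    fi
    expected=$((nlink - 2))
    # Count NUL terminators rather than lines so that names containing
    # newlines (another classic hiding trick) do not skew the count.
    visible=$(find "$dir" -mindepth 1 -maxdepth 1 -type d -print0 \
              | tr -dc '\000' | wc -c)
    hidden=$((expected - visible))
    if [ "$hidden" -lt 0 ]; then
        # More subdirectories than links: this filesystem does not track them.
        echo unsupported
        return 2
    fi
    echo "$hidden"
    [ "$hidden" -eq 0 ]
}

# Print names that find(1) reports but ls(1) does not, one per line; this
# is the discrepancy the thread reports for name lengths 3378..3921.
# Empty output means the two listings agree.
ls_find_diff() {
    dir=$1
    tmp_ls=$(mktemp) || return 2
    tmp_find=$(mktemp) || return 2
    ls -A1 -- "$dir" | LC_ALL=C sort > "$tmp_ls"
    find "$dir" -mindepth 1 -maxdepth 1 -printf '%f\n' | LC_ALL=C sort > "$tmp_find"
    # comm -13: drop lines only in the ls listing (column 1) and lines in
    # both (column 3), leaving names only find saw.
    LC_ALL=C comm -13 "$tmp_ls" "$tmp_find"
    rm -f "$tmp_ls" "$tmp_find"
}

# Create a directory named LEN bytes of "x" under PARENT, run the link
# count check on PARENT, then remove it again. Prints "rejected" when
# mkdir refuses the name (ENAMETOOLONG; 255 bytes on today's Linux
# filesystems, whereas the thread saw reiserfs accept up to 4032) or
# "created:<hidden-count>" otherwise.
probe_name_length() {
    parent=$1
    len=$2
    name=$(head -c "$len" /dev/zero | tr '\000' x)
    if ! mkdir "$parent/$name" 2>/dev/null; then
        echo rejected
        return 0
    fi
    hidden=$(hidden_subdir_count "$parent" || true)
    rmdir "$parent/$name"
    echo "created:$hidden"
}
```

On the affected system in the thread, where the link count of /var/spool went from 16 to 17 while the new entry was invisible to both ls and find, hidden_subdir_count /var/spool would print 1 and exit non-zero. Run ls_find_diff alongside it, because Andreas also saw neighbouring entries drop out of the ls listing while find still returned them; on a healthy filesystem both checks are silent, and probe_name_length lets you sweep name lengths on a scratch directory without leaving anything behind.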
Current thread:
- major security bug in reiserfs (may affect SuSE Linux) Marc Lehmann (Jan 09)
- Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux) John Morrison (Jan 09)
- Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux) Chris Mason (Jan 09)
- Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux) Vladimir V. Saveliev (Jan 09)
- Re: major security bug in reiserfs (may affect SuSE Linux) Andreas Ferber (Jan 10)
- Re: major security bug in reiserfs (may affect SuSE Linux) Mark Glines (Jan 12)
- Re: major security bug in reiserfs (may affect SuSE Linux) Jack Coates (Jan 12)
- Re: major security bug in reiserfs (may affect SuSE Linux) Gigi Sullivan (Jan 10)
- Re: major security bug in reiserfs (may affect SuSE Linux) Christian Zuckschwerdt (Jan 10)
- Re: major security bug in reiserfs (may affect SuSE Linux) Ryan Russell (Jan 10)
- Re: major security bug in reiserfs (may affect SuSE Linux) Christian Zuckschwerdt (Jan 10)
- Re: major security bug in reiserfs (may affect SuSE Linux) Felix von Leitner (Jan 12)
- Re: major security bug in reiserfs (may affect SuSE Linux) Ryan Russell (Jan 10)
- <Possible follow-ups>
- Re: major security bug in reiserfs (may affect SuSE Linux) Marc Lehmann (Jan 10)
- Re: major security bug in reiserfs (may affect SuSE Linux) Ben Greenbaum (Jan 10)
- Re: major security bug in reiserfs (may affect SuSE Linux) Thomas Mangin (Jan 12)