[Full-Disclosure] Re: hard links on Linux create local DoS vulnerability and security problems

vb_at_dontpanic.ulm.ccc.de
Date: 11/25/03

    To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
    Date: Tue, 25 Nov 2003 13:32:44 +0100
    On Mon, Nov 24, 2003 at 05:36:29PM +0100, Jakob Lell wrote:
    > to another user. This hard link continues to exist even if the original file
    > is removed by the owner. However, as the link still belongs to the original
    > owner, it is still counted to his quota. If a malicious user creates hard
    > links for every temp file created by another user, this can make the victim
    > run out of quota (or even fill up the hard disk). This makes a local DoS
    > attack possible.

    Every *NIX filesystem has such links.

    I cannot see a DoS-attack with that fact, because a user will address
    his sysadmin with that problem. And the BOFH^Wsysadmin will then wag
    a finger. The "attacker" has to be a local user also.

    Of course, that is a design flaw which is there because of the fact
    that quotas were not implemented in the first UNIX filesystem versions.

    > Furthermore, users can even create links to a setuid binary. If there is a
    > security hole like a buffer overflow in any setuid binary, a cracker can
    > create a hard link to this file in his home directory. This link still exists
    > when the administrator has fixed the security hole by removing or replacing
    > the insecure program. This makes it possible for a cracker to keep a security
    > hole open until an exploit is available. It is even possible to create links
    > to every setuid program on the system. This doesn't create new security
    > holes but makes it more likely that they are exploited.

    No.

    Only a beginner would ignore the link count for a file when removing it
    for security reasons. Every *NIX admin with basic knowledge of UNIX or
    Linux will not ignore it.

    > I could reproduce the problem on linux 2.2.19 and 2.4.21 (and found nothing
    > about it in the changelogs to 2.4.23-rc3). If you can check whether this
    > problem also exists on other unix-like operating systems, please post the
    > results.

    This "problem" exists with all *NIX systems I know, but it is not
    a big problem.

    VB.

    -- 
    Volker Birk, Postfach 1540, 88334 Bad Waldsee, Germany
    Phone +49 (7524) 912142, Fax +49 (7524) 996807, dingens@bumens.org
    http://fdik.org, Deutsches IRCNet fdik!~c_vbirk@wega.rz.uni-ulm.de
    PGP-Key: http://www.x-pie.de/vb.asc
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
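The checks the reply alludes to ("ignore the link count ... when removing it for security reasons"), as an added shell example that is not part of the original thread or either poster's code. It assumes GNU coreutils and findutils (`stat -c`, `find -samefile`); the file and user names in the demo are constructed in a temporary directory, and `suidprog` stands in for a real setuid binary. It covers both points of the discussion: listing the other names an inode has before removing it, finding a user's files that carry extra links (the quota concern), and disarming the inode itself so every hard link loses the setuid bit at once.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Defender-side checks for the two points raised: (1) a hard link keeps an
# inode alive, so "rm" of a setuid binary leaves any other name still setuid;
# (2) every name of an inode counts against the inode owner's quota.
# Assumes GNU coreutils/findutils (stat -c, find -samefile).

# Number of names (hard links) the inode behind $1 currently has.
link_count() {
    stat -c '%h' "$1"
}

# Every other name of the same inode, searched under $2 on one filesystem.
other_links() {
    find "$2" -xdev -samefile "$1" ! -path "$1"
}

# Files under $2 owned by user $1 that have more than one name: candidates for
# the quota problem, since a link made elsewhere still counts against $1.
multilinked_files_of() {
    find "$2" -xdev -user "$1" -type f -links +1
}

# Mode bits live on the inode, so clearing setuid/setgid here disarms every
# hard link at once; removing or replacing the file by name does not.
disarm_setuid() {
    chmod u-s,g-s "$1"
}

# Exit status 0 if $1 carries the setuid bit, 1 otherwise.
is_setuid() {
    [ -u "$1" ]
}

# Self-contained demo on constructed sample files in a temporary directory.
# Prints: "<link count> <other link name> <multilinked count> <state>".
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho hi\n' > "$tmp/suidprog"
    chmod 4755 "$tmp/suidprog"              # stand-in for a setuid binary
    ln "$tmp/suidprog" "$tmp/kept_copy"     # a second name for the same inode

    count=$(link_count "$tmp/suidprog")                                   # 2
    other=$(other_links "$tmp/suidprog" "$tmp")                           # kept_copy
    nmulti=$(multilinked_files_of "$(id -un)" "$tmp" | wc -l | tr -d ' ') # 2

    # Wrong order: rm first leaves kept_copy setuid. Right order: disarm, then rm.
    disarm_setuid "$tmp/suidprog"
    rm "$tmp/suidprog"
    if is_setuid "$tmp/kept_copy"; then state=still_setuid; else state=disarmed; fi

    rm -rf "$tmp"
    echo "$count ${other##*/} $nmulti $state"
}

demo
```

The order in `demo` is the point: `chmod` acts on the inode and therefore on all of its names, while `rm` and package upgrades that unlink or rename only detach one name. Running `link_count` and `other_links` before removing a binary tells the admin whether a second name exists at all; `multilinked_files_of` run against a user's home and `/tmp` shows which of that user's files are reachable under another name and still charged to their quota.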
    
