[UNIX] GNU fileutils Recursive Directory Removal Race Condition

From: support@securiteam.com
Date: 03/15/02


From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 15 Mar 2002 12:17:43 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  GNU fileutils Recursive Directory Removal Race Condition
------------------------------------------------------------------------

SUMMARY

The GNU File Utilities (http://www.gnu.org/software/fileutils/fileutils.html)
are the basic file-manipulation utilities of the GNU operating system.
A race condition in several utilities from the GNU fileutils package may
allow local users to cause root to delete the whole filesystem.

DETAILS

Vulnerable systems:
fileutils 4.1 stable
fileutils 4.1.6 development version

An insecure chdir("..") syscall is made after removing the contents of a
subdirectory, in order to get back to the parent directory during recursive
removal of a directory tree.

Example of 'rm -fr /tmp/a' removing the '/tmp/a/b/c' directory tree:

(strace output simplified for better readability)

chdir("/tmp/a") = 0
chdir("b") = 0
chdir("c") = 0
chdir("..") = 0
rmdir("c") = 0
chdir("..") = 0
rmdir("b") = 0
fchdir(3) = 0
rmdir("/tmp/a") = 0

The race condition opens once the current directory has been changed to
/tmp/a/b/c. If the /tmp/a/b/c directory is then moved to /tmp/c, the two
subsequent chdir("..") syscalls will move to the root directory /, and rm
will start removing files from the whole file system if it has enough
privileges (i.e. if called by the root user).

The timeframe of this race condition depends on how complicated the
directory structure is.

The same issue also affects the mv utility when the source and destination
directories lie on different filesystems and the source is removed after
the copy has been created on the destination.
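
One way for a recursive remover to detect the condition described above, shown as an added example that is not part of the advisory and is not the fileutils patch: record the parent directory's device and inode before descending, and compare them after chdir(".."). The names dir_id, enter_dir, leave_dir and demo are hypothetical, and the scratch tree under /tmp is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* A rename changes a directory's path but not its (device, inode) pair. */
struct dir_id { dev_t dev; ino_t ino; };

/* Record the current directory's identity, then descend into `name`. */
int enter_dir(const char *name, struct dir_id *parent)
{
    struct stat st;
    if (stat(".", &st) != 0) return -1;
    parent->dev = st.st_dev; parent->ino = st.st_ino;
    return chdir(name);
}

/* chdir("..") and verify we landed in the directory recorded by enter_dir().
   Returns 0 on a match, -1 otherwise; on -1 the caller must stop removing. */
int leave_dir(const struct dir_id *parent)
{
    struct stat st;
    if (chdir("..") != 0 || stat(".", &st) != 0) return -1;
    return (st.st_dev == parent->dev && st.st_ino == parent->ino) ? 0 : -1;
}

/* Constructed demo on a scratch tree a/b/c. With move_dir set, a/b/c is renamed
   to c while it is the current directory. Returns leave_dir()'s verdict, or -2. */
int demo(int move_dir)
{
    char base[] = "/tmp/rmrace.XXXXXX";
    struct dir_id parent;
    int basefd, rc;
    if (!mkdtemp(base) || chdir(base) != 0) return -2;
    if ((basefd = open(".", O_RDONLY)) < 0) return -2;
    if (mkdir("a", 0700) || mkdir("a/b", 0700) || mkdir("a/b/c", 0700)) return -2;
    if (chdir("a/b") != 0 || enter_dir("c", &parent) != 0) return -2;
    if (move_dir && renameat(basefd, "a/b/c", basefd, "c") != 0) return -2;
    rc = leave_dir(&parent);
    if (chdir("/") != 0) return -2;
    unlinkat(basefd, move_dir ? "c" : "a/b/c", AT_REMOVEDIR);
    unlinkat(basefd, "a/b", AT_REMOVEDIR);
    unlinkat(basefd, "a", AT_REMOVEDIR);
    close(basefd);
    rmdir(base);
    return rc;
}

int main(void) { printf("%d %d\n", demo(0), demo(1)); return 0; }
```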

Impact:

Unprivileged users may launch a daemon program that detects the removal of
the user's directories and exploits the race condition, leading to a
Denial of Service.

Fix:

On March 7, 2002 the developers of GNU fileutils were contacted. On
March 9, 2002 a patch fixing this vulnerability was released for the
latest 4.1.6 development version:

See: http://mail.gnu.org/pipermail/bug-fileutils/2002-March/002440.html

ADDITIONAL INFORMATION

The information has been provided by Wojciech Purczynski (cliph@isec.pl)
from iSEC Security Research (http://isec.pl/).
