[UNIX] GNU rm Denial of Service

From: SecuriTeam (support_at_securiteam.com)
Date: 08/30/05

    To: list@securiteam.com
    Date: 30 Aug 2005 18:38:26 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      GNU rm Denial of Service
    ------------------------------------------------------------------------

    SUMMARY

    "The GNU File Utilities are the basic file-manipulation utilities of the
    GNU operating system."
    <http://www.gnu.org/software/fileutils/fileutils.html>

    When attempting to delete a large list of directories in a directory
    tree, rm crashes.

    DETAILS

    Vulnerable Systems:
     * rm (fileutils) version 4.1

    Immune Systems:
     * rm (fileutils) version 5.2.1

    Deleting 14986 (or more) subdirectories within the same directory tree
    with rm allows users to crash rm and may even allow execution of
    arbitrary code.

    Proof of Concept:
    $ gdb -q /bin/rm
    (no debugging symbols found)...(gdb)
    (gdb) r -rf A
    Starting program: /bin/rm -rf A
    (no debugging symbols found)...(no debugging symbols found)...
    Program received signal SIGSEGV, Segmentation fault.
    0xb7e880dc in __lxstat64 () from /lib/libc.so.6
    (gdb) i r
    eax 0xbf711138 -1083109064
    ecx 0x804d820 134535200
    edx 0x0 0
    ebx 0x0 0
    esp 0xbf711000 0xbf711000
    ebp 0xbf711088 0xbf711088
    esi 0x809c1fb 134857211
    edi 0x80a6c70 134900848
    eip 0xb7e880dc 0xb7e880dc
    eflags 0x10286 66182
    cs 0x73 115
    ss 0x7b 123
    ds 0x7b 123
    es 0x7b 123
    fs 0x0 0
    gs 0x0 0
    fctrl 0x37f 895
    fstat 0x20 32
    ftag 0xffff 65535
    fiseg 0x73 115
    fioff 0x804b728 134526760
    foseg 0x7b 123
    fooff 0x804d828 134535208
    fop 0x6d9 1753
    mxcsr 0x1f80 8064
    orig_eax 0xffffffff -1
    (gdb)
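
A pre-flight check for hosts still running the affected rm, added here as an example and not part of the advisory or of GNU fileutils: it measures a directory tree against the 14986 figure given under DETAILS before the tree is handed to rm. The names audit_tree and reaches_threshold are hypothetical, and because the advisory does not say whether 14986 is a nesting depth or a total count, both are measured.

```python
import os

# Figure quoted in the advisory. The page does not say whether it is a
# nesting depth or a total count, so both are measured (assumption).
ADVISORY_THRESHOLD = 14986
DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY

def _subdirs(fd):
    """Names of real subdirectories (symlinks excluded) of an open directory."""
    with os.scandir(fd) as entries:
        return [e.name for e in entries if e.is_dir(follow_symlinks=False)]

def audit_tree(root):
    """Return (total_subdirectories, max_nesting_depth) below root."""
    # Iterative and fd-relative: no recursion, one descriptor open at a time,
    # and no path string ever grows past PATH_MAX however deep the tree is.
    cur = os.open(root, DIR_FLAGS)
    pending = [_subdirs(cur)]      # unvisited child names, one list per level
    total = deepest = 0
    try:
        while pending:
            if pending[-1]:
                name = pending[-1].pop()
                try:
                    nxt = os.open(name, DIR_FLAGS | os.O_NOFOLLOW, dir_fd=cur)
                except OSError:
                    continue       # vanished, unreadable, or swapped for a symlink
                os.close(cur)
                cur = nxt
                pending.append(_subdirs(cur))
                total += 1
                deepest = max(deepest, len(pending) - 1)
            else:
                pending.pop()
                if pending:        # climb back up one level
                    nxt = os.open("..", DIR_FLAGS, dir_fd=cur)
                    os.close(cur)
                    cur = nxt
    finally:
        os.close(cur)
    return total, deepest

def reaches_threshold(root, threshold=ADVISORY_THRESHOLD):
    total, deepest = audit_tree(root)
    return total >= threshold or deepest >= threshold

if __name__ == "__main__":
    import sys
    print(audit_tree(sys.argv[1]), reaches_threshold(sys.argv[1]))
```

Climbing back through ".." assumes nobody is moving directories inside the tree while the audit runs.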

    ADDITIONAL INFORMATION

    The information has been provided by Carlos Carvalho
    <mailto:h4sh@globo.com>.
    The original article can be found at:
    http://nutshell.gotfault.net/papers/adv_rm.txt


