>http://www.ms.mff.cuni.cz/~jkot2155/linuxbug.html > > While I was working on my master thesis (Emulation of [1]Classic > Operating Systems in [2]Distributed Environment), I found following > two nasty things in Linux sources: > > i_count Overflow Security Hole > > Member i_count in struct inode contains the usage count. It is of type > unsigned short, which is only 16-bit long on i386. Unfortunately, it > is not enough. You can make it overflow by mapping one file many > times: BSD 2.9 (maybe 4.1) had this problem also, in that case the link count was stored in a u_char, I think. (you needed to fork something line 23 processes or something to do it since the per process file descriptor table size was significantly smaller then the file's link counter). It was possible to hack root by opening a file in the / (root) filesystem till the that files link count was 0 (and thus it was added to the freelist). Next you would change your password or finger/gecos info a few times till "your" inode was reallocated and used for the password file thus leaving you a open file descriptor to the password file. Since I do not run Linux I can not test to see if you can do this under Linux I have some *old* exploit code for this at home on a disconnected system but since I am on the road I can get to it. I try to remember to send it to rootshell.com when I get home. -Pete
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:39:02 PDT