> If this is already known, my apologies.  It seemed very strange that this
> worked, so I thought it would be mentionable.

It is known.  See KSR[T] Advisory #3 ( http://www.dec.net/ksrt/adv3.html ).

> On many linux systems (Redhat in particular) updatedb is run nightly
> around 1:00.  When it sorts the files that find gets, it creates a few files
> in /tmp called sort0<pid>000{1,2,etc}.  Each is around 512k.  The
> first file is created and filled, then if necessary, another is created
> and so on until it has your whole filesystem in a nice database.  Well,
> once the first file is created you can easily guess what the next filename
> will be called as only the last character will change.  If you create a
> link to, say, the shadow password file, updatedb will kindly overwrite it
> for you.  Ex:
>
> I played with this for a while but couldn't find
> any way to write anything useful to any file except /etc/shells so you can
> ftp into the system no matter what your specified shell is.

The consequences are more serious than that.  A carefully crafted filename
in a world writable directory that updatedb processes could lead to a root
compromise.  One could overwrite root's .rhosts or .login.  This could
easily lead to a root compromise.

Dave G.

David Goldsmith                          dhgat_private
DEC Consulting                           http://www.dec.net
Software Development/Internet Security   http://www.dec.net/~dhg
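The mechanism under discussion, a privileged job creating a temporary file at a guessable name in a world-writable directory, is easy to reproduce in a few lines of C. The program below is an added example, not code from the posting or from updatedb/sort: it plants a symlink at a made-up predictable name (`sort00001`, standing in for the `sort0<pid>000N` names mentioned above) inside a scratch directory it creates itself, then shows that an `open(O_CREAT|O_TRUNC)` follows the link and clobbers the target, while `O_CREAT|O_EXCL|O_NOFOLLOW` refuses. The "victim" file and the `+ +` payload stand in for root's `.rhosts`; everything runs as the invoking user, so it demonstrates the file-system race, not an actual privilege escalation.

```c
/* Added example (not from the original posting): predictable temp-file name
 * plus symlink in a world-writable directory, unsafe vs. hardened open().
 * All paths live in a scratch dir made with mkdtemp(); nothing touches
 * /etc or real updatedb output.  Names "victim" and "sort00001" are made up. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PAYLOAD  "+ +\n"      /* what an attacker wants in root's .rhosts */
#define TEMPNAME "sort00001"  /* stand-in for the guessable sort0<pid>000N */

static void path_in(char *out, const char *dir, const char *name)
{
    snprintf(out, PATH_MAX, "%s/%s", dir, name);
}

/* Attacker's step: scratch dir containing
 *   victim    - stands in for a root-owned file such as /root/.rhosts
 *   sort00001 - symlink to victim, planted at the name the job will use
 * Returns a malloc'd path to the directory, or NULL on failure. */
static char *plant_symlink(void)
{
    char dir[] = "/tmp/updatedb-demo-XXXXXX";
    char victim[PATH_MAX], link[PATH_MAX];

    if (mkdtemp(dir) == NULL)
        return NULL;
    path_in(victim, dir, "victim");
    path_in(link, dir, TEMPNAME);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "harmless\n", 9) != 9)
        return NULL;
    close(fd);
    if (symlink(victim, link) != 0)
        return NULL;
    return strdup(dir);
}

/* Shared tail: returns 1 if the write went through, 0 if open() refused
 * because something already sat at the name, -1 on any other error. */
static int try_write(const char *dir, int flags)
{
    char link[PATH_MAX];
    path_in(link, dir, TEMPNAME);
    int fd = open(link, O_WRONLY | O_CREAT | flags, 0600);
    if (fd < 0)
        return (errno == EEXIST || errno == ELOOP) ? 0 : -1;
    ssize_t n = write(fd, PAYLOAD, strlen(PAYLOAD));
    close(fd);
    return n == (ssize_t)strlen(PAYLOAD);
}

/* Unsafe pattern from the posting: no O_EXCL, so open() follows the
 * planted symlink and the data lands in the victim file. */
static int unsafe_tempfile_write(const char *dir)
{
    return try_write(dir, O_TRUNC);
}

/* Hardened pattern: O_EXCL fails with EEXIST if anything (a symlink
 * included) already exists at the name; O_NOFOLLOW adds ELOOP on a
 * symlink as the last component.  0 is the safe outcome here. */
static int safe_tempfile_write(const char *dir)
{
    return try_write(dir, O_EXCL | O_NOFOLLOW);
}

/* 1 if the victim file now holds PAYLOAD, 0 if not, -1 on error. */
static int victim_contains_payload(const char *dir)
{
    char victim[PATH_MAX], buf[64] = {0};
    path_in(victim, dir, "victim");
    FILE *f = fopen(victim, "r");
    if (f == NULL)
        return -1;
    if (fread(buf, 1, sizeof buf - 1, f) == 0) { fclose(f); return -1; }
    fclose(f);
    return strcmp(buf, PAYLOAD) == 0;
}

/* Remove the scratch directory from plant_symlink() and free dir. */
static void cleanup_demo(char *dir)
{
    char p[PATH_MAX];
    path_in(p, dir, TEMPNAME); unlink(p);
    path_in(p, dir, "victim");  unlink(p);
    rmdir(dir);
    free(dir);
}

int main(void)
{
    char *dir = plant_symlink();
    if (dir == NULL) { perror("setup"); return 1; }
    printf("safe open wrote through symlink:   %d\n", safe_tempfile_write(dir));
    printf("unsafe open wrote through symlink: %d\n", unsafe_tempfile_write(dir));
    printf("victim now holds payload:          %d\n", victim_contains_payload(dir));
    cleanup_demo(dir);
    return 0;
}
```

The hardened `open()` is the minimal fix for the pattern shown; a tool that needs scratch files should rather use `mkstemp()` (random name plus `O_EXCL`) or be pointed at a directory only root can write to, since a guessable name is the attacker's foothold even when the link is refused on one run.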
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:43:31 PDT