GNU rm fileutils race condition problems on SuSE

From: Paul Starzetz (paulat_private)
Date: Thu May 16 2002 - 04:43:25 PDT

    Hi,
    
    the following issue has been reported to SuSE about 2 months ago:
    
    
    1. Problem description
    ----------------------
    
    There is an exploitable call to the vulnerable rm -rf command in 
    /etc/cron.daily/aaa_base_clean_core as follows:
    
    #
    # paranoia settings
    #
    umask 022
    
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    export PATH
    TMPDIR=/var/tmp/cron.daily.$$
    rm -rf $TMPDIR
    
    
    This script is run every day as ROOT even if the user didn't set the 
    DELETE_OLD_CORE variable in /etc/rc.config!
    
    
    2. Details
    ----------
    
    As pointed out by Wojciech Purczynski <cliphat_private> there is a race 
    condition in the GNU 'rm' utility while removing directories recursively. 
    In particular it is possible to create a deeply nested directory structure 
    in /tmp, wait for removal of one of the leaves and quickly move the 
    directory root 2 levels up. This will force rm to chdir("..") two levels 
    more than intended, resulting in the removal of the complete file system.
    
    An exploit code will not be released, but exploitation is very 
    straightforward, since the race window can be made mostly as big as 
    needed (it is even possible to exploit this vulnerability 'by hand'). 
    One needs to create a directory structure like this:
    
    /tmp/cron.daily.PID/root/1/2/3/4/5/6/7/8/......./N
                            /(N+1)/(N+2)/.........../2*N
                            .........................
    
    and wait for the removal of the 'N' leaf. This can be easily 
    accomplished since the clean_core script is called at a very well defined 
    time (between 0:15:00 and about 0:15:15 every day) - so we can create X 
    of those nested directories, wait until 15:00, get the next pid and 
    begin to move those directories to match the next X pids. Guessing the 
    next pid can be done by reading /proc/stat and evaluating the 
    'processes' entry (or, less elegantly, by continuous forking :-).
    
    
    3. Impact
    ---------
    
    This vulnerability leads to a denial of service attack on SuSE Linux 
    systems. As far as tested SuSE Linux <= 7.3 seems to be vulnerable. The 
    8.0 release has not been tested yet.
    
    
    /ih
    
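A defender-side illustration of the fix for the race the post describes, added here and not code from the post, from GNU fileutils or from SuSE: a recursive remover that never calls chdir(), performing every open and unlink relative to a descriptor of the parent directory (openat/unlinkat), so a directory renamed upward during the walk cannot drag the walk above its starting point. The names safe_rmtree, rmtree_fd and demo_remove_nested_tree are my own; the demo builds a nested tree like the one in the report under mkdtemp() and removes it.

```c
/* Added example, not GNU rm's code: recursive removal that never chdir()s.
 * Every open/unlink is relative to the parent's descriptor, so moving part of
 * the tree mid-walk cannot steer the walk above the starting directory. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Empties the directory open on dirfd (always closed here). 0 = success. */
static int rmtree_fd(int dirfd)
{
    DIR *d = fdopendir(dirfd);
    if (!d) { close(dirfd); return -1; }
    int rc = 0, removed;
    do {                     /* rescan until empty: readdir() may skip */
        removed = 0;         /* entries while siblings are unlinked    */
        rewinddir(d);
        for (struct dirent *e; rc == 0 && (e = readdir(d)) != NULL; ) {
            if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
            /* Descend only into real subdirectories, never through symlinks. */
            int sub = openat(dirfd, e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
            if (sub >= 0 && rmtree_fd(sub) != 0) { rc = -1; break; }
            if (unlinkat(dirfd, e->d_name, sub >= 0 ? AT_REMOVEDIR : 0) == 0) removed++;
            else rc = -1;
        }
    } while (rc == 0 && removed > 0);
    closedir(d);             /* also closes dirfd */
    return rc;
}
/* Removes the directory at path and everything below it. 0 = success. */
int safe_rmtree(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    return (fd < 0 || rmtree_fd(fd) != 0) ? -1 : rmdir(path);
}
/* Demo: build a nested tree like the report's under a constructed mkdtemp()
 * directory, remove it, and return 0 only if the whole tree is gone. */
int demo_remove_nested_tree(void)
{
    char root[] = "/tmp/rmtree-demo-XXXXXX", path[128], *p; struct stat st;
    if (!mkdtemp(root)) return -1;
    strcpy(path, root); strcat(path, "/root/1/2/3/4/5/6/7/8");
    for (p = path + strlen(root) + 1; *p; p++)                 /* mkdir -p */
        if (*p == '/') { *p = '\0'; mkdir(path, 0700); *p = '/'; }
    mkdir(path, 0700); strcat(path, "/core");                   /* leaf + file */
    close(open(path, O_WRONLY | O_CREAT, 0600));
    return (safe_rmtree(root) == 0 && lstat(root, &st) != 0) ? 0 : -1;
}
```

Because no chdir() is ever issued, the starting directory is only ever reached through the descriptor opened at the top, which is the property the cron script's `rm -rf $TMPDIR` lacks on a predictable, attacker-creatable path.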



    This archive was generated by hypermail 2b30 : Thu May 16 2002 - 15:28:54 PDT