spying (deleted) file entries in other users' directories

From: FozZy (fozzyat_private)
Date: Sat Jun 22 2002 - 13:56:37 PDT


    Hello,
    
    There is an old known (I hope) security issue if unprivileged users are allowed to open() a directory to get a file descriptor and then read() the contents of this file. A directory is itself a file storing the names and inode numbers (etc.) of the files it contains, including deleted ones. So if a user reads this file, they can get the names of the deleted files. 
    
    The examples below show that on an old FreeBSD 4.4, if you store files into a private directory readable only by you, then you remove every sensitive file and give read-only access to everyone on the directory (no execute perm needed), the filenames will still show up to any user. Same thing if you change the directory name, of course. (mv bad; rm then mkdir rules ;)
    
    This becomes an issue when sensitive information is disclosed into the filename.
    
    Sorry if it was already done on this mailing-list, but if not, I think it could be interesting to some people to know what systems are still vulnerable and what are not.
    - Linux is immune: the read() call returns the error EISDIR. OpenBSD also seems to be OK.
    - FreeBSD 4.4 is vulnerable (I didn't look at the CVS; it could be patched by now, does anybody know?)
    - I saw this for the first time 3 years ago on a SunOS system while doing "cat /root" as a user. I don't know if current Sun systems are patched or not.
    
    Don't misunderstand me, this is not an advisory on a new vuln I discovered, it is a request to the security community for publishing more info on this topic, because I am too lazy to check it myself (although a quick search on Google and SecurityFocus gave me nothing).
    
    Regards,
    
    FozZy
    Hackademy / Hackerz Voice
    
    
    rooted# uname -v
    FreeBSD 4.4-RELEASE #0: Tue Sep 18 11:57:08 PDT 2001     murrayat_private:/usr/src/sys/compile/GENERIC 
    rooted# mkdir /test
    rooted# touch /test/public-doc
    rooted# chmod 700 /test
    rooted# ls -ld /test
    drwx------  2 root  wheel  512 Jun 22 13:01 /test
    rooted# touch /test/confidential-doc
    rooted# <...some work with the doc here...>
    rooted# rm /test/confidential-doc 
    rooted# chmod 744 /test
    rooted# su guest
    $ hexdump -C /test
    00000000  2d 4a 00 00 0c 00 04 01  2e 00 00 00 02 00 00 00  |-J..............|
    00000010  0c 00 04 02 2e 2e 00 00  d7 4a 00 00 e8 01 08 0a  |.........J......|
    00000020  70 75 62 6c 69 63 2d 64  6f 63 00 c8 d8 4a 00 00  |public-doc...J..|
    00000030  d4 01 08 10 63 6f 6e 66  69 64 65 6e 74 69 61 6c  |....confidential|
    00000040  2d 64 6f 63 00 ec 70 c8  00 00 00 00 00 00 00 00  |-doc..p.........|
    00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    *
    00000200
    $ /bin/ls /test
    public-doc
    $ exit
    rooted# ls -l /test
    -rw-r--r--  1 root  wheel  0 Jun 22 13:01 public-doc
    rooted# mv /test /public
    rooted# chmod 755 /public
    rooted# su guest
    $  ls -l /public
    -rw-r--r--  1 root  wheel  0 Jun 22 13:01 public-doc
    $ hexdump -C /public
    00000000  2d 4a 00 00 0c 00 04 01  2e 00 00 00 02 00 00 00  |-J..............|
    00000010  0c 00 04 02 2e 2e 00 00  d7 4a 00 00 e8 01 08 0a  |.........J......|
    00000020  70 75 62 6c 69 63 2d 64  6f 63 00 c8 d8 4a 00 00  |public-doc...J..|
    00000030  d4 01 08 10 63 6f 6e 66  69 64 65 6e 74 69 61 6c  |....confidential|
    00000040  2d 64 6f 63 00 ec 70 c8  00 00 00 00 00 00 00 00  |-doc..p.........|
    00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    *
    00000200
    $ exit
    
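To make the hexdump above concrete, here is an added example (not part of FozZy's post) that decodes the directory block the way the kernel and a forensic examiner would, and shows why `ls` sees only `public-doc` while a raw read() still exposes `confidential-doc`. It assumes the FreeBSD UFS1 `struct direct` layout on little-endian i386 (d_ino u32, d_reclen u16, d_type u8, d_namlen u8, NUL-terminated name padded to 4 bytes); the bytes are copied from the post's hexdump and zero-padded to the 512-byte block that the `00000200` end offset indicates.

```python
import struct
# FreeBSD UFS1 "struct direct" header, assumed layout (little-endian i386):
# d_ino u32, d_reclen u16, d_type u8, d_namlen u8, then NUL-terminated name padded to 4 bytes.
HDR = struct.Struct("<IHBB")

# Bytes 0x00-0x47 of /test from the post's hexdump; the '*' lines are zeros, so we pad to 512.
BLOCK = bytes.fromhex(
    "2d4a00000c0004012e000000020000000c0004022e2e0000"
    "d74a0000e801080a7075626c69632d646f6300c8"
    "d84a0000d4010810636f6e666964656e7469616c2d646f6300ec70c8"
).ljust(512, b"\0")

def dirsiz(namlen):
    return HDR.size + ((namlen + 1 + 3) & ~3)  # header + name + NUL, rounded up to 4

def read_entry(block, off):
    """Decode the record at off as (ino, reclen, type, name); None if it is not a sane entry."""
    ino, reclen, dtype, namlen = HDR.unpack_from(block, off)
    end = off + HDR.size + namlen
    name = block[off + HDR.size:end]
    printable = all(0x20 <= b < 0x7F for b in name)  # slack may hold junk shaped like a header
    if ino == 0 or namlen == 0 or end >= len(block) or block[end] != 0 or not printable:
        return None
    return ino, reclen, dtype, name.decode()

def live_entries(block):
    """What readdir() reports: hop from record to record by d_reclen."""
    out, off = [], 0
    while off + HDR.size <= len(block):
        reclen = HDR.unpack_from(block, off)[1]
        if reclen < HDR.size:
            break  # corrupt block; stop rather than loop forever
        if (ent := read_entry(block, off)):
            out.append((off, ent))
        off += reclen
    return out

def deleted_entries(block):
    """rm only adds the victim's d_reclen to the previous record, so the old bytes survive
    in the slack between dirsiz(name) and d_reclen; scan that slack 4 bytes at a time."""
    found = []
    for off, (ino, reclen, dtype, name) in live_entries(block):
        pos, end = off + dirsiz(len(name)), off + reclen
        while pos + HDR.size <= end:
            if (ent := read_entry(block, pos)):
                found.append((ent[0], ent[3]))
                pos += dirsiz(len(ent[3]))
            else:
                pos += 4
    return found
```

The record for `public-doc` carries d_reclen 488 (0x01e8) instead of its natural 20 bytes, which is the trace rm leaves when it merges the freed entry into its predecessor; that slack is where the old name is read back from.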



    This archive was generated by hypermail 2b30 : Sat Jun 22 2002 - 12:47:12 PDT