The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Linux inode.i_count overflow


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
X-RDate: Thu, 15 Jan 1998 15:07:21 +0500 (ESK)
Date: Wed, 14 Jan 1998 13:02:58 -0800
From: Pete <shipley@DIS.ORG.>
To: [email protected]
Subject: Re: Linux inode.i_count overflow

>http://www.ms.mff.cuni.cz/~jkot2155/linuxbug.html
>
>   While I was working on my master thesis (Emulation of [1]Classic
>   Operating Systems in [2]Distributed Environment), I found following
>   two nasty things in Linux sources:
>
>                        i_count Overflow Security Hole
>
>   Member i_count in struct inode contains the usage count. It is of type
>   unsigned short, which is only 16-bit long on i386. Unfortunately, it
>   is not enough. You can make it overflow by mapping one file many
>   times:




BSD 2.9 (maybe 4.1) had this problem also, in that case the link count
was stored in a u_char, I think.  (you needed to fork something line 23
processes or something to do it since the per process file descriptor
table size was significantly smaller then the file's link  counter).

It was possible to hack root by opening a file in the / (root)
filesystem till the that files link count was 0  (and thus it was
added to the freelist).  Next you would change your password or
finger/gecos info a few times till "your" inode was reallocated
and used for the password file thus leaving you a open file descriptor
to the password file.

Since I do not run Linux I can not test to see if you can do this under Linux

I have some *old* exploit code for this at home on a disconnected
system but since I am on the road I can get to it. I try to remember to
send it to rootshell.com when I get home.

                -Pete

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру