The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[linux-security] overwrite any file with updatedb


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
X-RDate: Tue, 03 Mar 1998 16:40:17 +0500 (ESK)
Date: Sun, 1 Mar 1998 22:44:11 -0500
From: Cain <[email protected]>
To: [email protected]
Subject: [linux-security] overwrite any file with updatedb

[Mod: Headers modified -- alex]

If this is already known, my apologies. It seemed very strange that this
worked, so I thought it would be mentionable.

On many linux systems(Redhat imparticularly) updatedb is run nightly
around 1:00. When it sorts the files that find gets, it creats a few files
in /tmp called sort0<pid>000{1,2,etc}. Each is around 512k. The
first file is created and filled, then if necassary, another is created
and so on until it has your whole filesystem into a nice database. Well,
once the first file is created you can easily guess what the next filename
will be called as only the last character will change. If you create a
link to say, the shadow password file, updatedb will kindly overwrite it
for you. Ex:

<assuming updatedb is running in the background>
$ ls /tmp
sort012340000 sort012340001

$ ln -s /etc/shadow /tmp/sort012340002
<wait for awhile to give updatedb time to write to our link>

$ ls /tmp
sort012340000 sort012340001 sort012340002 sort012340003

It's done, it will now clear out it's files from /tmp. Now go look at the
shadow password file. It will be quite larger then it was before. About
512k is it's new size. I played with this for awhile but couldn't find
anyway to write anything useful to any file except /etc/shells so you can
ftp into the system no matter what your specified shell is.

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe [email protected] < /dev/null

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру