Message-ID: <20031125123244.GB18349@dontpanic.ulm.ccc.de>
Date: Tue, 25 Nov 2003 13:32:44 +0100
From: vb@...tpanic.ulm.ccc.de
To: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: Re: hard links on Linux create local DoS vulnerability and security problems

On Mon, Nov 24, 2003 at 05:36:29PM +0100, Jakob Lell wrote:
> to another user. This hard link continues to exist even if the original file
> is removed by the owner. However, as the link still belongs to the original
> owner, it is still counted to his quota. If a malicious user creates hard
> links for every temp file created by another user, this can make the victim
> run out of quota (or even fill up the hard disk). This makes a local DoS
> attack possible.

Every *NIX filesystem has such links. I cannot see a DoS-attack with that
fact, because a user will address his sysadmin with that problem. And
the BOFH^Wsysadmin will then wag a finger. The "attacker" has to be a local
user also.

Of course, that is a design flaw which is there because of the fact that
quotas were not implemented in the first UNIX filesystem versions.

> Furthermore, users can even create links to a setuid binary. If there is a
> security hole like a buffer overflow in any setuid binary, a cracker can
> create a hard link to this file in his home directory. This link still exists
> when the administrator has fixed the security hole by removing or replacing
> the insecure program. This makes it possible for a cracker to keep a security
> hole open until an exploit is available. It is even possible to create links
> to every setuid program on the system. This doesn't create new security
> holes but makes it more likely that they are exploited.

No. Only a beginner would ignore the link count for a file when removing it
for security reasons. Every *NIX admin with basic knowledge of UNIX or
Linux will not ignore it.

> I could reproduce the problem on linux 2.2.19 and 2.4.21 (and found nothing
> about it in the changelogs to 2.4.23-rc3). If you can check whether this
> problem also exists on other unix-like operating systems, please post the
> results.

This "problem" exists with all *NIX systems I know, but it is not a big
problem.

VB.
-- 
Volker Birk, Postfach 1540, 88334 Bad Waldsee, Germany
Phone +49 (7524) 912142, Fax +49 (7524) 996807, dingens@...ens.org
http://fdik.org, Deutsches IRCNet fdik!~c_vbirk@...a.rz.uni-ulm.de
PGP-Key: http://www.x-pie.de/vb.asc

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
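
The link-count check the reply refers to, as an added example that is not part of the original message: a Python scan that lists setuid/setgid files with more than one hard link under a directory and reports how many of those links lie outside the scanned tree. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def find_linked_setid(root):
    """Map (device, inode) -> {"nlink", "paths"} for set-id files with >1 link."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # vanished or unreadable, skip
            if not stat.S_ISREG(st.st_mode) or st.st_nlink < 2:
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            entry = found.setdefault((st.st_dev, st.st_ino),
                                     {"nlink": st.st_nlink, "paths": []})
            entry["paths"].append(path)
    return found


def unaccounted_links(entry):
    """Names the scan did not see: outside root or in unreadable directories."""
    return entry["nlink"] - len(entry["paths"])


def demo():
    """Constructed tree: one mode-4755 file with a second name elsewhere."""
    with tempfile.TemporaryDirectory() as top:
        for d in ("bin", "home"):
            os.mkdir(os.path.join(top, d))
        prog = os.path.join(top, "bin", "prog")
        with open(prog, "w") as f:
            f.write("placeholder\n")
        os.chmod(prog, 0o4755)  # set-uid bit on our own file
        os.link(prog, os.path.join(top, "home", "kept"))
        results = []
        for root in (top, os.path.join(top, "bin")):
            for e in find_linked_setid(root).values():
                names = sorted(os.path.basename(p) for p in e["paths"])
                results.append((names, unaccounted_links(e)))
        return results


if __name__ == "__main__":
    print(demo())
```

A non-zero result from `unaccounted_links` means the inode has further names the scan did not reach, so the scan root should be the mount point of the filesystem holding the binary.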