

/tmp race in Linux kernel source!


X-RDate: Mon, 23 Mar 1998 09:25:44 +0500 (ESK)
Date: Mon, 16 Mar 1998 02:20:37 +0100
From: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
To: BUGTRAQ@NETSPACE.ORG
Subject: /tmp race in Linux kernel source!

Ok.. got all your attention there? It's not as bad as it looks ;)
But there _is_ a /tmp race in /usr/src/linux/scripts/Configure, as used by
make config (which is, IMHO, obsoleted by make menuconfig):

if [ -f $DEFAULTS ]; then
  echo "#"
  echo "# Using defaults found in" $DEFAULTS
  echo "#"
  . $DEFAULTS
  sed -e 's/# \(.*\) is not.*/\1=n/' < $DEFAULTS > /tmp/conf.$$
  . /tmp/conf.$$
  rm /tmp/conf.$$
else

File is created and sourced. What more could you wish?
And to exploit you'll have from start of script to this point to catch it
and create a fifo in /tmp.
You know the rest (think GCC symlink exploit): get whatever it puts into
the fifo and give it back with a little extra, like creating suid shell in
/tmp.

Greetz, Peter.

------------------------------------------------------------------------------
 'Selfishness and separation have led me to   .      Peter 'Hardbeat' van Dijk
  to believe that the world is not my problem .    network security consultant
  I am the world. And you are the world.'     .               (yeah, right...)
          Live - 10.000 years (peace is now)  .        peter@attic.vuurwerk.nl
------------------------------------------------------------------------------
  2:08am  up 1 day, 12:05,  6 users,  load average: 1.10, 1.18, 1.17
------------------------------------------------------------------------------
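
Added example, not part of the original post or of the kernel's scripts/Configure: the same sed-and-source step written so the generated file lives in a private `mktemp -d` directory instead of the predictable /tmp/conf.$$ path. The helper names `load_defaults` and `demo` and the sample config lines are assumptions made for illustration, and `mktemp` is assumed to be available on the build host.

```shell
#!/bin/sh
# Added example (not from scripts/Configure). load_defaults is a hypothetical name.

# Source a defaults file together with its "# X is not set" -> "X=n"
# translation without writing to a guessable path in a world-writable directory.
load_defaults() {
    _ld_src=$1
    [ -f "$_ld_src" ] || return 1

    # mktemp -d picks an unpredictable name, creates the directory with
    # mode 0700 and fails if the name already exists. Another local user can
    # neither guess the path in advance nor create a FIFO or symlink inside it.
    _ld_tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/conf.XXXXXX") || return 1
    _ld_tmpfile=$_ld_tmpdir/defaults

    # Same sed expression as the snippet in the post, with quoted expansions.
    if ! sed -e 's/# \(.*\) is not.*/\1=n/' < "$_ld_src" > "$_ld_tmpfile"; then
        rm -rf "$_ld_tmpdir"
        return 1
    fi

    . "$_ld_tmpfile"
    _ld_status=$?
    rm -rf "$_ld_tmpdir"
    return "$_ld_status"
}

# Constructed sample input, for illustration only.
demo() {
    _demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/demo.XXXXXX") || return 1
    printf '%s\n' '# CONFIG_FOO is not set' 'CONFIG_BAR=y' > "$_demo_dir/defconfig"
    load_defaults "$_demo_dir/defconfig" &&
        echo "CONFIG_FOO=$CONFIG_FOO CONFIG_BAR=$CONFIG_BAR"
    rm -rf "$_demo_dir"
}

demo
```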
