Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Red Hat/Fedora :: dcheck.htm

Redhat 6.x diskcheck - possible root or arbitrary file write compromise



Vulnerability

    diskcheck

Affected

    RH 6.x

Description

    Jin-Ho You  posted following.   Note that  this has  been  already
    reported in:

        http://oliver.efri.hr/~crv/security/bugs/Linux/various.html

    DiskCheck  is  a  Perl  script  that  monitors  how  much space is
    available on  your hard  drive.   Basically, it  checks your drive
    space every hour and takes  action based on the specifications  in
    the config file /etc/diskcheck.conf.

    The command, /etc/cron.hourly/diskcheck.pl  is executed with  root
    privilege every hour.  It creates a temporary file, whose  default
    name     is      /tmp/diskusagealert.txt.<pid>     defined     in
    /etc/diskcheck.conf,  is  predictable  and  is  willing  to follow
    symbolic links.   This may allow  malicious local users  to create
    or overwrite arbitrarily named files.

    To exploit, the following cron job creates the file, /etc/nologin:

        0 * * * * perl -e 'foreach $i (1..200) { $pid = $$ + $i; \
           symlink("/etc/nologin", "/tmp/diskusagealert.txt.$pid"); }'

Solution

    Relocate the temporary file into the directory where root only can
    create a file.  For example, edit /etc/diskcheck.conf:

        $tempfile = '/var/local/diskusagealert.txt'

        # ls -ld /var/local
        drwxr-xr-x   2 root     root         1024 Feb  7  1996 /var/local/

    It is fixed in Red Hat's current rawhide, and in Red Hat Pinstripe
    (7.0 beta).

    For Conectiva Linux:

        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/noarch/diskcheck-3.1.1-3cl.noarch.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/noarch/diskcheck-3.1.1-3cl.noarch.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/ferramentas/ecommerce/noarch/diskcheck-3.1.1-3cl.noarch.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/ferramentas/graficas/noarch/diskcheck-3.1.1-3cl.noarch.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/diskcheck-3.1.1-3cl.src.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/SRPMS/diskcheck-3.1.1-3cl.src.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/ferramentas/ecommerce/SRPMS/diskcheck-3.1.1-3cl.src.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/ferramentas/graficas/SRPMS/diskcheck-3.1.1-3cl.src.rpm


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH