"Dmitry E. Oboukhov" <[EMAIL PROTECTED]> writes:

> On 18:42 Wed 13 Aug , Brian May wrote:
>> Dmitry E. Oboukhov wrote:
>>> qemu mounts on the directory /tmp/mount.$$. An attacker creates many
>>> symlinks /tmp/dir.\d+ -> /etc, and if qemu
>>> (/usr/sbin/qemu-make-debian-root) starts, then /etc goes
>>> out of the root directory tree. The result: the system is unusable.
>>>
>> I might be dense, but I don't get this.
>
>> Attacker does:
>
>> [EMAIL PROTECTED]:/tmp# ln -s /etc /tmp/mount-1234
>
>> Then the genuine user does:
>
>> [EMAIL PROTECTED]:/tmp# mkdir /tmp/mount-1234
>> mkdir: cannot create directory `/tmp/mount-1234': File exists
>
>> strace shows:
>> mkdir("/tmp/pmount-1234", 0777) = -1 EEXIST (File exists)
>
>> So, ok, this means the process can't continue any more (denial of
>> service attack), and if the process does continue this is a problem,
>> otherwise I can't see how this would bring the entire system down.
>
>> Brian May
>
> yes, the set -e directive is present in this script :)
Don't know if this is considered an attack, but root may be tricked into
unmounting a file system pointed to by the symlink, since the script also
does:

    cleanup() {
        echo Cleaning up... >&2
        umount -d /tmp/mount.$$ || true
        rm -f $IMAGE.ext2 $IMAGE
    }
    trap cleanup EXIT

This will of course not do anything if the file system is busy, which
limits its usability as a DoS attack. Anyway, it wouldn't harm if the
script used mktemp.

Bjørn
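The predictable-name problem discussed in this thread and the mktemp fix Bjørn suggests, as an added example that is not code from qemu-make-debian-root or from anyone in the thread. It runs entirely inside a scratch directory of its own that stands in for /tmp and /etc, needs no root and performs no real mount or umount; the path the cleanup's `umount -d /tmp/mount.$$` would act on is only resolved with `readlink -f` to show where it points. The pid 1234, the `mount.XXXXXXXX` template and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from qemu-make-debian-root or the thread above.
# Reproduces the /tmp/mount.$$ symlink problem in a private sandbox and
# shows the mktemp -d fix. No root, no real mount/umount is performed.
set -u

SANDBOX=$(mktemp -d) || exit 1          # constructed stand-in for /tmp
trap 'rm -rf "$SANDBOX"' EXIT
VICTIM="$SANDBOX/etc"                    # constructed stand-in for /etc
mkdir "$VICTIM"

# Attacker step: pre-create the predictable name as a symlink to the victim.
# A real attacker does not know $$ in advance and sprays mount.<pid> for a
# range of pids (the "many symlinks" in Dmitry's report); one link is enough
# here because the pid is passed in explicitly.
attacker_plant() {
    ln -s "$VICTIM" "$SANDBOX/mount.$1"
}

# Vulnerable pattern, as in the script under discussion: a predictable name
# is mkdir'ed, mounted on, and later cleaned up with 'umount -d /tmp/mount.$$'.
# Prints what that cleanup path resolves to, so the caller can see whether the
# umount would be aimed at the attacker's target. Returns 1 when mkdir fails,
# which under 'set -e' is exactly where the original script dies (the DoS).
vulnerable_run() {
    pid=$1
    dir="$SANDBOX/mount.$pid"
    rc=0
    mkdir "$dir" 2>/dev/null || rc=1    # EEXIST when the symlink is planted
    # 'umount -d "$dir"' would follow the symlink; we only resolve it here.
    readlink -f "$dir"
    return $rc
}

# Hardened pattern: mktemp -d creates a fresh directory atomically (O_EXCL
# semantics), with an unpredictable suffix and mode 0700, and fails rather
# than reusing an existing path, so a pre-planted symlink is never selected.
safe_run() {
    dir=$(mktemp -d "$SANDBOX/mount.XXXXXXXX") || return 1
    printf '%s\n' "$dir"
}

# Returns 0 if the path is a real directory (not a symlink) with mode 0700,
# i.e. what a trustworthy scratch directory looks like. GNU stat first,
# BSD stat as fallback.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] &&
        [ "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" = "700" ]
}

# Demonstration when run directly (pid 1234 is an assumed value).
attacker_plant 1234
if ! out=$(vulnerable_run 1234); then
    echo "vulnerable: mkdir failed, set -e would abort; cleanup would umount $out"
fi
echo "hardened scratch dir: $(safe_run)"
```

The check in `is_private_dir` is what the script could run after creating its mount point if it cannot switch to mktemp: a directory that is a symlink, or that was not created by this process with private permissions, must not be used as a mount point or handed to umount.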